Department of Computer Science


Prof. Dr Petra Haferkorn

Professor of Computer Science, in particular IT-Security Management


Research fields

  • Information Security Management
  • IT Governance
  • IT Risk Management
  • IT audits of companies, public authorities and other organisations


Sankt Augustin


C 277


Grantham-Allee 20

53757 Sankt Augustin


+49 2241 865 9867



Teaching

  • Information Security Management (ISMS)
  • IT risk management
  • On-site audit of the information security management of organisations
  • Data protection, IT law and privacy
  • Analysis and Linear Algebra
  • Literature seminar

Taught in the Bachelor's and Master's degree programmes in Cyber Security & Privacy, Computer Science and Business Informatics.

Curriculum vitae

After studying mathematics with a minor in computer science, Petra Haferkorn worked at the German Federal Financial Supervisory Authority (BaFin), where she led international on-site audits of the risk management of credit institutions, insurance companies and other financial service providers. In recent years she has conducted IT audits focusing on IT governance, information security management and information risk management systems.

Her auditing work confronted her with challenges for which traditional auditing and management theory offered no satisfactory strategies. She therefore adopted concepts from recent sociological systems theory and its applications in systemic organisational consulting, and applied them to her audit discussions and to the analysis of how IT security management systems function.

Systemic approaches, for example, distinguish living from dead systems, which is very helpful when assessing the functioning of the socio-technical systems ‘information security management’ and ‘information risk management’:

While information technology follows predetermined rules and is mathematically determined, the social interactions of its users, programmers and other employees of an organisation cannot be precisely predetermined. Adding two numbers yields an unambiguous result; whether information security training for an organisation's employees succeeds remains uncertain.

While the laws of nature remain valid in purely technical systems, the (information) risks of organisations are constantly changing. A cable in a technical system will always burn through if the current flowing through it is too high, and anyone can repeat the corresponding experiment at any time. The behaviour of employees, by contrast, varies: sometimes they choose a secure password, and sometimes they do not consider it necessary.

Recent sociological systems theory therefore doubts that social systems can be controlled in the same way as machines; the reaction of living systems to an external stimulus cannot be precisely predicted. This postulate calls into question the traditional view of how (IT) audits and IT security management systems work and creates a new understanding of terms such as IT risk and information security.

The aim of systems theory, however, is not simply to confuse, nor to question the purpose of audit teams or managers. Quite the opposite: the advantages of this theoretical approach are of great practical relevance. Only a theory that conceptually denies the controllability of living systems can show ways and means of ‘leading’ social systems.

This applies both to audit teams in relation to (IT) audit processes and to other information security teams in relation to (IT) management processes. For example, the complex question of how to maintain an organisation's awareness of its information risks cannot be answered by (overly) simple solutions, such as the assumption that employees complete an information security training course once and will then know forever what they have to do for the organisation's information security.

Systems theory shows that there are no context-free, universally valid answers to the complex challenges of IT security management and prevents us from giving overly simple answers. If we follow the findings of agile and systemic approaches, audits and organisations learn how to deal with (ever new) risks through a step-by-step, circular approach. Uncertainties and risks are dealt with by the social systems through learning and decision-making processes.

Accordingly, an organisation will repeatedly sound out what the current labour market for IT specialists looks like (learning process) and then consider whether to hire or train (decision-making process), for example. Each of these decisions is analysed in terms of its impact on other employees, suppliers and customers and the decision taken is communicated appropriately. If the organisation later realises that the labour market or the wishes of the employees have changed, it will revisit this decision.

In general terms, the learning process in the factual dimension deliberately explores the organisation's lack of knowledge about IT security management, and the decision-making process determines how to proceed on the basis of what has been learnt so far. In the social dimension, the organisation at the same time keeps in view those affected by current developments and their critics, in order to include the perspectives of all interest groups and to remain open to discussion with them. Only a dynamic information security management system can maintain a sufficient variety of actions to react to unforeseen changes.


Memberships

‘d!nternal audit’ working group of the German Institute of Internal Auditing; topics: the role of auditors and auditing in increasingly digital companies and public authorities, in particular auditing IT governance, agile forms of organisation and large volumes of data

FONCSI NeTWork (Fondation pour une culture de sécurité industrielle); topics: risk and security in various sectors and contexts



Publications

Andelfinger, U. and Haferkorn, P.: Mehr als die Prüfung eines agilen Teams. In: Zeitschrift Interne Revision. Berlin (Erich Schmidt Verlag, 6/2022)

Andelfinger, U. and Haferkorn, P.: Praxiswissen Agilität für die IT-Governance, Prüfung und Revision. (dpunkt-Verlag)

Andelfinger, U. and Haferkorn, P.: Agile Prüfungen. (IT-Governance, issue 31, dpunkt-Verlag)

Andelfinger, U. and Haferkorn, P.: Agilität – mehr als die Methode? Eine Orientierungshilfe. (IT-Governance, issue 33, dpunkt-Verlag)

Haferkorn, P.: Risk communication from an audit team to its client. In: Risk communication in and for the real world. Toulouse (Springer Series in Safety Management). URL:

Haferkorn, P.: Systemische Prüfungen. In: forum-executives on the homepage of ‘The AuditFactory’

Haferkorn, P.: Systemische Prüfungstheorie – ein Abriss. In: forum-executives on the homepage of ‘The AuditFactory’

Haferkorn, P.: Zugleich drinnen und draußen. In: Zeitschrift Interne Revision. Berlin (Erich Schmidt Verlag, 6/2013)

Haferkorn, P.: Systemische Prüfungen. Heidelberg (Carl-Auer Verlag, 2010)

Haferkorn, P.: Mehr als nur ein paar Fragen. In: Zeitschrift Interne Revision. Berlin (Erich Schmidt Verlag, 5/2006), pp. 186-196

Haferkorn, P. and Stahl, G.: Beurteilung von Wahrscheinlichkeitsprognosen durch explorative Diagnoseverfahren. In: Schumacher, E. and Streichfuss, K. (eds.): Proceedings der 5. Konferenz der SAS-Anwender in Forschung und Entwicklung. Hohenheim (Universität Hohenheim), pp. 131-151

Fischer, P.: Die Menge der Digitaloptionen und die Darstellung komplexer Derivate mit Digitaloptionen. In: Research Workshop ‘Interne Risikosteuerungsmodelle’. Deutsche Bundesbank, Frankfurt

Brüggemann-Klein, A., Fischer, P. and Ottmann, T.: Learning Picture Sets from Examples. In: Maurer, H. (ed.): Birthday Book for Arto Salomaa. Berlin (Springer Lecture Notes in Computer Science)