Research Focus Areas
Privacy problems are often communication problems. We combine technical system analysis with empirical studies on usability questions and work across disciplines with law, the social sciences, psychology, and ethics. Our four focus areas range from developing technical protection mechanisms to innovative teaching concepts.
Privacy, Data Protection, and Security in Everyday Life
Interdisciplinary research on security and data protection in real-world usage contexts, focusing on user-friendly protection measures and their practical implementation in everyday life. Examples: Security and privacy awareness in software development and operations · User studies on trust and acceptance · Collaborative work with sociology
Understandable Privacy Technologies and Explanations
Development and evaluation of mechanisms that are comprehensible even for non-experts and strengthen trust in technology. Examples: Analysis of the use and explanation of privacy terms in privacy notices · Development and testing of a Privacy Range for software developers and operators to acquire data protection competencies
Empirical Analysis and Web Crawling
Investigation of privacy practices with robust and ethical approaches to assess data protection compliance and identify improvements. Examples: Web and app crawling · Automated cookie banner detection · PrivacyScore comparison platform (currently paused, restart planned) · Bot detection techniques and impact on crawling
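The following is an added illustrative example of what a small, ethical crawl step for such a study looks like; it is not the chair's crawler, PrivacyScore, or any code from the page. It assumes a constructed robots.txt, two constructed HTML pages, a hypothetical user agent "privacy-study-bot", hypothetical URLs under example.test, and hand-picked keyword lists for the banner heuristic. The point is the combination of (1) honouring robots.txt and crawl delay before fetching and (2) flagging a cookie consent banner only when a structural hint (id/class/role) and consent-style buttons occur together, so that a recipe page that merely mentions cookies is not misclassified.

```python
"""Added example (not the chair's or PrivacyScore's code): an offline, ethical
crawl step that checks robots.txt and runs a cookie-banner heuristic on HTML.
All inputs are constructed inline; nothing is fetched from the network."""
import re
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site (not a real file).
ROBOTS_TXT = """User-agent: *
Disallow: /private/
Crawl-delay: 5
"""

# Constructed HTML pages (hypothetical markup, not from any real site).
PAGE_WITH_BANNER = """<html><body>
<div id="cookie-consent" class="cc-banner" role="dialog">
  <p>We use cookies to personalise content and analyse traffic.</p>
  <button class="cc-btn">Accept all</button>
  <button class="cc-btn">Reject all</button>
</div>
<main><h1>Welcome</h1></main>
</body></html>"""

PAGE_WITHOUT_BANNER = """<html><body>
<main><h1>Recipes</h1><p>Cookies: bake at 180 C for 12 minutes.</p></main>
</body></html>"""

# Hand-picked keyword lists (assumption; a real study would calibrate these).
CONSENT_WORDS = re.compile(r"\b(cookies?|consent|gdpr|privacy|tracking)\b", re.I)
BUTTON_WORDS = re.compile(r"\b(accept|agree|reject|decline|manage|settings)\b", re.I)


class BannerDetector(HTMLParser):
    """Tracks nesting; when a container whose id/class/role hints at consent
    opens, collects its text and button labels until that container closes."""

    def __init__(self):
        super().__init__()
        self._open = []         # stack of currently open tag names
        self._candidate = None  # dict while inside a hinting container
        self._in_button = False
        self.banners = []       # containers that had consent text AND consent buttons

    def handle_starttag(self, tag, attrs):
        self._open.append(tag)
        hint = " ".join(v or "" for k, v in attrs if k in ("id", "class", "role", "aria-label"))
        if self._candidate is None and CONSENT_WORDS.search(hint):
            self._candidate = {"depth": len(self._open), "hint": hint, "text": [], "buttons": []}
        if tag == "button" and self._candidate is not None:
            self._in_button = True

    def handle_data(self, data):
        if self._candidate is not None:
            data = data.strip()
            if data:
                target = self._candidate["buttons"] if self._in_button else self._candidate["text"]
                target.append(data)

    def handle_endtag(self, tag):
        if tag == "button":
            self._in_button = False
        c = self._candidate
        if c is not None and len(self._open) == c["depth"] and self._open[-1] == tag:
            self._candidate = None
            # Require both a consent-themed text and an accept/reject-style button.
            if any(BUTTON_WORDS.search(b) for b in c["buttons"]) and any(
                CONSENT_WORDS.search(t) for t in c["text"]
            ):
                self.banners.append(c)
        if self._open and self._open[-1] == tag:
            self._open.pop()


def detect_cookie_banner(html):
    """Return {'banner': bool, 'buttons': [labels]} for the first banner found."""
    p = BannerDetector()
    p.feed(html)
    p.close()
    if not p.banners:
        return {"banner": False, "buttons": []}
    return {"banner": True, "buttons": list(p.banners[0]["buttons"])}


def may_fetch(robots_txt, url, user_agent="privacy-study-bot"):
    """Parse robots.txt text and return (allowed, crawl_delay_seconds)."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    delay = rp.crawl_delay(user_agent)
    return rp.can_fetch(user_agent, url), (delay if delay is not None else 0)


def crawl_step(robots_txt, url, html, user_agent="privacy-study-bot"):
    """One crawl step: refuse disallowed URLs, otherwise classify the page.
    'html' is passed in because this example runs offline."""
    allowed, delay = may_fetch(robots_txt, url, user_agent)
    if not allowed:
        return {"url": url, "fetched": False, "reason": "disallowed by robots.txt"}
    result = detect_cookie_banner(html)
    result.update(url=url, fetched=True, crawl_delay=delay)
    return result


if __name__ == "__main__":
    print(crawl_step(ROBOTS_TXT, "https://example.test/index.html", PAGE_WITH_BANNER))
    print(crawl_step(ROBOTS_TXT, "https://example.test/recipes", PAGE_WITHOUT_BANNER))
    print(crawl_step(ROBOTS_TXT, "https://example.test/private/x", PAGE_WITH_BANNER))
```

The honest user-agent string and the respected crawl delay matter for the "bot detection" item as well: a crawler that is throttled or served a different page by a bot-detection layer produces skewed compliance data, so a study should record when a fetch was blocked or challenged rather than silently counting it as "no banner".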
Digital Innovations in Higher Education
Development of new approaches for competency-oriented digital education that achieve their goals despite the widespread availability of AI tools. Examples: Privacy-friendly e-assessment system psi-exam · Exam booklet system
Funded Projects
ForDaySec (2022–2026)
Security in Everyday Digitalization (Bavarian Research Network). Our subproject develops interactive training formats and investigates various explanation approaches to make privacy mechanisms understandable for software developers and operators. A first result is the ForDaySec card game.
DiKuLe (2021–2025)
Developing Digital Cultures of Teaching (Foundation for Innovation in Higher Education). Our contributions: Co-leadership of the overall project, technical support for DiKuLe symposia, establishment of a professional video studio environment for the university, and evaluation of the exam booklet system. Professor Herrmann was featured as “The Teaching Nerd” by the Foundation for Innovation in Higher Education.
BaKuLe (2025–2031)
Shaping Bamberg’s Cultures of Teaching Together (Foundation for Innovation in Higher Education). The project consists of ten structural measures for organizational development. Besides co-leading the overall project, the chair focuses on developing and implementing AI-resistant assessment formats and e-assessment systems, developing a feedback app for low-barrier feedback, and establishing the “Teaching Forum”.
explanym (2022–2025)
Explainable Anonymization for Data Protection-Compliant Data Use (BMFTR). Our subproject investigates how anonymization procedures can be explained so that users understand the protective effect and trust the technology.
Completed Projects
CANVAS (2017–2019)
Constructing an Alliance for Value-driven Cybersecurity (EU H2020 CSA). CANVAS was the first European project to provide an integrative overview of ethical and regulatory issues in cybersecurity. CANVAS brought together technology developers with legal and ethics scholars as well as social scientists to address the challenge of how to align cybersecurity with European values and fundamental rights.
Lasting results: the project published various freely accessible outputs: information packages, an open-access book on cybersecurity, a free MOOC, and a reference curriculum with case studies. Through this, we hope to contribute to a more systematic anchoring of ethical principles in cybersecurity training and practice.
EMPRI-DEVOPS (2018–2022)
Employee Privacy in Software Development and Operations (BMBF). The project investigated privacy risks from digital traces and metadata in DevOps environments. The goal was to find a balance between legitimate employer interests and the protection of developers’ privacy. Concepts for data minimization and privacy-friendly configurations for development tools were developed.
WINTERMUTE (2020–2023)
AI-supported Security Situation Assessment and Policy Enforcement in Complex Networks (BMBF). The project aimed to manage increasingly complex communication networks with AI methods and protect them from attacks without violating users’ privacy. An approach for adaptive anomaly detection was developed that supports administrators in network security without replacing them.
InviDas (2020–2023)
Interactive, Visual Data Spaces for Sovereign Data Protection Decision-Making (BMBF). The project developed a virtual dashboard for visualizing data flows from wearables and fitness trackers. Users can thus understand which health data is shared with whom for what purpose. Through visualizations and gamification approaches, complex privacy policies were made understandable.
Selected Publications
Website Privacy Challenges (PETS 2023)
What was it about? How do website operators actually respond to data protection compliance problems?
What did we find? Operators show diverse reactions – from lack of knowledge to resource constraints to deliberate non-compliance.
Why does it matter? Understanding the operator perspective improves the design of privacy regulation and support offerings.
K. Dietz et al.: The Missing Link in Network Intrusion Detection: Taking AI/ML Research Efforts to Users. IEEE Access 12, pp. 79815–79837, 2024.
What was it about? Why are AI/ML-based intrusion detection systems rarely deployed in practice?
What did we find? Researchers often neglect user perspectives, explainability, and privacy requirements during development.
Why does it matter? User-centered approaches can bridge the gap between academic research and practical application.
M. Maass et al.: Effective Notification Campaigns on the Web: A Matter of Trust, Framing, and Support. USENIX Security, 2021.
What was it about? How must data protection compliance violations be reported to website operators so that operators actually take action?
What did we find? Who sends the notification, how it is framed, and whether support is offered significantly affect the likelihood that operators act.
Why does it matter? Notifications work better when they are tailored to the recipient.
J.L. Kröger et al.: How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android apps. ARES 2020, pp. 10:1–10:10 (Best Paper Award).
What was it about? How well do GDPR access rights work in practice?
What did we find? Significant gaps in access processes; many companies do not fulfill requests correctly.
Why does it matter? Rights on paper are of little use if they cannot be enforced in practice.