Safeguarding Information in Service Science with Service Integration

Service Science can be described through information, which underpins knowledge as the enabler of the service value chain. Data, as a part of information, is therefore a basic asset of the service market, where firms constantly face strong competition and try to protect such assets from malicious attackers. Information also has to be preserved because of regulatory constraints, and traditional organizational models can have limits in doing so. This paper discusses the possibility of managing both data protection and cyber security through an information security integrated management service (ISIMS). As with other cross-functional knowledge, information security and data privacy compliance can be managed through an integrated approach, as a possible evolution of the common organizational separation between their respective domains, namely Legal and IT. Moreover, this paper identifies the major areas of benefit as well as the current lack of integrated systems for safeguarding information in Service Science.


Introduction
In today's interconnected business world, one of the main objectives is to manage information flows efficiently and effectively. This means preventing data breaches, information alteration and unavailability, so as to avoid episodes where a single incident involves the loss of millions of records, like the credit card leak of January 2009 [1,2]. Thus, most companies are constantly working to reduce the potential direct and indirect losses due to misuse, damage, destruction, or unavailability of information, using several approaches, including the implementation of an information security management system [3] and data protection tools. In order to avoid GDPR fines and, at the same time, to avoid the need to notify the end users affected by data breaches, companies are using encryption to protect data, but this may be insufficient for such purposes, even though lawyers often believe otherwise. The protection and security of a company's data and systems have become more and more important, representing a key factor even in terms of competitiveness and de facto sustaining the existence of enterprises [4]. This paper provides a literature review of relevant and recent papers from two research domains, information security and data protection, identifying the business approaches that are most common and relevant in both cases and proposing a new integrated, service-based approach.
Service Science combines human knowledge with technological understanding, employing service systems for value cocreation. At the same time, such a combination of knowledge can significantly improve the ability to design and scale service systems themselves [5], in which entities can cooperate towards beneficial solutions. Likewise, since people and technologies are at the basis of Service Science, the latter is focused on the elaboration of knowledge through service systems with the objective of improving the services provided to customers [6]. Therefore, innovation and research in Service Science are proceeding fast, and it has been recognized that the emergence of Service Science [7] is fostering the need for a distinctive body of knowledge. The goal is to improve business models thanks to IT services delivered as a commodity with cost benefits.
In the last decade new IT-based business models have arisen thanks to the dramatic evolution of the Internet and high-performance connectivity, which allowed services based on grid and cloud technologies. Consequently, vast amounts of data have been generated and distributed among databases and networks around the globe. New ways of gathering, processing, and accessing information have thus supported innovation and competition, generating new service-based solutions in a smarter and ever more interconnected world [8,9].
Thanks to this, today firms can benefit from access to, or temporary possession of, other business services instead of paying for their ownership. New payment mechanisms for the service market have thus arisen, like pay-per-use or access fees, highlighting an alternative view of the implications of Service Science [10]. These new mechanisms lead to some adaptation by service-based businesses in terms of their organizational structure, and studies have shown that developed countries are experiencing a migration of the labour force to different service sectors. These sectors can be grouped into three basic system categories (i.e., Execute, Transform and Innovate) with two common specificities: basic knowledge and different supplementary professional competences [11]. As for knowledge, it is based on information composed of different kinds of data, and its abundance poses a challenging problem in the creation of efficient and secure service systems. So, the efficient integration, combination and reuse of data to customize the services provided to users is fundamental to the economics of service activities [12].

Methods
This research identified studies and papers describing approaches to information security and data protection in Service Science and proposes the use of an integrated service to manage this dual business requirement. To do so, several sources have been taken into account: the Google Scholar search engine, arXiv, SSRN, Elsevier, and GitHub.
Articles published in the Service Science field of study were selected using and combining the following keywords: Service Science, Data Management, Data Protection, Privacy, Cyber Security, Information Security, Integrated System, Organizational Model.
The analyzed studies were chosen according to the following criteria, separating them into those that attempted to:
1. implement integrated systems for security and privacy activities in service-based firms;
2. analyze new organizational models for information management in Service Science;
3. analyze new business models or use cases for information management and security in Service Science.

Information-based perspective
Service Science was launched by IBM in the early 2000s with the purpose of finding new, data-driven techniques for value generation through the integration of knowledge from different domains. This implies changes in the way organizations approach service in the context of systems, and in the governance of the related relationships.
Considering that the value of data and analytics has risen significantly in the past 5 years, today there is a noticeable exchange of data from many sources, including social media, boosting simulation and prediction techniques for better value propositions, sustained also by customers' digital transactions [13].
The business focus has changed from a product-only perspective to a comprehensive approach in which processes are key elements of value creation. This entails an increase in the value of intangible assets, namely information, knowledge and human resources, where technologies are based on a high capacity for data processing and are described as knowledge technologies. In this light, ICT tools have become basic elements of communication flows and of the stock of knowledge [14], and IT Service Management (ITSM), a service management framework able to meet business goals and customer needs, is de facto a subset of Service Science [15,16].
The basic elements of Service Science can be described with a new model, namely through an information-based perspective.
To be more explicit, if the core elements of Service Science are: 1. provider, 2. customer, 3. technology (enabler of the customer-supplier relationship), and 4. multidisciplinary knowledge, then thanks to an information-centric perspective the basics of Service Science can be reshaped and identified as follows:
1. Knowledge Holder (KH), who holds the information;
2. Knowledge Provider (KP), who interprets and provides the resources of the KH;
3. Knowledge User (KU), who takes advantage of the information;
4. Knowledge, which is composed of information and data;
5. Enabling Technology (ET), which allows KUs to access the information and Knowledge of KPs.
In this light, there is room in Service Science for a knowledge-based perspective [17], which in principle argues that the most important resource of the enterprise is the knowledge embedded in its employees and systems.
Therefore, in the Service Science sector, KHs need to protect such knowledge, while KPs need to share it with KUs to cocreate value. Thus, the balance between the need to share information and the need to protect it is a decisive exercise for the appreciation of the service by KUs, who ultimately are customers.
In this paper, the possibility of managing data protection and cyber security in the Service Science sector through an information security integrated management service (ISIMS) is analysed, considering that security and privacy cocreation is an important research topic. The ISIMS can foster value cocreation in the service sector by virtue of the increasing weight that the risk analysis of data management has in strategic decisions, and of the ongoing regulatory changes in the privacy field around the globe. This paper shows how the ISIMS can efficiently manage the above-mentioned and opposing needs of sharing and protecting knowledge, representing a turn away from the traditional organizational separation between information security and data protection: an innovative approach, capable also of sustaining an enterprise architecture language that fosters security and privacy cocreation.

Information security elements in Service Science
Information is the most important asset for computer-based industries as well as for other organizations, from governments, healthcare and education to the manufacturing and retail sectors. Two authors [18,19] describe security management on the basis of security policies, underpinned by security principles and regulations that define how to secure the organization and its information as a whole. Indeed, data and information are essential to meet business requirements, and the most challenging emerging issue has become how to manage privacy and security issues together. The Cloud Security Alliance (CSA) divides (Big) Data security and privacy into four main categories [20]: 1. Infrastructure security, 2. Data privacy, 3. Integrity and reactive security, and 4. Data management. Considering the increase in big data heterogeneity, both data privacy and security challenges will increase in the future, stressing the need for further research in the field [21] of information privacy and security.
Information security is an ever-evolving, complex issue for almost all businesses today. There are many recurrent problems in cyberspace that can hit a company, from the proliferation and evolution of malware to phishing, so companies seek a reactive management of cyber security protection [22]. These threats occur with different likelihoods and may have different negative outcomes, so technical and non-technical approaches are adopted in order to propose an information security framework capable of responding to such challenges [23]. A special role is played by cryptography, which provides primitives for (symmetric or asymmetric) data encryption, data integrity and authenticity, and authentication. Even if modern solutions perform well, they often operate in isolation, because each is designed to face a single problem, and it is wrong to assume that they can simply be layered on top of each other.
Risk can be defined as the effect of uncertainty on objectives [24,25], and there are many other definitions by several international organizations and standards that describe and manage the phenomenon, for example ISO/IEC 27005 [26], ISO Guide 73:2009 [27], COSO [28] or NIST SP 800-30 [29].
Risk is the combination of likelihood and severity; it can occur at different levels and thus has different effects and requires specific mitigation measures at each level [30]. In fact, all organizations are exposed to the underlying security threats (e.g., malware, ransomware, phishing, denial of service), namely risks to their information systems, which in turn are risks to the control of data, while internal processes, people or systems are often inadequately highlighted [31]. To this extent, risk management is recognized as a fundamental aspect of managing IT security risks [32].
At the basis of the most common risk management methodologies there is the risk assessment, a step-by-step process going from the identification of risk sources and assets to risk estimation and prioritization. This means analysing threats and vulnerabilities to determine how circumstances and events can adversely impact an organization, and with what likelihood [33]. The planning phase of an Information Security Management System (ISMS) is based on this process [34].
Moreover, the information security risk assessment (ISRA) starts with the definition and understanding of which of the two possible approaches will be used in the process itself: qualitative or quantitative [35]. In both cases, it should be considered that KHs can be found in relation to different assets, which are often placed outside IT departments. This is also true for KPs, especially in consideration of the data processed, which can be of a personal nature or business sensitive, implying the involvement of departments other than Legal. Furthermore, since the objective of risk management is to protect the organization itself, this implies the ability to protect people, IT and physical assets, as well as knowledge and know-how, which represent the core elements of value creation. This means ensuring the confidentiality, integrity and availability (CIA) of information and related systems and securing the organization's resources [36].
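The risk assessment steps described above, carried out on a constructed register as an added worked example (it is not part of the original paper or of the works it cites): the qualitative branch uses a 5x5 likelihood-by-severity matrix with assumed band thresholds, the quantitative branch uses single and annualised loss expectancy, and candidate mitigations are compared by return on security investment. Asset names, owners, values and control costs are all invented, and the owner field is used to show which knowledge holders sit outside IT.

```python
"""Information security risk assessment on a constructed risk register.

Added illustration, not the paper's own method: it walks the ISRA steps
(identify assets and threats, estimate likelihood and severity, prioritise,
then compare mitigations) in both the qualitative and the quantitative
form. All assets, figures and controls are made up.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    owner: str            # knowledge holder; often a department outside IT
    personal_data: bool   # asset carries personal data (privacy domain involved)
    likelihood: int       # qualitative scale 1 (rare) .. 5 (almost certain)
    severity: int         # qualitative scale 1 (negligible) .. 5 (catastrophic)
    asset_value: float    # EUR, quantitative branch
    exposure: float       # fraction of asset value lost per incident (0..1)
    aro: float            # annualised rate of occurrence

    def score(self) -> int:
        """Qualitative risk: likelihood x severity on a 5x5 matrix."""
        return self.likelihood * self.severity

    def level(self) -> str:
        """Bands of the 5x5 matrix (assumed thresholds)."""
        s = self.score()
        if s >= 15:
            return "critical"
        if s >= 9:
            return "high"
        if s >= 4:
            return "medium"
        return "low"

    def sle(self) -> float:
        """Single loss expectancy."""
        return self.asset_value * self.exposure

    def ale(self) -> float:
        """Annualised loss expectancy: what the risk costs per year if untreated."""
        return self.sle() * self.aro


@dataclass
class Mitigation:
    name: str
    risk_index: int       # index into the register
    annual_cost: float    # EUR per year for the control
    residual_aro: float   # ARO expected once the control is in place


# Constructed register: four assets, owners deliberately spread across departments.
REGISTER = [
    Risk("customer database", "ransomware", "IT", True, 4, 5, 500_000, 0.6, 0.5),
    Risk("HR records", "insider disclosure", "HR", True, 2, 4, 200_000, 0.5, 0.2),
    Risk("public website", "denial of service", "Marketing", False, 3, 2, 50_000, 0.2, 2.0),
    Risk("contracts archive", "credential theft via phishing", "Legal", True, 3, 4, 300_000, 0.3, 0.4),
]

MITIGATIONS = [
    Mitigation("offline backups + EDR", 0, 40_000, 0.1),
    Mitigation("DLP + least privilege", 1, 25_000, 0.05),
    Mitigation("DDoS protection service", 2, 8_000, 0.2),
    Mitigation("MFA + phishing training", 3, 12_000, 0.1),
]


def prioritise(register):
    """Qualitative prioritisation: highest matrix score first."""
    return sorted(register, key=lambda r: (-r.score(), r.asset))


def rosi(risk: Risk, m: Mitigation) -> float:
    """Return on security investment: (ALE reduction - control cost) / control cost."""
    ale_after = risk.sle() * m.residual_aro
    return (risk.ale() - ale_after - m.annual_cost) / m.annual_cost


def rank_mitigations(register, mitigations):
    """Quantitative prioritisation: controls ordered by ROSI, best first."""
    scored = [(m.name, rosi(register[m.risk_index], m)) for m in mitigations]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def non_it_owners(register):
    """Knowledge holders outside IT: the departments an ISIMS has to involve."""
    return {r.owner for r in register if r.owner != "IT"}


def personal_data_risks(register):
    """Risks that also fall under data-protection (legal) scrutiny."""
    return [r.asset for r in register if r.personal_data]


if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.level():8} {r.score():2}  ALE={r.ale():>9,.0f}  {r.asset} / {r.threat} ({r.owner})")
    for name, value in rank_mitigations(REGISTER, MITIGATIONS):
        print(f"ROSI {value:+.2f}  {name}")
```

The two orderings do not have to agree: the qualitative matrix ranks the HR records above the public website, while the quantitative branch shows the DLP control for HR records has a negative return at the assumed cost, which is exactly the kind of trade-off the text says has to be decided above the IT department.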
According to several authors, CIA factors and IT services must be achieved and maintained at an appropriate level, although this is a complex activity, because risk must be managed with mitigating measures while taking into consideration business goals, an insufficient amount of information, limited resources, and time constraints. In addition, there are policies that need to be established at an appropriate level, because although the IT division knows risks and attacks very well, it is not prepared to make choices that are strategic for the company. In other words, somebody at the level of the board of directors should choose the policies, and the IT department should only implement them.
More generally, this is a multi-criteria decision-making (MCDM) problem, and a review of the literature highlights a significant application of MCDM in the context of risk assessment, as well as the need for a new hybrid model integrating information security elements [37]. There is a trend of research on hybrid models for risk analysis and assessment [38,39], implying interdisciplinarity in conducting research and, consequently, integration with other business domains.

Data Protection key points in Service Science
Data protection, and more generally information protection, should be implemented in all information processes through logical, technical, physical and organizational measures that prevent data from losing confidentiality, integrity and availability [40,41,42].
There are examples of the inefficiency of a reactive, bottom-up, technology-centric approach to determining security and privacy requirements [43]. Therefore, to reduce the risk of data breaches and other types of security incidents, the organization must be proactive and adopt preventive policies and related measures, including cryptography, that fit and are proportionate to the organizational structure [44]. In a world changing at a fast pace, where big data sources are ready to be integrated to enhance predictive analysis [45], data should be managed and shared in a secure way [46], taking people's privacy properly into account. With the introduction of the GDPR [47], companies are required to implement rules and measures for data processing, as well as mechanisms that foster security and privacy together, from both the user and the application side. The application of pseudonymisation or cryptography to personal data can reduce the risks to the data subjects concerned and help controllers and processors meet their data-protection obligations, even if this may not be enough in the near future. Indeed, new solutions to tackle security and privacy issues are necessary; otherwise, the use of big data sources combined with new methodologies of data analysis will overcome current encryption and anonymization schemes, as computing techniques become able to re-identify de-identified data [48].
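As an added example (not from the paper), the following Python script contrasts the pseudonymisation measure mentioned above with the re-identification risk the paragraph warns about: an unkeyed hash of an e-mail address falls to a dictionary attack, a keyed HMAC pseudonym does not, yet the quasi-identifiers left in the records still single out individuals, which a k-anonymity check and a linkage attack make visible. The records, the attacker's candidate list and the key are constructed for the example.

```python
"""Pseudonymisation versus re-identification on constructed personal data.

Added illustration, not from the paper. It shows (1) that an unkeyed hash of
a low-entropy identifier such as an e-mail address is reversed by a dictionary
attack, so it is not pseudonymisation in any useful sense; (2) a keyed
pseudonym (HMAC-SHA-256 under a secret held by the controller) that resists
that attack; and (3) that even keyed pseudonyms leave records re-identifiable
through quasi-identifiers. Records, candidate list and key are all made up.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed records: one direct identifier plus three quasi-identifiers.
RECORDS = [
    {"email": "alice@example.com", "zip": "20121", "birth_year": 1984, "sex": "F", "diagnosis": "A"},
    {"email": "bob@example.com",   "zip": "20121", "birth_year": 1984, "sex": "M", "diagnosis": "B"},
    {"email": "carol@example.com", "zip": "20121", "birth_year": 1990, "sex": "F", "diagnosis": "C"},
    {"email": "dave@example.com",  "zip": "20121", "birth_year": 1990, "sex": "F", "diagnosis": "A"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Secret pseudonymisation key; assumed to be stored apart from the data set.
KEY = secrets.token_bytes(32)


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256: deterministic and computable by anyone."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes = KEY) -> str:
    """HMAC-SHA-256: same linkability for the controller, no lookup table for outsiders."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, pseudonym):
    """Replace the direct identifier by pseudonym(identifier); keep the other fields."""
    out = []
    for r in records:
        p = dict(r)
        p["pid"] = pseudonym(p.pop("email"))
        out.append(p)
    return out


def dictionary_attack(pseudonymised, candidates, pseudonym):
    """Attacker hashes guessed identifiers and matches them against the pids."""
    table = {pseudonym(c): c for c in candidates}
    return {r["pid"]: table[r["pid"]] for r in pseudonymised if r["pid"] in table}


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values (1 = unique rows)."""
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(classes.values())


def link(pseudonymised, known):
    """Linkage attack: records consistent with attributes known from another source."""
    return [r for r in pseudonymised if all(r[k] == v for k, v in known.items())]


if __name__ == "__main__":
    guesses = ["alice@example.com", "mallory@example.com", "dave@example.com"]
    print(dictionary_attack(pseudonymise(RECORDS, naive_pseudonym), guesses, naive_pseudonym))
    print(dictionary_attack(pseudonymise(RECORDS, keyed_pseudonym), guesses, naive_pseudonym))
    print("k =", k_anonymity(RECORDS))
    print(link(pseudonymise(RECORDS, keyed_pseudonym), {"zip": "20121", "birth_year": 1984, "sex": "M"}))
```

The keyed pseudonym solves only the first problem. Because the data set has k = 1, anyone who knows Bob's postcode, birth year and sex from a public source recovers his diagnosis without touching the pseudonym at all, which is why the paragraph treats pseudonymisation as a risk reducer rather than a complete answer; generalising or suppressing the quasi-identifiers until k exceeds 1 is a separate measure.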
With the introduction of the new EU Regulation (the GDPR), the concept of risk management is required to be introduced into organizational processes in order to meet the principle of accountability, a classic principle of information security. Therefore, the likelihood and severity of risk apply even in the context of the rights and freedoms of the data subject, and should be evaluated on the basis of an objective assessment. The aim of managing risks in data protection is to find measures that mitigate the risk of loss of confidentiality, integrity and availability of data, just as in information security.
Today there are many companies that provide services in the field of data protection, from simple tools to support privacy compliance to software as a service (SaaS) products. This is a trend that has been boosted by the introduction of the GDPR, a regulation more focused than its predecessor [49] on processes and data flow mapping. Companies that offer data protection as a service (DPaaS) usually provide tools and services that deliver compliance activities through a service model and help in securing data. DPaaS tools are provided on a cloud basis, with options for data backup solutions and integration with access control tools, network virtualization tools, or firewalls. Moreover, the introduction of the Data Protection Officer (DPO), who ensures the compliance of organizational data processes with the GDPR, may directly influence the ability of the organization to leverage data. This implies direct responsibilities for the way past data are processed, but also for how predictive analyses are performed. Thus, the increasing use of cloud-based services can lead to a DPaaS trend among companies.

Results
Data protection and information security are sustaining the constant evolution of business models. Failing to implement privacy and security measures can lead to negative outcomes that significantly hinder value cocreation. Today, more than in the past, the capabilities and organizational structure of an organization, and its relations with customers, are vital for business [50], but in the digital context these are not possible without the implementation of data protection and information security mechanisms. The more synergies are developed among these domains, the more efficiently value is created.
With regard to the papers identified in this study, it emerges clearly that information is the most valuable asset in the digital world, and that personal data are a subset of information which has a great influence on how risk should be considered and mitigated within a company.
Moreover, there are several techniques and methodologies applied in the security sector, but data protection does not yet seem fully integrated into such techniques and methodologies; rather, privacy law and the related measures are treated as external inputs.
There seems to be a lack of literature and research exploring the possibility of integrating data privacy and security with information security; on the contrary, all the papers identified start from the assumption that IT departments continue to be the focal point for information security only.
There also seems to be an emerging trend in data protection as a service (DPaaS), thanks to the increase in the adoption of cloud-based services, but no evidence was found of synergies or interdependencies with the information security domain, its techniques, or its tools.
There is a common view in the papers identified that Service Science is more and more dependent on data processing and communication flows, and the need emerges for companies to balance the sharing of information and its protection, given the final goal of value creation for KUs, who ultimately are customers.

Conclusions
Thanks to the results identified, there is a good basis to argue that the Service Science sector has room to manage data protection and cyber security through an information security integrated management service (ISIMS). Considering that security and privacy cocreation is an important research topic, the development of an ISIMS can foster value cocreation in the service sector by virtue of the increasing weight that the risk analysis of data management has in strategic decisions, and of the ongoing regulatory changes in the privacy field around the globe. It is true that the general principles still come from the requirements of information security, but their integration, also with the requirements of sensitive data protection, is still far from satisfactory. Confidentiality is easily obtained with cryptography, but at which level should it operate? [50] In addition, there is access control (already used in DBMSs and operating systems), which can also provide confidentiality, but the two are still used independently and are not integrated. Users also want data integrity (not only for sensitive data); cryptography offers methods for ensuring it (e.g., keyed cryptographic hash functions, digital signatures), but the most correct and promising method is authenticated encryption, which is interesting and powerful, although its resistance to attacks is argued under standard cryptographic assumptions rather than proven unconditionally. Access control is not integrated with authenticated encryption, and integrating them poses several challenges that require ad-hoc design.
An ISIMS can efficiently manage the above-mentioned and opposing needs of sharing and protecting knowledge, starting from a turn away from the traditional organizational separation between information security and data protection: an innovative approach, capable also of sustaining an enterprise architecture language [51] that fosters security and privacy cocreation.
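To make concrete the point in the conclusions that confidentiality, integrity and access control are layered rather than integrated (and the earlier observation, in the information security section, that cryptographic primitives tend to operate in isolation), the following added example (not from the paper) first shows that encryption alone is malleable, then builds an encrypt-then-MAC construction whose authenticated associated data carries the access-control context, so that a ciphertext cannot be opened under a different owner or policy version. The HMAC-SHA-256 counter-mode keystream is an assumption made only to keep the script free of third-party dependencies; in production one would use AES-GCM or ChaCha20-Poly1305 with the same associated-data discipline. Keys, nonces, the record and the context strings are constructed.

```python
"""Encryption alone, encrypt-then-MAC, and binding the access-control context.

Added illustration, not from the paper. Part 1: a stream cipher gives
confidentiality but no integrity, so an attacker who knows where a field sits
can rewrite it without the key. Part 2: an encrypt-then-MAC tag computed over
associated data that carries the access-control context ties the ciphertext
to the context it may be decrypted in. The keystream is HMAC-SHA-256 in
counter mode, assumed here only to stay within the standard library.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32


def _derive(master: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(key, nonce || i); a nonce must never repeat under a key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(master: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream (the same call decrypts)."""
    ks = _keystream(_derive(master, b"enc"), nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: flip exactly the ciphertext bits that turn `old` into `new` at `offset`."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def _tag(mac_key: bytes, nonce: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Tag over length-prefixed associated data, nonce and ciphertext."""
    msg = len(aad).to_bytes(4, "big") + aad + nonce + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(master: bytes, nonce: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; `aad` (the access-control context) is authenticated, not encrypted."""
    ct = encrypt_only(master, nonce, plaintext)
    return ct + _tag(_derive(master, b"mac"), nonce, aad, ct)


def open_sealed(master: bytes, nonce: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag under the caller's context before decrypting anything."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = _tag(_derive(master, b"mac"), nonce, aad, ct)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity or access-control context check failed")
    return encrypt_only(master, nonce, ct)


# Constructed values for the demonstration.
MASTER = hashlib.sha256(b"demo master key (constructed)").digest()
RECORD = b"amount=0100;to=alice"
CONTEXT_ALICE = b"owner=alice;role=customer;policy=v2"
CONTEXT_BOB = b"owner=bob;role=customer;policy=v2"


def demo() -> dict:
    """Run the four cases and report what each one yields."""
    results = {}
    # Part 1: encryption alone is malleable; the forged value decrypts cleanly.
    nonce = secrets.token_bytes(12)
    ct = encrypt_only(MASTER, nonce, RECORD)
    forged = tamper(ct, RECORD.index(b"0100"), b"0100", b"9900")
    results["forged_plaintext"] = encrypt_only(MASTER, nonce, forged)
    # Part 2: tag bound to the access-control context.
    nonce = secrets.token_bytes(12)
    blob = seal(MASTER, nonce, RECORD, CONTEXT_ALICE)
    results["honest"] = open_sealed(MASTER, nonce, blob, CONTEXT_ALICE)
    attempts = {
        "tampered": (tamper(blob, RECORD.index(b"0100"), b"0100", b"9900"), CONTEXT_ALICE),
        "wrong_context": (blob, CONTEXT_BOB),
    }
    for name, (candidate, ctx) in attempts.items():
        try:
            open_sealed(MASTER, nonce, candidate, ctx)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v!r}")
```

Putting the context into the associated data means the access-control decision and the decryption succeed or fail together: the policy string that authorised the access is the same string the tag was computed over, so a record copied into another user's storage, or opened under an older policy version, is rejected by the same check that catches bit-flipping. This is one ad-hoc design of the kind the conclusions call for, not a substitute for the access-control layer itself.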