The new information and communication technologies have brought an evolution of IT systems from a standalone architecture to architectures where the systems are interconnected, and this in a multi-organizational environment. Through their interactions and their collaboration with external systems, notably via the service paradigm, information systems have become the place where information from different sources converges: data collected by the information system, computed data, data from outsourced services or databases,.. . Therefore, from a computer security point of view we can no longer focus solely on hardware, software and network issues. From now on, we must take into account the data that is an integral part of an organization's capital: data is today the main concern of companies. In this article we address the information security from the perspective of risk management taking into account the ability of an organization to control its data flows (incoming and outgoing). We propose the introduction of a new security criterion: the "controllability". The consideration of this criterion is essential to avoid the garbage in, garbage out issue (incoming data) and to reduce the risks in the use of the data produced (outgoing data).