Using theories from economics and finance for information security risk management

Date: 4 July 2016

Venue: Norwegian University of Science and Technology - Teknologiveien 22 - 2815 Gjøvik, Norway

PhD candidate: Pankaj Pandey

Principal investigator: Prof. dr. Steven De Haes, University of Antwerp

Co-principal investigator: Prof. dr. Einar Arthur Snekkenes, NTNU

Short description: PhD defence Pankaj Pandey - joint PhD Faculty of Applied Economics, University of Antwerp - Faculty of Computer Science and Media Technology, NTNU

The economic benefit of investments in information security risk management is estimated as the value of the reduction in the impact of an uncertain future event. Therefore, it is important for decision makers to be able to predict uncertain future events and their adverse impact. On the other hand, information about information security events often exists only as dispersed insights, opinions, and intuitions. An effort to aggregate this dispersed information may make a significant contribution to risk management. Therefore, devising a mechanism to aggregate the dispersed information for risk management, particularly to 'hedge' the impact of an information security event, is crucial.

Prediction markets are an emerging form of technology-enabled economic tool for collecting human intelligence. Several studies and industry applications have shown that prediction markets are one of the most effective mechanisms for collecting and aggregating dispersed information. However, not all prediction markets have the same objective, and therefore they differ in design. Thus, an important question for the success of a prediction market is how to design it.

This thesis investigates the gaps in the existing information security investment models and market methods and proposes a framework to simplify the task of selecting an investment model. This research establishes a conceptual foundation for the study of information security prediction markets and investigates the applicability of prediction markets in the management of information security risks. A set of design elements and performance evaluation criteria for the information security prediction market are presented in this thesis. Furthermore, this thesis presents a set of information security financial instruments, demonstrates their application and evaluates their usefulness in mitigating the impact of the underlying information security event. A set of metrics for ex-ante and ex-post assessment of hedge strategy and of the performance of information security financial instruments is presented in this thesis. This research establishes that information security financial instruments and prediction markets can be an effective solution, at least to some extent, to the problems in the existing risk market for information security risks.
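The following is an added illustration, not code from the thesis or the announcement: a toy information security prediction market that aggregates several analysts' beliefs into one event probability, followed by the ex-ante and ex-post metrics for a binary contract used to hedge the event's impact. It assumes a logarithmic market scoring rule (LMSR) market maker, a common prediction-market design that the announcement does not specify, and budget-limited traders; all beliefs and amounts are constructed.

```python
"""Added illustration, not part of the thesis or the announcement: a toy
information security prediction market whose aggregated price is used to
hedge the impact of one security event.
Assumptions (all constructed here): a single binary contract paying 1 per share
if the event occurs; a logarithmic market scoring rule (LMSR) market maker, a
common design the announcement does not specify; budget-limited traders with
0 < belief < 1 who push the price toward their own belief."""
import math

def lmsr_cost(q_yes, q_no, b):
    """LMSR cost function C(q) = b * ln(exp(q_yes/b) + exp(q_no/b))."""
    return b * math.log(math.exp(q_yes / b) + math.exp(q_no / b))

def lmsr_price(q_yes, q_no, b):
    """Current YES price = the market's aggregated probability of the event."""
    return 1.0 / (1.0 + math.exp((q_no - q_yes) / b))

def trade_toward(q, b, belief, budget):
    """One trader buys YES (belief above price) or NO (below) until the price
    equals their belief or their budget is spent; returns the new share totals."""
    q_yes, q_no = q
    c0 = lmsr_cost(q_yes, q_no, b)
    if belief > lmsr_price(q_yes, q_no, b):
        want = b * math.log(belief / (1 - belief)) - (q_yes - q_no)
        # largest YES purchase whose LMSR cost C(q') - C(q) equals the budget
        afford = b * math.log(math.exp((c0 + budget) / b) - math.exp(q_no / b)) - q_yes
        return (q_yes + min(want, afford), q_no)
    want = b * math.log((1 - belief) / belief) - (q_no - q_yes)
    afford = b * math.log(math.exp((c0 + budget) / b) - math.exp(q_yes / b)) - q_no
    return (q_yes, q_no + min(want, afford))

def run_market(beliefs, b=100.0, budget=10.0):
    """Sequentially apply every trader's belief; return the final YES price."""
    q = (0.0, 0.0)
    for belief in beliefs:
        q = trade_toward(q, b, belief, budget)
    return lmsr_price(q[0], q[1], b)

def hedge_metrics(p, loss, shares, occurred):
    """Hedge `loss` with `shares` contracts bought at price p. Ex-ante metric:
    variance reduction (hedge effectiveness); ex-post metric: realised saving."""
    premium = shares * p
    unhedged = [0.0, loss]                           # outcomes: no event / event
    hedged = [premium, premium + loss - shares]
    def var(x):
        m = (1 - p) * x[0] + p * x[1]
        return (1 - p) * (x[0] - m) ** 2 + p * (x[1] - m) ** 2
    ex_ante = 1 - var(hedged) / var(unhedged)
    ex_post = unhedged[occurred] - hedged[occurred]  # negative if the event never occurs
    return ex_ante, ex_post

if __name__ == "__main__":
    # constructed beliefs of four analysts about "breach of system X this year"
    p = run_market([0.2, 0.35, 0.3, 0.55])
    print(f"market probability {p:.3f}")
    print("full hedge, event occurred:", hedge_metrics(p, 1_000_000, 1_000_000, 1))
```

Because budgets limit how far each trader can move the price, the final price lies strictly between the traders' beliefs rather than simply equalling the last one; a full hedge at a fair price removes the loss variance but costs the premium whether or not the event occurs.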