Pankaj Pandey successfully completed his PhD trial lecture and thesis defense at the Norwegian University of Science and Technology on Monday, the 4th of July 2016 and will be awarded the degree of Doctor of Philosophy.
The title of his thesis is “Using Theories from Economics and Finance for Information Security Risk Management” and the given topic for his trial lecture was “Security and Insecurity with Open Source Software: Past, Present, and Future”.
In his thesis, Pandey presents a method for investing in information security risk management. Information security practitioners face the challenging task of assessing information security risks. Lack of complete information about all vulnerabilities in the system makes it difficult to assess the severity of vulnerabilities and to estimate the impact of an attack. There are technical tools to protect against cyber attacks, such as passwords, firewalls etc., and various insurance solutions if one were to be attacked. The problem is that conventional insurance does not have the capacity to cover huge losses. When it comes to cyber attacks, losses may involve millions of dollars. In addition, an attack will have a negative impact on share price and the organization’s reputation. Investors call for better risk mitigation strategies, and Pandey has chosen to address this issue from an economic perspective.
Gather knowledge to prevent attacks
With several scenarios taken from real life, Pandey presents a type of financial market related to information security, where anyone with knowledge of and interest in information security can contribute to and profit from protecting against attacks. This type of market is called an information security prediction market, and can be an effective method to collect and take advantage of information that would otherwise be dispersed. The market is open for participants to buy and sell a variety of information security derivatives, such as options. The economic benefit of investments in information security risk management is estimated as the value of the reduction in the impact of an uncertain future event, such as a cyber attack. In this regard it is important to be able to predict the events and their potential impact. All stakeholders have a high interest in an attack not occurring. They will thus work towards a common goal of protection, by selling any information they have about software vulnerabilities. That way everyone will have the opportunity to profit from knowledge sharing. If an organization were to be attacked, the stakeholders are so many that it is possible to cover even huge losses. The system thus has the potential to help businesses in cases where they otherwise might not have survived.
Pandey’s research can help to prevent cyber attacks from happening and to mitigate the adverse effects after they have happened.
The following committee has been appointed to evaluate his thesis, trial lecture and defense:
- First external opponent: Professor Dr. Wim Van Grembergen, Information Systems Management Group, University of Antwerp, Belgium.
- Second external opponent: Dr. Janne Hagen, Forsvarets forskningsinstitutt (FFI).
- Internal opponent and administrator for the assessment committee: Professor Dr. Stewart Kowalski, Faculty of Computer Science and Media Technology, NTNU in Gjøvik.
- Dean Nils Kalstad Svendsen led the disputation.
Pankaj Pandey carried out his PhD work at the Faculty of Computer Science and Media Technology, NTNU and Faculty of Applied Economics, University of Antwerp. His supervisors were Professor Einar Snekkenes, Faculty of Computer Science and Media Technology, NTNU in Gjøvik and Professor Steven De Haes, Department of Applied Economics, University of Antwerp, Belgium.