PhD programme in Information Security - PHD-IS

Short description

Information security is a cross-cutting concern which is most closely related to Computer Science and Mathematics; in the context of the categorisation by the Norwegian Higher Education Institutions, this is most closely aligned with Mathematics and Natural Sciences, Information and Communication Science, and Security and Vulnerability. Although particularly at the research level it is inevitable that novel specializations arise whilst others decline in interest, the undergraduate curricula maintained by the joint IEEE/ACM Computing Curricula committee provide some indication of key areas; these cover both theoretical and mathematical foundations but also cryptography and abstract models of security-related properties as well as security-related aspects of application domains such as operating systems, networks, biometrics, or forensics. Moreover, ancillary domains such as policy, operational issues, and security management are also encompassed by these curricula and considered mainstream information security research, as is research on risk and threat analysis and vulnerabilities.
Similarly more applied sub-domains are also identified by the CISSP (Certified Information Systems Security Professional) certification1 and similar professional-level certification and training programmes.
As with any doctoral programme, however, one of the main objectives is to ensure that mathematical and scientific methods are acquired by students enrolled in the programme, providing the foundation to undertake largely independent research on completion of the programme whilst having undertaken specialized research within the domain of information security during the course of the programme.


The programme is considered part of the 3rd higher education cycle, namely the PhD level. The PhD programme is arranged such that it normally can be completed within a three year efficient research education period. Of this period, at least one semester (30 ECTS Credit Points) is reserved for organized teaching and learning in a form and manner appropriate to the study outcomes including but not limited to courses and seminars.

This taught component must be completed at the time of submission of the dissertation, but unless set out otherwise in case of a conditional admissions (see Course Structure), no further requirement on the time at which the taught credit points are to be accrued are made.
The PhD programme must be completed (as determined by the date at which the viva voce takes place) within eight years from the date of admission as specified in the letter of admission.

The above period may be prolonged in case of formal interruption of studies or where extenuating circumstances apply. Unless such extenuating circumstances are required to be considered by law, they are decided on a case by case basis by a committee consisting of the Director of Academic Affairs, the Director of the PhD programme in Information Security, and at least one of the academic supervisors of the candidate by unanimous consent. Where such consent is not reached, the application for prolonging the study period will be considered as denied.
A prolonged maximum study period may also be approved by the Admissions Board in consensus with the Director of Academic Affairs in cases where applicants wish to pursue the PhD programme on a part-time basis. In such cases the maximum period must not exceed ten years and will be noted in the letter of admission.

The PhD programme is a supervised programme. The PhD student will have regular contact with his or her supervisors and will typically participate in a research group.
For candidates pursuing their studies on a full-time basis, the targeted time to completion of studies is three years or four years in case the candidate holds relevant teaching duties.

Expected learning outcomes

The goal of the PhD programme in information security at Gjøvik University College is that the candidate will conduct independent research under the guidance of one or more academic supervisors leading to a dissertation.

The doctoral dissertation must embody the results of extended research, be an original contribution to knowledge, and include material worthy of publication at an internationally recognized level. It should demonstrate the candidate’s ability to conduct an independent investigation, to abstract principles upon which predictions can be made or other novel results obtained, and to interpret in a logical manner facts and phenomena revealed by the research.

Candidates will also receive advanced training in theoretical background and foundations both applicable to the immediate field of study and also forming a foundation for independent and objective scientific investigation and principles. Successful candidates will be qualified for research activities and other forms of positions with substantial scientific requirements.

Graduates from the study programme PhD in Information Security will be qualified primarily for high level research positions in industry as well as teaching and research positions in academia.


Establishing links to academics outside the college and particularly internationally is highly desirable, as is an exposure to working conditions and academic approaches at other, international institutions.

An individual study plan should therefore identify one or two opportunities for gaining experience at overseas institutions over the course of the doctoral studies. Whilst overseas visits and stays are not mandatory and need not be arranged at the time of drawing up an individual study programme, the need for making appropriate arrangements with hosting institutions makes taking such steps early on advisable.

The duration of the overseas stays should be several weeks to ensure sufficient exposure to the research environment at the hosting institution.

Target Group

The target group for the PhD study programme encompasses candidates holding a relevant Master degree whose degree classification matches the requirements set out in the section Admission Criterias. Such candidates may wish to pursue careers as academics, research scientists, or to hold advanced positions related to information security in industry and government.

Admission Criteria

In order to be admitted to a PhD programme, the applicant must normally hold a five-year Master degree or equivalent combination of undergraduate degree and Master level degree, which the university college has approved as basis for admission to the PhD programme.

Master degree programmes relevant for the purposes of the PhD in Information Security include but are not limited to Mathematics, Computer Science, and Electrical Engineering and combined degree programmes incorporating substantial elements of these. Further degree programmes in different or related subjects may be approved on an individual basis taking particularly the proposed area of doctoral research of a candidate into account.

For an application to be accepted, the above degrees must also satisfy minimum requirements for degree classification. Based on the common Norwegian degree classification scheme, these requirements are:

  • Average grade for the Bachelor degree must be A, B or C
  • Average grade for subjects/courses at Master level must be A or B
  • The Master thesis must have grade A or B

These requirements may be waived or reduced in part by unanimous vote of the Admissions Board (see further information about the admission prosess here) in exceptional circumstances. These include cases where an equivalent degree classification cannot be established or mapped onto the above scale.

Moreover, waivers and reductions may also form part of a conditional admission. These may be granted if the Admissions Board is satisfied that extenuating circumstances are applicable for a given candidate. Failure on the part of the candidate to meet the requirements imposed by the Admission Board as part of the admission letter will result in the admission considered to be rejected effective with the date of the original decision regarding the application.

For further discussion of these requirements also refer to the website.

Course Structure

The taught component of an individual PhD study plan instance must comprise at least 30 ECTS credit points. These 30 credit points must be part of an approved study plan which may encompass more than 30 credit points together; the initial study plan is must form part of the application to the PhD programme but may be amended and altered subsequently. Any such changes must be submitted in writing and approved by the Director of the PhD programme.

If, as part of the elaboration of an individual study plan, it is determined that a candidate’s research or courses forming the core of the study plan have further prerequisites, a candidate can be required to take additional courses and seminars in excess of the 30 ECTS credit points.

No credit points are accrued for courses taken at the Bachelor level, but up to 10 credit points may be approved for courses at the Master level.

No courses forming part of the study plan may have been previously credited in the course of another degree programme. A review of individual study plans will ensure that overlap between courses credit to other degree programmes and the present study plans are minimized. From time to time courses may also be taken for credit from other accredited institutions provided that it can be established that the content and level of such courses is equivalent; the approval process for such external courses is as noted above. If a candidate has taken courses prior to commencing studies in the PhD programme, credit points which have not previously been credited to another degree programme may be credited provided that the examination awarding the marks and concomitant credit points has taken place less than five years before the start of the studies under the PhD programme. If credit points are to be credited for courses which were not marked on a Pass/Failed basis, they must have been marked at either the A or B grade or equivalent.
Courses covering the area of Ethics and Legal Aspects of Scientific Research, IMT6001, and Introduction to Information Security, IMT6011, are mandatory and must be taken at the PhD level.

The list of approved courses and their availability in a given time period is updated from time to time and is considered at the time of submission of the individual study plan and when such study plans are considered for changes or amendments. The list of approved courses is hereby formally included by reference into this document.

See also Section 4.2 of §4 in the Regulation for the degree of Philosophiae Doctor (PhD) at Gjøvik University College (website).

Technical Prerequisites

No technical requirements are imposed at this point.

Table of subjects

Coursecode Course name C/E *) ECTS each. semester
  S1(A) S2(S)
IMT6001 Ethics and Legal Aspects of Scientific Research C 5 5
IMT6011 Introduction to Information Security C 5 5
IMT6021 Foundations of Information Security E 5  
IMT6031 Intrusion Detection and Prevention E 5  
IMT6041 Selected Topics in Cryptology E 5  
IMT6051 Wireless Communication Security E 5  
IMT6061 Risk Analysis II E 5  
IMT6071 Biometrics E   5
IMT6081 Modern Cryptology E 5  
IMT6091 Computational Forensics E 5 5
IMT6101 Computational Intelligence E   5
IMT6111 Risk Analysis I E 5  
Sum: 0 0
*) C - Compulsory course, E - Elective course