Information Security Economics 1
2015-2016 - IMT4142 - 5 ECTS

On the basis of

IMT 4762 Risk Management 1

Expected learning outcomes


  • The candidate possesses advanced knowledge about the challenges and current practices in security decision making
  • The candidate possesses thorough knowledge in financial models and security metrics
  • The candidate is capable of applying his/her knowledge in financial models to support security decision making


  • The candidate is able to analyze financial models and theory and apply these to security decision making situations
  • The candidate is able to carry out a limited and focused security decision making process under supervision
  • The candidate is able to carry out critical analysis of various literature sources on security economics and evaluate the practical implication on security decision making

General competence

  • The candidate is capable of analyzing relevant professional and research results and experiences in security economics, particularly financial models for security decision making
  • The candidate is capable of applying his/her knowledge and skills in financial models to security decision making processes
  • The candidate can work independently and is familiar with the challenges and current practices in security decision making
  • The candidate is capable of discussing professional problems, analyses and conclusions in the field of security decision making, both with specialists and with a general audience
  • The candidate is capable of contributing to innovation and innovation processes


  1. European Union's (EU) view on information security economics
  2. Current industrial practices in information security economics
  3. Decision making in information security risk management
  4. Financial models
  5. Application of financial models as information security decision support

Teaching Methods

Project work

Teaching Methods (additional text)

Students are recommended to work in groups on the project. Every group must have no more than 3 members. It is also possible to complete the project individually. To ensure fairness, course deliverable grading will depend on deliverable quantity, quality and the number of contributing students.

The course will be made accessible for both campus and remote students. Every student is free to choose the pedagogic arrangement that best fits her/his own requirements. The lectures in the course will be given on campus and are open for both categories of students. All the lectures will also be available on the Internet through GUC’s learning management system (ClassFronter).

Form(s) of Assessment

Oral exam, individually
Evaluation of Project(s)

Form(s) of Assessment (additional text)

  • Project – 49%
  • Oral exam (individual) – 51%
  • Both parts must be passed

Grading Scale

Alphabetical Scale, A (best) – F (fail)

External/internal examiner

Evaluated by external and internal examiner.

Re-sit examination

For the oral exam: Re-sit August 2016

Examination support


Coursework Requirements


Teaching Materials

Books, articles and WEB resources such as

ENISA (2008): Security Economics and the Internal Market, 114 pages. Downloadable from:

Anderson, R. (2001): Why Information Security is Hard - An Economic Perspective. In: ACSAC 2001: Proc. 17th Annual Computer Security Applications Conference, pages 358–365. IEEE Press, Los Alamitos. Downloadable from:

Cavusoglu, H., Cavusoglu, H. and Raghunathan, S. (2004): Economics of IT Security Management: Four Improvements to Current Security Practices. Communications of the Association for Information Systems 14, pages 65–75.

Anderson, R. J. and Moore, T. W. (2007): Information security economics – and beyond. Advances in Cryptology – Crypto 2007, LNCS 4622, Springer Verlag, Berlin Heidelberg, 68–91. Downloadable from:∼rja14/Papers/econ crypto.pdf

Selected parts from: Herrmann, D. S. (2007). Complete guide to security and privacy metrics: Measuring regulatory compliance, operational resilience, and ROI. CRC Press.

Su, X. (2006). An overview of economic approaches to information security management. Downloadable from:

Daneva, M. (2006): Applying Real Options Thinking to Information Security in Networked Organizations. Tech. Rep. TR-CTIT-06-11, Centre for Telematics and Information Technology, University of Twente, Enschede. Downloadable from the website of University of Twente, NL.

Benaroch, M. and Kauffman, R.J. (1999): A Case for Using Real Options Pricing Analysis to Evaluate Information Technology Project Investment. Information Systems Research 10(1), pages 70–86.

Berthold, S. and Böhme, R. (2010): Valuating Privacy with Option Pricing Theory. In: Economics of Information Security and Privacy, pp. 187–209. Springer, Heidelberg.

Sonnenreich, W., Albanese, J., and Stout, B. (2006). Return on security investment (ROSI) – A practical quantitative model. Journal of Research and Practice in Information Technology, 38(1), pages 45–56. Downloadable from:

IANS and RedSeal Networks (2011). The ROS of RedSeal. – Practical example from the industry. Downloadable from:

LockStep and Australian Government Chief Information Office (GCIO) (2004). A Guide for Government Agencies Calculating Return on Security Investment. Downloadable from: