PhD programme in Information Security - PHD-IS


Information security is a cross-cutting concern which is most closely related to Computer Science and Mathematics; in the context of the categorisation by the Norwegian Higher Education Institutions, this is most closely aligned with Mathematics and Natural Sciences, Information and Communication Science, and Security and Vulnerability. Although particularly at the research level it is inevitable that novel specializations arise whilst others decline in interest, the undergraduate curricula maintained by the joint IEEE/ACM Computing Curricula committee provide some indication of key areas; these cover both theoretical and mathematical foundations but also cryptography and abstract models of security-related properties as well as security-related aspects of application domains such as operating systems, networks, biometrics, or forensics. Moreover, ancillary domains such as policy, operational issues, and security management are also encompassed by these curricula and considered mainstream information security research, as is research on risk and threat analysis and vulnerabilities.
 Similarly more applied sub-domains are also identified by the CISSP (Certified Information Systems Security Professional) certification1 and similar professional-level certification and training programmes.
 As with any doctoral programme, however, one of the main objectives is to ensure that mathematical and scientific methods are acquired by students enrolled in the programme, providing the foundation to undertake largely independent research on completion of the programme whilst having undertaken specialized research within the domain of information security during the course of the programme.

Studiets varighet, omfang og nivå

The programme is considered part of the 3rd higher education cycle, namely the PhD level. The PhD programme is arranged such that it normally can be completed within a three year efficient research education period. Of this period, at least one semester (30 ECTS Credit Points) is reserved for organized teaching and learning in a form and manner appropriate to the study outcomes including but not limited to courses and seminars.

This taught component must be completed at the time of submission of the dissertation, but unless set out otherwise in case of a conditional admissions (see Course Structure), no further requirement on the time at which the taught credit points are to be accrued are made.
 The PhD programme must be completed (as determined by the date at which the viva voce takes place) within eight years from the date of admission as specified in the letter of admission.

The above period may be prolonged in case of formal interruption of studies or where extenuating circumstances apply. Unless such extenuating circumstances are required to be considered by law, they are decided on a case by case basis by a committee consisting of the Director of Academic Affairs, the Director of the PhD programme in Information Security, and at least one of the academic supervisors of the candidate by unanimous consent. Where such consent is not reached, the application for prolonging the study period will be considered as denied.
 A prolonged maximum study period may also be approved by the Admissions Board in consensus with the Director of Academic Affairs in cases where applicants wish to pursue the PhD programme on a part-time basis. In such cases the maximum period must not exceed ten years and will be noted in the letter of admission.

The PhD programme is a supervised programme. The PhD student will have regular contact with his or her supervisors and will typically participate in a research group.
 For candidates pursuing their studies on a full-time basis, the targeted time to completion of studies is three years or four years in case the candidate holds relevant teaching duties.

Forventet læringsutbytte

The successful completion of a Ph.D. programme provides a number of specific learning outcomes listed in the sections below. Beyond these, it introduces candidates to the methods and principles of scientific inquiry. This is taught both explicitly in specific courses, and also attained by collaboration with researchers including the candidate's supervisors and research groups. This provides insights into the processes of research and project management beyond the immediate remit of a doctoral research project.

The specific learning outcomes expected to have been achieved upon completion of the study programme are grouped into three categories in accordance with the national qualification framework: Knowledge, Skills, and General Competence. These learning outcomes as listed below, relate to the generalised descriptions for Ph.D.  level study released by Kunnskapsdepartementet (KD) {}}.


The Knowledge learning outcomes are primarily achieved through the development of the thesis and the guidance by the supervisor during the Ph.D.  programme.  The development of the thesis from the preparation of peer-reviewed publication during the programme ensures the student is at the forefront of research in their field.  The taught component has amandatory course which teaches the foundation of ethical research and research methodology, and the optional courses provide an understanding of the current state in a specific research area.

  1. Knowledge of the most advanced research in the candidate´s specialisation area of Information Security.
  2. Strong understanding of academic theory and the preparation of high-quality research.
  3. Ability to select appropriate research methods and sampling techniques for the candidate’s research field.
  4. Understanding the current state-of-the-art and applying knowledge to the development of new knowledge, theories and presentation of research in Information Security.


The learning outcomes in the Skills domain relate to activity in the research community.  Specifically, this refers to the participation and possible leadership of industrial or academic research projects. Although the latter is not achieved or typically achievable by candidates themselves as part of their studies, successful completion of the programme enables to translate the understanding of processes and dynamics from observations and taught elements into such abilities. As with the previously described Knowledge outcomes, the preparation of the thesis forms a significant part of the development of these learning outcomes.  The experiences passed on from the supervisor and in the writing of peer-review publications contribute to the student's ability to interact with the international research community and to disseminate their research findings. 

  1. Ability to provide management and planning of research projects in Information Security in Academic and Industrial environments.
  2. Ability to support and participate in Industrial and Academic research projects at a high international level.
  3. Ability to comprehend complex academic issues and the related ethical considerations.
  4. Ability to understand and challenge the existing knowledge and practise in Information Security.

General Competence

The development of the general competence required to participate actively and constructively in the international research community, and to interact with other collaborators from outside Information Security --- considering that the discipline is often called upon to serve as a bridge to other disciplines --- and the general public are covered by a more varied set of learning outcomes.  The thesis preparation still has a major impact in teaching the student how to organise and explain their thoughts and research but these outcomes go beyond the formal written presentation of scientific research.  The ability to speak with clarity about these advanced research topics needs to be developed and is provided by the student's attendance at conferences for the presentation and discussion of publications, in workshops and tutorials within IMT and culminating with the public oral defence of their research.  Mandatory taught courses in research ethics and methodology are used to develop an understanding of the wider societal impact of their research, and the techniques to work with other disciplines and conduct projects to provide high-quality ethical research in diverse areas which may benefit advanced understanding of Information Security.

  1.  Ability to identify new problems arising from recent developments in Information Security and assess their impact on society.
  2. Ability to conduct ethical, scientifically sound research in areas of Information Security at the boundaries of existing laws and accepted limits.
  3. Ability to manage interdisciplinary projects with diverse groups of individuals to bring results in information security to fruition,
  4. Ability to organize and participate in research and development through established national and international research frameworks.
  5. Ability to argue the merits, limitations, and possibilities of new developments in information security in recognized international forums.
  6. Capability of applying latest abstract research within information security to specific real-world problems in creative and innovative ways.


Establishing links to academics outside the college and particularly internationally is highly desirable, as is an exposure to working conditions and academic approaches at other, international institutions.

An individual study plan should therefore identify one or two opportunities for gaining experience at overseas institutions over the course of the doctoral studies. Whilst overseas visits and stays are not mandatory and need not be arranged at the time of drawing up an individual study programme, the need for making appropriate arrangements with hosting institutions makes taking such steps early on advisable.

The duration of the overseas stays should be several weeks to ensure sufficient exposure to the research environment at the hosting institution.


The target group for the PhD study programme encompasses candidates holding a relevant Master degree whose degree classification matches the requirements set out in the section Admission Criterias. Such candidates may wish to pursue careers as academics, research scientists, or to hold advanced positions related to information security in industry and government.

Opptakskrav og rangering

In order to be admitted to a PhD programme, the applicant must normally hold a five-year Master degree or equivalent combination of undergraduate degree and Master level degree, which the university college has approved as basis for admission to the PhD programme.

Master degree programmes relevant for the purposes of the PhD in Information Security include but are not limited to Mathematics, Computer Science, and Electrical Engineering and combined degree programmes incorporating substantial elements of these. Further degree programmes in different or related subjects may be approved on an individual basis taking particularly the proposed area of doctoral research of a candidate into account.

For an application to be accepted, the above degrees must also satisfy minimum requirements for degree classification. Based on the common Norwegian degree classification scheme, these requirements are:

  • Average grade for the Bachelor degree must be A, B or C
  • Average grade for subjects/courses at Master level must be A or B
  • The Master thesis must have grade A or B

These requirements may be waived or reduced in part by unanimous vote of the Admissions Board (see further information about the admission prosess here) in exceptional circumstances. These include cases where an equivalent degree classification cannot be established or mapped onto the above scale.

Moreover, waivers and reductions may also form part of a conditional admission. These may be granted if the Admissions Board is satisfied that extenuating circumstances are applicable for a given candidate. Failure on the part of the candidate to meet the requirements imposed by the Admission Board as part of the admission letter will result in the admission considered to be rejected effective with the date of the original decision regarding the application.

For further discussion of these requirements also refer to the website.

Studiets innhold, oppbygging og sammensetning

The taught component of an individual PhD study plan instance must comprise at least 30 ECTS credit points. These 30 credit points must be part of an approved study plan which may encompass more than 30 credit points together; the initial study plan is must form part of the application to the PhD programme but may be amended and altered subsequently. Any such changes must be submitted in writing and approved by the Director of the PhD programme.

If, as part of the elaboration of an individual study plan, it is determined that a candidate’s research or courses forming the core of the study plan have further prerequisites, a candidate can be required to take additional courses and seminars in excess of the 30 ECTS credit points.

No credit points are accrued for courses taken at the Bachelor level, but up to 10 credit points may be approved for courses at the Master level.

No courses forming part of the study plan may have been previously credited in the course of another degree programme. A review of individual study plans will ensure that overlap between courses credit to other degree programmes and the present study plans are minimized. From time to time courses may also be taken for credit from other accredited institutions provided that it can be established that the content and level of such courses is equivalent; the approval process for such external courses is as noted above. If a candidate has taken courses prior to commencing studies in the PhD programme, credit points which have not previously been credited to another degree programme may be credited provided that the examination awarding the marks and concomitant credit points has taken place less than five years before the start of the studies under the PhD programme. If credit points are to be credited for courses which were not marked on a Pass/Failed basis, they must have been marked at either the A or B grade or equivalent.
 Courses covering the area of Ethics and Legal Aspects of Scientific Research, IMT6001, and Introduction to Information Security, IMT6011, are mandatory and must be taken at the PhD level.

The list of approved courses and their availability in a given time period is updated from time to time and is considered at the time of submission of the individual study plan and when such study plans are considered for changes or amendments. The list of approved courses is hereby formally included by reference into this document.

See also Section 4.2 of §4 in the Regulation for the degree of Philosophiae Doctor (PhD) at Gjøvik University College (website).

Tekniske forutsetninger

No technical requirements are imposed at this point.



Emnekode Emnets navn O/V *) Studiepoeng pr. semester
  S1(H) S2(V)
IMT6011 Introduction to Information Security O 5 5
IMT6001 Ethics and Legal Aspects of Scientific Research O 5 5
IMT6041 Selected Topics in Cryptology V 5  
IMT6031 Intrusion Detection and Prevention V 5  
IMT6021 Foundations of Information Security V   5
IMT6051 Wireless Communication Security V 5  
IMT6061 Risk Management II V 5  
IMT6081 Modern Cryptology V 5  
IMT6091 Computational Forensics V 5 5
IMT6111 Risk Management I V 5  
IMT6121 Authentication V 5 5
IMT6071 Biometrics V   5
IMT6101 Computational Intelligence V    
Sum: 0 0
*) O - Obligatorisk emne, V - Valgbare emne