Applicability of Prediction Markets in Information Security Risk Management

Information security practitioners face a challenging task of assessing the information security risks. The lack of complete information about the vulnerabilities in the system leads to the problem of information asymmetry between the security stakeholders. This leads to difficulty in assessing the severity of vulnerabilities and estimation of the impact of an attack. There are at least two approaches to deal with information asymmetry in the information security market, namely market methods and financial instruments. This paper focuses on a relatively novel method: prediction markets, to deal with the information asymmetry problem in information security domain. In this paper, we examine the applicability of prediction markets in forecasting and assessment of information security events. We describe the usefulness of prediction markets in prediction of vulnerabilities, setting values for vulnerabilities and threats, and as a source of aggregating security information for pricing of cyber-financial instruments, such as cyber-insurance.