Sasha Romanosky, PhD A passion for research Publications | Presentations | Industry Projects  Greetings! I research topics on the economics of security and privacy, cyber crime, cyber insurance, and national security. I am a Senior Policy Researcher at the RAND Corporation, a faculty member of the Pardee RAND Graduate School, and an affiliated faculty in the Program on Economics & Privacy at the Antonin Scalia Law School, George Mason University. My research has appeared in journals such as the Journal of Policy Analysis and Management, the Journal of Empirical Legal Studies, the Journal of Cybersecurity, the Journal of National Security Law and Policy, the Berkeley Technology Law Journal, International Journal of Intelligence and CounterIntelligence, and ACM's Digital Threats: Research and Practice (DTRAP). I earned a Ph.D. in Public Policy and Management from Carnegie Mellon University and a B.S. in Electrical Engineering from the University of Calgary, Canada. I was a Microsoft research fellow in the Information Law Institute at New York University School of Law, and a security professional for over 10 years in the financial and e-commerce industries. In addition, I am one of the original authors of the Common Vulnerability Scoring System (CVSS), an international standard for scoring computer vulnerabilities, and a co-creator of the Exploit Probability Scoring System (EPSS), an emerging standard for estimating the probability of a vulnerability being exploited in the wild. It was my pleasure and honor to serve as a Cyber Policy Advisor in the Office of the Secretary of Defense for Policy (OSDP) at the Pentagon, where I oversaw the Defense Department's Vulnerability Equities Process (VEP), the Vulnerability Disclosure Program (VDP), and other cyber policy matters, for which I received the Defense Medal for Exceptional Public Service. I can be reached at sasha.romanosky [at] gmail.com.

Academic Research

My research is motivated by the surge in social media, cloud computing, and mobile services that is fuelling the unprecedented collection, use and sale of personal consumer information. These opportunities for use of big data afford many benefits to firms, consumers, and government agencies. However individuals can be harmed when their personal information is lost, stolen, or improperly accessed.

In addition to commercial purposes, individual data are used for many kinds of public sector applications such as law enforcement and national security. These surveillance data, whether collected from drones, CCTVs, license plate readers, or other sources, represent an unprecedented opportunity to detect -- and prevent -- malicious activity.

The critical tension, therefore, is in balancing corporate interests, individual privacy rights, law enforcement, and national security. While there are legitimate reasons for limiting the collection, use, or sharing of personal information, excessive restrictions can be inefficient. For example, limiting the types of data that firms can collect may enhance consumer privacy, but may reduce a firm's ability to innovate. Restricted access to medical information may reduce medical fraud, but it may also inhibit important medical research or identify disease outbreaks. Limiting access to location or cloud-based data may hinder the government's ability to investigate serious crimes.

How is consumer data regulated today?
The management of personal consumer information is regulated by many disparate state and federal laws. On one hand, states may prohibit the selling, sharing or public disclosure of personal information. For example, some states specifically prevent the sale of driver tollbooth information, while other states prevent the collection or public notice of social security, zip code, and social media account information. On the other hand, state laws allow, or require, the disclosure of personal information. For example, most states require that companies notify individuals when their personal information has been lost or stolen, while others require consumer notice if a company collects your information with intent to sell it.

But what is the full landscape of state and federal information laws? How can firms continue to innovate despite increasing data restrictions? Do these laws work as intended, or do they introduce perverse outcomes? What consequences and benefits exist for protecting critical infrastructure, and how can these effects be empirically measured?

How do Information Policies work, and how do they reduce externalities?
Legislators often consider a number of alternative policy interventions to help reduce externalities caused by the unauthorized disclosure or collection of information, such as ex ante safety regulation (mandated standards), information disclosure, and ex post liability. Ex ante regulation is often a heavy-handed prevention mechanism that enforces a minimum standard of care. However, its effectiveness is hampered when the regulated inputs are only loosely correlated with the harmful outputs. Disclosure, on the other hand, can be a corrective mechanism that empowers individuals to avoid potential harms. However, cognitive biases may instead burden individuals, preventing them from acting. Finally, ex post liability allows victims to recover any losses through civil litigation, thereby forcing firms to internalize any harm.

But are these interventions effective? How do they drive firm and consumer behaviors, and how do they affect overall social costs?

These issues present many wonderful opportunities for rigorous empirical and inter-disciplinary research in security and privacy, information policy, applied microeconomics, and law & economics.

Publications

Journal and Peer Reviewed Publications

• [J15] Jacobs, J., Romanosky, S., Edwards, B., Roytman, M., Adjerid, I., (2021) Exploit Prediction Scoring System, Digital Threats Research and Practice, 2(3), https://doi.org/10.1145/3436242.
• [J14] Jacobs, J., Romanosky, S., Adjerid, I., Baker, W, (2020) Improving vulnerability remediation through better exploit prediction, Journal of Cybersecurity, 6(1), https://doi.org/10.1093/cybsec/tyaa015.
• [J13] Romanosky, S., Boudreaux, B. (2020) Private-Sector Attribution of Cyber Incidents: Benefits and Risks to the U.S. Government, International Journal of Intelligence and CounterIntelligence, DOI: 10.1080/08850607.2020.1783877
• [J12] Khalili, M., Liu, M., Romanosky, S., (2019) Embracing and Controlling Risk Dependency in Cyber-insurance Policy Underwriting, Journal of Cybersecurity, 5(1).
• [J11] Ablon, L., Binnendijk, A., Hodgson, Q., Lilly, B., Romanosky, S., Senty, D., and Thompson, J., (2019), Operationalizing Cyberspace as a Military Domain: Lessons for NATO. Santa Monica, CA: RAND Corporation,  https://www.rand.org/pubs/perspectives/PE329.html.
• [J10] Williams, J.D., Parachini, J., Romanosky, S., Stebbins, D., Adgie, M., (2019), Advancing USMC OSINT Capabilities: Leveraging Intelligence Community Best Practices, Santa Monica, CA: RAND Corporation, PR-4299-1-USMC/MCIA.
• [J9] Romanosky, S., Ablon, L., Khuen, A., Jones, T. (2017) Content Analysis of Cyber Insurance Policies: How Do Insurance Companies Price Cyber Risk?, Journal of Cybersecurity, 5(1), 1-19.
• [J8] Romanosky, S., Goldman, Z. (2017). Understanding Cyber Collateral Damage, Journal of National Security Law and Policy, 9(1).
• [J7] Romanosky, S. (2016). Cost and Consequences of Cyber Incidents, Journal of Cybersecurity, 2(2), 121-135.
• [J6] Romanosky, S., Goldman, Z. (2016). Collateral Damage, Procedia Computer Science, 95, 10-17, Available at http://dx.doi.org/10.1016/j.procs.2016.09.287.
• [J5] Ablon, L., Heaton, P., Lavery, D., Romanosky, S., Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information, RAND Corporation, RR-1187-ICJ, 2016.
• [J4] Romanosky, S., Libicki, M., Winkelman, Z., Tkacheva, O, Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals, RAND Corporation (RR-1151-DOS), 2015
• [J3] Romanosky, S., Hoffman, D., and Acquisti, A. (2014). Empirical Analysis of Data Breach Litigation. Journal of Empirical Legal Studies, 11(1), 74–104.
• [J2] Romanosky, S., Telang, R. & Acquisti, A. (2011). Do Data Breach Disclosure Laws Reduce Identity Theft? Journal of Policy Analysis and Management, 30(2), 256-286.
• [J1] Romanosky, S. & Acquisti, A. (2009). Privacy Costs and Personal Data Protection: The Economic and Legal Perspectives. Berkeley Technology Law Journal, 24(3).

Working Papers and Papers in Review

• [WP3] Enterprise Risk Management: how do firms manage cyber risk?, with Elizabeth Petrun Sayers, (in review).
• [WP2] Health Provider incentives and the value of EMR: Evidence of EMR increasing outpatient charges, with Idris Adjerid and Ellerie Weber.
• [WP1] Is an ounce of prevention worth a pound of cure?: Balancing ex ante security with ex post mitigation, with Veronica Marotta, Richard Sharp, and Alessandro Acquisti (in review).

Book Publications

• [B3] Herr, T., Harrison, R., eds. (2016). Cyber Insecurity: Navigating the Perils of the Next Information Age. Rowman & Littlefield.
• [B2] Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P. (eds). (2006). Security Patterns: Integrating Security and Systems Engineering. Wiley & Sons, p 101-141, 164-176.
• [B1] Juric, M., Nashi, N., Berry, C., Kunnumpurath, M., Carnell, J., & Romanosky, S. (2002). J2EE Design Patterns Applied. WROX Press.

Industry Publications and Op-Eds

• [IP20] Are Firms and Consumers Investing Enough in Data Security?, Program on Economics and Privacy, Antonin Scalia Law School, George Mason Law School, January 10, 2019 . Available at https://custom.cvent.com/C674EF8FB0604BC9BF9B668FCA89DFEB/files/8d1f065ef9564e439ec810250f4d0a5a.pdf.
• [IP19] The Value of Data: a Story of Firm and Consumer Incentives, Building Common Approaches for Cybersecurity and Privacy in a Globalized World Transatlantic Conference, NYU Center for Cybersecurity & Humboldt Institute for Internet and Society.
• [IP18] Developing an Objective, Repeatable Scoring System for a Vulnerability Equities Process, Lawfare, February 13, 2019, available at https://www.lawfareblog.com/developing-objective-repeatable-scoring-system-vulnerability-equities-process.
• [IP17] Private-Sector Attribution of Cyber Attacks: A Growing Concern for the U.S. Government?, Lawfare, December 21, 2017, Available at https://lawfareblog.com/private-sector-attribution-cyber-attacks-growing-concern-us-government.
• [IP16] It’s Time for the International Community to Get Serious about Vulnerability Equities, with Kate Charlet, and Bert Thompson. Lawfare, November 15, 2017, Available at: https://www.lawfareblog.com/its-time-international-community-get-serious-about-vulnerability-equities.
• [IP15] The Equifax Breach: Yawn, or Yikes? Inside Sources, November 3, 2017, Available at: http://www.insidesources.com/equifax-breach-yawn-yikes/.
• [IP14] What Is Cyber Collateral Damage? And Why Does It Matter?, with Zachary K. Goldman, Lawfare, November 15, 2016. Available at https://www.lawfareblog.com/what-cyber-collateral-damage-and-why-does-it-matter.
• [IP13] The Future of Cyber Investigations at the FBI is Unclear, with Cortney Weinbaum, Inside Sources, August 24, 2016. Available at http://www.insidesources.com/the-future-of-cyber-investigations-at-the-fbi-is-unclear/.
• [IP12] The High Cost Of Hacks: Is Cyber Insurance To Blame For The Increasing Cost Of Data Breaches? US NEWS, March 6, 2015. Available at http://www.usnews.com/opinion/blogs/world-report/2015/03/06/cyber-insurers-must-do-a-better-job-of-assessing-risk-of-hacks.
• [IP11] Herr, T., Romanosky, S. (2015). Cyber Crime: Creating Roadmap to Effective Cyber Legislation, The American Foreign Policy Council Defense Technology Program Brief, (11).
• [IP10] Privacy Research Group Blog, Information Law Institute, NYU, School of Law, http://blogs.law.nyu.edu/privacyresearchgroup/, 2012-2013.
• [IP9] Comments to the Department of Commerce on Incentives to Adopt Improved Cybersecurity Practices (through cyber-insurance), http://www.ntia.doc.gov/files/ntia/romanosky_comments.pdf, 2012.
• [IP8] Concurring Opinions, (blog), www.concurringopinions.com, (Invited Contributor), 2010-2011.
• [IP7] Mell, P., Scarfone, K., & Romanosky, S. (2007). NIST Interagency Report (NIST IR) 7435, The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems. National Institute of Standards and Technology (NIST).
• [IP6] Mell, P., Scarfone, K., & Romanosky, S. (2007). A Complete Guide to the Common Vulnerability Scoring System Version 2.0. Forum of Incident Response and Security Teams (FIRST).
• [IP5] Mell, P., Scarfone, K., & Romanosky, S., (Nov/Dec, 2006). Common Vulnerability Scoring System. IEEE Security and Privacy, 4(6) 85-89.
• [IP4] Romanosky, S., Kim, G., & Kravchenko, B. (Oct 2006). Global Technology Audit Guide 6 (GTAG):Managing and Auditing IT Vulnerabilities. The Institute of Internal Auditors.
• [IP3] Cranor, L. F., Egelman, S., Hong, J., Kumaraguru, P., Kuo, C., Romanosky, S., Tsai, J., & Vaniea, K. (2005). FoxTor, A Tor Design Proposal. Carnegie Mellon University’s Usable Privacy and Security (CUPS) Laboratory.
• [IP2] Schiffman, M., Eschelbeck, G., Ahmad, D., Wright, A. & Romanosky, S. (2004). CVSS: A Common Vulnerability Scoring System. Forum of Incident Response and Security Teams (FIRST).
• [IP1] Romanosky, S. (March 2003). Enterprise Security Patterns. Information Systems Security Association Journal.

Presentations
Refereed and Peer-Reviewed Conferences

• [CP14] Improving Vulnerability Remediation Through Better Exploit Prediction, Workshop on the Economics of Information Security (WEIS), Boston, MA, June 3-4, 2019.
• [CP13] (Presentation by Mingyan Liu) Embracing and Controlling Risk Dependency in Cyber Insurance, with Mohammad Mahdi Khalili and Mingyan Liu, Workshop on the Economics of Information Security (WEIS), Innsbruck, Austria, June 18-19, 2018.
• [CP12] Content Analysis of Cyber Insurance Policies: How Do Insurance Companies Price Cyber Risk?, Workshop on the Economics of Information Security (WEIS), San Diego, CA, June 26-27, 2017.
• [CP11] (Presentation by Josh Baron) Collateral Damage, Complex Adaptive Systems 2016, Los Angeles, CA, November 2-4, 2016.
• [CP10] Provider incentives and the value of EMR: Evidence of hospitals using EMR to increase outpatient charges, 5th Annual Workshop on Health IT and Economics (WHITE), Washington DC, October 10-11, 2016.
• [CP9] Romanosky, S., Hoffman, D. & Acquisti, A. Empirical Analysis of Data Breach Litigation, iConference, College of Information, University of North Texas, February 12-15, 2013.
• [CP8] (Presentation by Alessandro Acquisti) Romanosky, S., Hoffman, D. & Acquisti, A. Empirical Analysis of Data Breach Litigation, 11th Workshop on the Economics of Information Security (WEIS), Berlin Brandenburg Academy of Sciences, Berlin, Germany, June 25-26, 2012.
• [CP7] Romanosky, S., Hoffman, D. & Acquisti, A. Empirical Analysis of Data Breach Litigation, International Conference on Information Systems (ICIS), Shanghai, China, December 4-7, 2011.
• [CP6] Romanosky, S., Hoffman, D. & Acquisti, A. Empirical Analysis of Data Breach Litigation, Fifth Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection (IFIP), Dartmouth College Hanover, NH, March 23–25, 2011.
• [CP5] Romanosky, S., Sharp, A. & Acquisti, A. Data Breaches and Identity Theft: When is Disclosure Optimal?, 9th Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA, June 8, 2010.
• [CP4] Romanosky, S., Telang, R. & Acquisti, A. Do Data Breach Disclosure Laws Reduce Identity Theft?, Conference on Empirical Legal Studies (CELS), Yale University, New Haven, CT, November 5-6, 2010.
• [CP3] Romanosky, S., Telang, R. & Acquisti, A. Do Data Breach Disclosure Laws Reduce Identity Theft?, 7th Workshop on the Economics of Information Security (WEIS), Dartmouth College, Hanover, NH, June 25-28, 2008.
• [CP2] Kuo, C., Romanosky, S. & Cranor, L. F. (2006). Human Selection of Mnemonic Phrase-based Passwords. Proceedings of the 2006 Symposium on Usable Privacy and Security (SOUPS), Carnegie Mellon University, Pittsburgh, PA, July 12-14, 2006.
• [CP1] Romanosky, S., Acquisti, A., Cranor, L. F., Hong, J. & Friedman, B. (2006). Privacy Patterns for online interactions. Proceedings of the 2006 Conference on Pattern Languages of Program, Portland, OR, October 21-23, 2006.

Conference and Workshop Presentations, and Panel Discussant

• [P116]        Securing Critical IT Products and Services, 73nd Semiannual Meeting of the RAND Board of Trustees, April, 2021. (Invited)
• [P115]        Navigating Risks with Cyber Insurance, PrivSec Global, March 23-25, 2021. (Invited)
• [P114]        Cyber insurance, The Role of Law and Government in Cyber Insurance Markets: A Cyber Insurance Conference,  University of Minnesota Law School, March 12, 2021. (Invited)
• [P113]        Cyberinsurance and Ransomware, Cybersecurity and Cybertrust Task Force, Computing Community Consortium, February, 22, 2021. (Invited)
• [P112]        Exploit Prediction Scoring System, TPRC, The Research Conference On Communications, Information, And Internet Policy, February 19, 2021.
• [P111]        Cyber Insurance: What You Need to Know About How it Works and What it Covers, Cyber Readiness Institute, February, 4, 2021. (Invited)
• [P110]        Program on Economics & Privacy, Scholars Research Roundtable, Law & Economics Center Antonin Scalia Law School, George Mason University, January 29, 2021. (Invited)
• [P109]        Research Roundtable, Law & Economics Center, Program on Economics & Privacy, George Mason University Antonin Scalia Law School, Tuscon, AZ, January 17-19, 2020.  (Invited)
• [P108]        Cyber Insurance and Cyber Resilience: A Workshop for Researchers and Practitioners, University of Pennsylvania Law School, Philadelphia, PA, December 13, 2019. (Invited)
• [P107]        How to Save Money on Cyber Insurance, Clearwater Healthcare Risk Management, Washington, D.C., October 9, 2019. (Invited)
• [P106]        2019 Distinguished Lecture Series, Kogod Cybersecurity Governance Center (KCGC), American University, Washington D.C., October 7, 2019 (Invited)
• [P105]        Balancing Privacy and Security in the Digital Age, U.S. State Department International Visitor Leadership Program (IVLP), Washington D.C., September 12, 2019. (Invited)
• [P104]        Information Technology Leaders Explore Cyber Security Strategies, U.S. State Department International Visitor Leadership Program (IVLP), Washington D.C., September 10, 2019. (Invited)
• [P103]        Private Sector Attribution of Cyber Incidents: Benefits and Risks to the U.S. Government, National Bureau of Economics (NBER) of National Security, July 22, 2019.
• [P102]        Improving Vulnerability Remediation Through Better Exploit Prediction, FTC PrivacyCon, Washington, DC, June 27, 2019.
• [P101]        Economics & Privacy, Seventh Annual Public Policy Symposium on the Law & Economics of Privacy and Data Security, George Mason University Antonin Scalia Law School, May 10, 2019. (Invited)
• [P100]        Assessing, Measuring, Reducing and Transferring Cybersecurity Risk in Complex Organizations, University of Maryland, Executive Cybersecurity Summit, College Park, MD, April 5, 2019. (Invited)
• [P99]        Privacy and Data Use in the Financial Sector, Law & Economics Center’s Ninth Annual Financial Services Symposium, George Mason University, April 3, 2019. (Invited)
• [P98]        Economics of Information Security, Consumer Payments & Finance Academy, George Mason University, April 2, 2019. (Invited)
• [P97]        Idea Exchange, University of Calgary, Washington, D.C., March 27, 2019. (Invited)
• [P96]        Hearings on Competition and Consumer Protection, Federal Trade Commission, Washington, DC, December 11-12, 2018. (Invited)
• [P95]        International Policy Conference on Vulnerability Management, Brussels, Belgium, December 5, 2018. (Invited)
• [P94]        Private Sector Attribution of Cyber Incidents, U.S. Department of Defense, Office of the Secretary of Defense for Cyber Policy (DoD OSD), Washington, D.C., November 08, 2018.
• [P93]        Private Sector Attribution of Cyber Incidents, U.S. Secret Service, Electronic Crimes Task Force, Washington, D.C., October 11, 2018
• [P92]        Building Common Approaches for Cybersecurity and Privacy in a Globalized World Transatlantic Conference NYU Center For Cybersecurity & Humboldt Institute for Internet and Society NY, New York, October 1-3, 2018. (Invited)
• [P91]        Content Analysis of Cyber Insurance, Armed Forces Communications & Electronics Association (AFCEA), Fairfax, VA, September 11, 2018. (Invited)
• [P90]        Using Economic Incentives to Find Security Flaws: Bug Bounties, Sixth Annual Public Policy Symposium on the Law & Economics of Privacy and Data Security, George Mason University, June 1, 2018, (Panel Moderator).
• [P89]         Panel Discussant Program on Economics & Privacy, 3rd Annual Digital Information Policy Scholars Conference, George Mason University Antonin Scalia Law School, April 26-27, 2018. (Invited)
• [P88]        Panel Discussant on cyber security and cyber insurance, FICO World 2018, Miami Beach, April 16 – 19, 2018. (Invited)
• [P87]        Improving the Vulnerability Equities Process, U.S. Department of Defense, Office of the Secretary of Defense for Cyber Policy (DoD OSD), Washington, D.C., April 5, 2018. (Invited)
• [P86]        Researching Cyber security in the private sector, non-profit, and federal government,  discussion for the Government and Policy Speakers Series, the University of Nebraska College of Law, April 2, 2018. (Invited)
• [P87]        Research Opportunities in Think Tanks, PUBP 850 Professional Development Seminar, Schar School of Policy and Government, George Mason University, March 22, 2018. (Invited)
• [P85]        How do cyber insurance carriers price cyber risk?, PrivacyCon, Federal Trade Commission, Washington DC, February 28, 2018.
• [P84] TIPS D&O Insurance Cyber Liability Forum, New York City, New York, January 30, 2018. (Invited)
• [P83] Systemic Risk and Cyber Insurance Working Roundtable, Hosted by the EastWest Institute, Marsh & McLennan and Microsoft, Washington D.C, January 17, 2017. (Invited)
• [P82] How do Insurance Carriers Price Cyber Risk? Financial Information Systems and Cybersecurity: A Public Policy Perspective, University of Maryland, January 10, 2018. (Invited)
• [P81] Economics & Privacy's Research Roundtable for Privacy Fellows (Discussant), Economics & Privacy's Research Roundtable for Privacy Fellows, George Mason University, Arlington, VA, December 14-15, 2017. (Invited)
• [P80] Multi-Stakeholder Roundtable on Cybercrime, National Governors Association, Fairfax County Police Department Headquarters, Fairfax, VA, December 11, 2017. (Invited)
• [P79] Cyber Insurance, Tenth Annual Microeconomics Conference, Federal Trade Commission, Washington, DC. November 2-3, 2017. (Invited)
• [P78] Content Analysis of Cyber Insurance, RAND Institute of Civil Justice Board Meeting, October 31, 2017. (Invited)
• [P77] Pricing Cyber Risks, Cybersecurity and Privacy Law Center, Albany Law School, Albany, NY, October 19-20, 2017. (Invited)
• [P76] Content Analysis of Cyber Insurance, TPRC, George Mason University, Arlington, VA, Sept 8, 2017.
• [P75] Cyber Collateral Damage, NSA Information Assurance Symposium, Baltimore, MD, June 21, 2017.
• [P74] Managing DoD's Vulnerability Disclosure Program, NSA Information Assurance Symposium, Baltimore, MD, June 21, 2017.
• [P73] Private Sector Attribution of Cyber Incidents, NSA Information Assurance Symposium, Baltimore, MD, June 21, 2017.
• [P72] Cyber Costs and Cyber Insurance, Forum of the Future, Toronto, Canada, June 5, 2017. (Invited)
• [P71] Data Breaches and Privacy (Panel Discussant), Eleventh Annual Judicial Symposium on Civil Justice Issues, George Mason University, Arlington, VA, May 23, 2017. (Invited)
• [P70] Research Opportunities in Think Tanks, PUBP 850 Professional Development Seminar, Schar School of Policy and Government, George Mason University, April 6, 2017.
• [P69] Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?, 2nd Annual Digital Information Policy Scholars Conference, George Mason University, Arlington, VA, April, 28, 2017.
• [P68] The Cyber LOAC Hackathon, Hoover Institution Johnson Center in Washington, Washington DC, November 11, 2016. (Invited)
• [P67] Cyber Collateral Damage, Legal and Policy Dimensions of Cybersecurity, George Washington University School of Media and Public Affairs, Washington, DC., September 28-29, 2016. (Invited)
• [P66] Emerging Policy Tools in Cybersecurity (panel discussant), The New America Foundation, October 28, 2016. (Invited)
• [P65] TPRC (moderator), George Mason University, Washington, DC, October 1, 2016. (Invited)
• [P64] Legal and Policy Dimensions of Cybersecurity, George Washington University, Washington, DC, September 27-29, 2016.
• [P63] RAND Policy Circle Conversation Series: CMEPP/Citi Private Bank, Cyber Threats and Data Breaches, Santa Monica, CA, September 19, 2016. (Invited)
• [P62] Fourth Annual LEC Public Policy Conference on the Law & Economics of Privacy and Data Security, George Mason University, Arlington, VA, June 22-23, 2016.
• [P61] RAND Center for Catastrophic Risk Management and Compensation Board Meeting, Washington, DC, June 23, 2016. (Invited)
• [P60] Systemic Risk and Aggregation Modeling, NetDiligence Cyber Risk Forum, Wednesday, Philadelphia, PA, June 8, 2016. (Invited)
• [P59] RAND Center for Corporate Ethics and Governance Board Meeting, New York, NY, May 17, 2016. (Invited)
• [P58] Costs and Consequences of Cyber Incidents, Digital Information Policy Scholars Conference, George Mason University, Arlington, VA, April 29, 2016.
• [P57] Justice Infrastructure and Environment Board Meeting, RAND Corporation, Santa Monica, CA, April 21, 2016. (Invited)
• [P56] Quantifying Cyber Risk, Center on Law and Security, New York University, New York, NY, April 6, 2016. (Invited)
• [P55] Kogod Cybersecurity Governance Center, American University, Washington DC, March 28, 2016. (Invited)
• [P54] Conference Board of Canada's Cyber Security Centre, Ottawa, Canada, March 23, 2016. (Invited)
• [P53] Technological Disruptions of Societies and Organizations: Communications Networks, Computational Trust, Reputation, Anonymity, and Beyond, ISAT/DARPA, Arlington, VA, March 14-15, 2016. (Invited)
• [P52] DHS Science and Technology Cyber Security Division R&D Showcase, Washington DC, February 18, 2016. (Invited)
• [P51] Costs and Consequences of Cyber Incidents, PrivacyCon, Federal Trade Commission, Washington DC, January 14, 2016.
• [P50] Financial Information Systems and Cybersecurity: A Public Policy Perspective, University of Maryland, January 13, 2016. (Invited)
• [P49] Workshop on Data Breach Recovery for Individuals and Institutions, National Academies of Sciences, Washington DC, January 12, 2016. (Invited)
• [P48] Internet and Computer Law, American Association of Law Schools, New York, NY, January 9, 2016. (Invited)
• [P47] Catalyzing Privacy by Design: Frontiers in Regulation and Management, Georgetown Law Center, Washington DC, January 6, 2016. (Invited)
• [P46] Costs and Consequences of Cyber Incidents, Law & Economics Privacy Fellows Research Roundtable, George Mason University, Arlington, VA, December, 10-11, 2015.
• [P45] RAND Board of Trustee Meeting, Santa Monica, CA, November 11, 2015. (Invited)
• [P44] RAND Institute of Civil Justice Board Meeting, Washington DC, October 23, 2015. (Invited)
• [P43] RAND Center for Catastrophic Risk Management and Compensation Board Meeting, Washington, DC, June 23, 2015. (Invited)
• [P42] RAND Center for Corporate Ethics and Governance board meeting, New York, NY, May 21, 2015. (Invited)
• [P41] Cyber Crime: Creating Roadmap to Effective Cyber Legislation, New America Foundation, Washington, DC, May 14, 2015.
• [P40] U.S. Department of Justice, Global Justice Information Sharing Initiative, Advisory Committee (GAC) Meeting, Washington, DC, January 27, 2015. (Invited)
• [P39] Cybersecurity Forum for Independent and Executive Branch Agencies: Study on Proactive Cybersecurity Risk Management, Federal Communication Commission, Washington, DC, January 27, 2015. (Invited)
• [P38] LEC Research Roundtable for Economists on the Law & Economics of Privacy & Data Security, Discussant, George Mason University, Arlington, VA, January 22-23, 2015. (Invited)
• [P37] Cybersecurity Forum, Study on Proactive Cybersecurity Risk Management, Federal Communications Commission, Washington DC, January 27, 2015. (Invited)
• [P36] Invited Speaker, RAND Center for Corporate Ethics and Governance Board Meeting, New York, November 5, 2014. (Invited)
• [P35] Invited Speaker, German-US cybersecurity Dialog, Incentives and Public-Private Collaboration for Cybersecurity, George Washington University, October 17, 2014. (Invited)
• [P34] Public Disclosure of Data Breaches: Optimizing Ex Ante And Ex Post Security Investments, Law and Economics of Data Security Policy, George Mason University, Arlington, VA, March 7, 2014.
• [P33] Research Roundtable on the Future of Privacy and Data Regulation, Law & Economics Center, George Mason University, March 7, 2014. (Invited)
• [P32] Incentives to Adopt Improved Cybersecurity Practices, Tenth Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, Smith School of Business, University of Maryland, January 8, 2014. (Invited)
• [P31] Law and Economics of Data Security Policy, Law and Economics Center, George Mason University School of Law, December 12, 2013. (Invited)
• [P30] From Here to Secure: Market Drivers and the Cybersecurity Framework, Center for Business and Public Policy, Georgetown University, December 4, 2013. (Invited)
• [P29] International Association of Privacy Professionals (IAPP) Practical Privacy Series. New York, NY, November 6, 2013. (Invited)
• [P28] The Dr. Jekyll and Dr. Hyde of Health IT:Does Health IT Increase Medical Billing Fraud?, INFORMS Healthcare Conference, Chicago, IL, June 23-26, 2013.
• [P27] Public Policy Conference on the Law & Economics of Privacy and Data Security, Law and Economics Center, George Mason University School of Law, June 19, 2013. (Invited)
• [P26] The Incentives and Regulation of Cybersecurity, Center for Business and Public Policy (CBPP), Georgetown University, June 13, 2013. (Invited)
• [P25] Battling Big Brother, Personal Democracy Forum, New York, NY, June 6-7, 2013. (Invited)
• [P24] Cybersecurity Insurance Roundtable, Defining the Pillars of an Effective Cyber Risk Culture, Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD), May 13, 2013. (Invited)
• [P23] Law and Economics of Privacy, George Mason University School of Law, December 12, 2012. (Invited)
• [P22] Empirical Analysis of Data Breach Litigation, Canadian Law and Economics Association, University of Toronto, Canada, September 28-29, 2012.
• [P21] Cybersecurity Insurance Workshop, “Defining Challenges to Today’s Cybersecurity Insurance Market,” Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD), October 22, 2012. (Invited)
• [P20] Measuring and Modeling Security and Privacy Laws. Economics Research Working Group Meeting, Microsoft Research New England Lab, Cambridge, MA, October 19-21, 2011 (Gratis Visitor). (Invited)
• [P19] Empirical Analysis of Data Breach Litigation, 39th Research Conference on Communication, Information and Internet Policy (Telecommunications Policy Research Conference), George Mason University Law School, Arlington, VA, September 23-25, 2011.
• [P18] Empirical Analysis of Data Breach Litigation, Fourth Annual Privacy Law Scholars Conference (PLSC), Berkeley, CA, June 2-3, 2011.
• [P17] Data Breaches and Identity Theft: When is Disclosure Optimal?, iConference, Seattle, WA, February 8-11, 2011.
• [P16] Empirical Analysis of Data Breach Litigation, Seventh Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, University of Maryland, College Park, MD, January 19, 2011.
• [P15] Data Breaches and Identity Theft: When is Disclosure Optimal?, Telecommunications Policy Research Conference (TPRC), George Mason University School of Law, Arlington, VA, September 23-25, 2010.
• [P14] Security Economics. Annual Computer Security Applications Conference (ACSAC), Austin, TX, December 5-9, 2010. (Invited)
• [P13] Data Breaches and Identity Theft: When is Disclosure Optimal?, Sixth Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, University of Maryland, College Park, MD, October 28, 2009.
• [P12] Data Breaches and Identity Theft: When is Disclosure Optimal?, Institute for Operations Research and the Management Sciences (INFORMS), San Diego, CA, October 12, 2009.
• [P11] Privacy Costs and Personal Data Protection: The Economic and Legal Perspectives. Security Breach Notification Six Years Later, University of California Berkeley, Center for Law and Technology, Berkeley, CA, March 9, 2009. (Invited)
• [P10] Using Regulation and Liability to Prevent Data Breaches, Information Systems Security Association, Pittsburgh, PA, January, 2009. (Invited)
• [P9] Do Data Breach Disclosure Laws Reduce Identity Theft? Electronic Health and Information & Privacy Conference, Ottawa, Canada, November 3, 2008. (Invited)
• [P8] The Common Vulnerability Scoring System (CVSS), CyLab, Carnegie Mellon University, November, 2008.
• [P7] The Common Vulnerability Scoring System (CVSS), Institute of Infrastructure Protection (I3P), Cornell University, October, 2008.
• [P6] Do Data Breach Disclosure Laws Reduce Identity Theft?, Fifth Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, University of Maryland, College Park, MD, May, 2008.
• [P5] Do Data Breach Disclosure Laws Reduce Identity Theft? Information Systems Security Association, Pittsburgh, PA, January, 2008. (Invited)
• [P4] Do Data Breach Disclosure Laws Reduce Identity Theft?, Workshop on Information Systems Economics (WISE), McGill University, Montreal, Canada, December, 2007.
• [P3] Managing and Auditing IT Vulnerabilities. The Institute of Internal Auditors Information Technology Conference, Scottsdale, AZ, April 2007.
• [P2] Managing and Auditing IT Vulnerabilities, Information Systems Security Association, Pittsburgh, PA, January, 2007. (Invited)
• [P1] The Common Vulnerability Scoring System (CVSS), Information Systems Security Association, Pittsburgh, PA, January, 2006. (Invited)

Industry Projects

Exploit Prediction Scoring System (EPSS)
I am one of the creators of EPSS, an emerging standard for predicting when software vulnerabilities will be exploited. EPSS is an open, volunteer, and entirely data-driven effort. Our goal is to assist network defenders to better prioritize vulnerability remediation efforts. While other industry standards have been useful for capturing innate characteristics of a vulnerability and provide measures of severity, they are limited in their ability to assess threat. EPSS fills that gap because it uses current threat information from CVE and real-world exploit data. The EPSS model produces a probability score between 0 and 1 (0 and 100%). Visit https://www.first.org/epss/ for more information.

This figure plots CVSS and EPSS scores for a sample of vulnerabilities. First, observe how most vulnerabilities are concentrated near the bottom of the plot, and only a small percent of vulnerabilities have EPSS scores above 50% (0.5). While there is some correlation between EPSS and CVSS scores, overall, this plot provides suggestive evidence that attackers are not only targeting vulnerabilities that produce the greatest impact, or are necessarily easier to exploit (such as for example, an unauthenticated remote code execution). This is an important finding because it refutes a common assumption that attackers are only looking for — and using — the most severe vulnerabilities. And so, how then can a network defender choose among these vulnerabilities when deciding what to patch first? CVSS is a useful tool for capturing the fundamental properties of a vulnerability, but it needs to be used in combination with data-driven threat information, like EPSS, in order to better prioritize vulnerability remediation efforts.

The figure shows actual exploit observations for a sample of vulnerabilities. Each row represents a separate vulnerability (CVE), while each blue line represents an observed exploit. The red dots represent the time of public disclosure of the CVE. (Note that we are not tracking whether these exploits are successful or not.) While it is difficult to draw conclusive insights from these behaviors, we can comment on general characteristics. First, simply viewing these data is interesting because they provide a novel view into real-world exploit behavior. Indeed, it is exceedingly rare to see these kinds of data publicly available, and we are fortunate to be able to share them with you. It is also thought-provoking to examine and consider the different kinds of exploit patterns, such as:

• Duration: Some vulnerabilities are exploited over a short period of time (days, weeks), while others are exploited over much longer periods of time (years). For example, some vulnerabilities in this sample have been exploited for nearly the full time window of 3 years.
• Density (intensity, prevalence): Some vulnerabilities are exploited many times during their overall duration, while others are only exploited a few times. For example, notice how exploits for some vulnerabilities occur repeatedly throughout the lifespan of the exploit, while for other vulnerabilities, there are long periods of inactivity. In addition, some vulnerabilities seem to be exploited nearly continuously (one at the bottom) and therefore appear as almost a solid blue line.
• Fragmentation: In addition to the number of times a vulnerability is exploited within its duration (i.e. density), we may also be interested in the fragmentation of exploit behavior. That is, the measure of consistent exploitation day after day, versus exploitation followed by periods of inactivity.
• Time to first exploit (delay): From the data we collect, some vulnerabilities are exploited almost immediately upon public disclosure, while for other vulnerabilities, there is a much longer delay until first observed exploit. And indeed, this figure shows a number of vulnerabilities that are exploited before public disclosure. (Given the many factors involved in CVE disclosures, we make no comment on whether or not these are proper zero day vulnerabilities.) For example, some vulnerabilities in this sample are exploited immediately, while others take 6 months or more to be exploited.
• Co-exploitation: Some vulnerabilities appear to be exploited at the same time as others. This kind of co-exploitation may be suggestive of vulnerability chaining, the practice of using multiple, successive exploits in order to compromise a target.

Common Vulnerability Scoring System (CVSS)
I am one of the original authors of CVSS, and have been working on it since 2003. Please see FIRST.ORG for a full description of the current standard.

Currently, corporate IT management must identify and assess vulnerabilities for many disparate hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored differently across vendors, how can IT managers convert this mountain of vulnerability data into actionable information? The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue. It offers the following benefits:

• Standardized Vulnerability Scores: When an organization normalizes vulnerability scores across all their software and hardware platforms, they can leverage a single vulnerability policy to address each of them. This policy may be similar to a service level agreement (SLA) that states how quickly a particular vulnerability must be validated and remediated.
• Prioritized Risk: When the final score is computed, the vulnerability now becomes contextual. That is, vulnerability scores are now representative of the actual risk to an organization. They know how important, in relation to other vulnerabilities, is a given vulnerability.
• Open framework: Users can be confused when a vulnerability is given a certain score. What properties gave it that score? How does it differ from this other one, or why is it not the same? With CVSS, anyone can view the exact metric values that were used to formulate the overall score.

CVSS is part of the Payment Card Industry Data Security Standard (PCI-DSS), NIST's SCAP Project, and has been formally adopted as an international standard for scoring vulnerabilities (ITU-T X.1521).



Vulnerability Management

IT organizations consume great resources in identifying and remediating computer vulnerabilities. Compound this with the reality that the group finding the vulnerabilities is generally not the group fixing them. This results in a resource-intensive and sometimes adversarial organizational dynamic. Managing and Auditing IT Vulnerabilities is the 6th in a series of Global Technology Audit Guides (GTAGs) published by the Institute of Internal Auditors (the IIA). We discuss the steps of first identifying, assessing then prioritizing computer vulnerabilities. We differentiate many of the characteristics of low- with high-performing vulnerability management organizations and we include a number of metrics than an organization can use to establish a datum and track their progress. We recognize that immediate benefits are achieved by remediating individual, yet critical vulnerabilities. However, as shown in the diagram, effective vulnerability management means integrating and aligning IT Security with the organization's existing IT management processes (e.g. within an ITIL framework).

Security Patterns
Patterns are a beautiful way of organizing and formalizing proven solutions to reoccurring problems. They were developed by Christopher Alexander in the 1970’s. Alexander observed and documented the relationships that existed between things: objects, spaces, light, people, passages, and moods. From this work emerged architectural patterns and pattern languages. This methodology was later adapted to Object Oriented (OO) programming and then Information Security. A couple of important points about patterns (especially if you ever consider writing some):

• They are very hard to write well. A “great idea” is not a pattern
• Patterns don’t represent “new” work (the way most papers do)
• They codify existing knowledge to help novices implement good solutions
• They are structured according to the 3 Part Rule
  • Context: describes the general conditions under which the problem occurs
  • Problem: describes the problem that repeatedly occurs and the forces that exist within the context. Forces may complement or contradict one another
  • Solution: shows how to best solve the reoccurring problem, or better, how to balance the forces associated with the problem

Visit Markus Schumacher's site or hillside.net for more information on security patterns.