Sasha Romanosky, PhD
A passion for research



I research topics on the economics of security and privacy, cyber crime, cyber insurance, and national security. I am a Senior Policy Researcher at the RAND Corporation, a faculty member of the Pardee RAND Graduate School, and an affiliated faculty in the Program on Economics & Privacy at the Antonin Scalia Law School, George Mason University. My research has appeared in journals such as the Journal of Policy Analysis and Management, the Journal of Empirical Legal Studies, the Journal of Cybersecurity, the Journal of National Security Law and Policy, the Berkeley Technology Law Journal, International Journal of Intelligence and CounterIntelligence, and ACM's Digital Threats: Research and Practice (DTRAP).

I earned a Ph.D. in Public Policy and Management from Carnegie Mellon University and a B.S. in Electrical Engineering from the University of Calgary, Canada. I was a Microsoft research fellow in the Information Law Institute at New York University School of Law, and a security professional for over 10 years in the financial and e-commerce industries. In addition, I am one of the original authors of the Common Vulnerability Scoring System (CVSS), an international standard for scoring computer vulnerabilities, and a co-creator of the Exploit Prediction Scoring System (EPSS), an emerging standard for estimating the probability that a vulnerability will be exploited in the wild.

It was my pleasure and honor to serve as a Cyber Policy Advisor in the Office of the Secretary of Defense for Policy (OSDP) at the Pentagon, where I oversaw the Defense Department's Vulnerability Equities Process (VEP), the Vulnerability Disclosure Program (VDP), and other cyber policy matters, for which I received the Defense Medal for Exceptional Public Service.

I can be reached at sasha.romanosky [at]

Academic Research

My research is motivated by the surge in social media, cloud computing, and mobile services that is fuelling the unprecedented collection, use and sale of personal consumer information. These opportunities for the use of big data afford many benefits to firms, consumers, and government agencies. However, individuals can be harmed when their personal information is lost, stolen, or improperly accessed.

In addition to commercial purposes, individual data are used for many kinds of public sector applications such as law enforcement and national security. These surveillance data, whether collected from drones, CCTVs, license plate readers, or other sources, represent an unprecedented opportunity to detect -- and prevent -- malicious activity.

The critical tension, therefore, is in balancing corporate interests, individual privacy rights, law enforcement, and national security. While there are legitimate reasons for limiting the collection, use, or sharing of personal information, excessive restrictions can be inefficient. For example, limiting the types of data that firms can collect may enhance consumer privacy, but may reduce a firm's ability to innovate. Restricting access to medical information may reduce medical fraud, but it may also inhibit important medical research or the ability to identify disease outbreaks. Limiting access to location or cloud-based data may hinder the government's ability to investigate serious crimes.

How is consumer data regulated today?
The management of personal consumer information is regulated by many disparate state and federal laws. On one hand, states may prohibit the selling, sharing or public disclosure of personal information. For example, some states specifically prevent the sale of driver tollbooth information, while other states prevent the collection or public notice of social security, zip code, and social media account information. On the other hand, some state laws allow, or even require, the disclosure of personal information. For example, most states require that companies notify individuals when their personal information has been lost or stolen, while others require consumer notice if a company collects personal information with the intent to sell it.

But what is the full landscape of state and federal information laws? How can firms continue to innovate despite increasing data restrictions? Do these laws work as intended, or do they introduce perverse outcomes? What consequences and benefits exist for protecting critical infrastructure, and how can these effects be empirically measured?

How do Information Policies work, and how do they reduce externalities?
Legislators often consider a number of alternative policy interventions to help reduce externalities caused by the unauthorized disclosure or collection of information, such as ex ante safety regulation (mandated standards), information disclosure, and ex post liability. Ex ante regulation is often a heavy-handed prevention mechanism that enforces a minimum standard of care. However, its effectiveness is hampered when the regulated inputs are only loosely correlated with the harmful outputs. Disclosure, on the other hand, can be a corrective mechanism that empowers individuals to avoid potential harms. However, cognitive biases may instead burden individuals, preventing them from acting. Finally, ex post liability allows victims to recover any losses through civil litigation, thereby forcing firms to internalize any harm.

But are these interventions effective? How do they drive firm and consumer behaviors, and how do they affect overall social costs?

These issues present many wonderful opportunities for rigorous empirical and inter-disciplinary research in security and privacy, information policy, applied microeconomics, and law & economics.


Journal and Peer Reviewed Publications

Working Papers and Papers in Review

Book Publications

Industry Publications and Op-Eds

Refereed and Peer-Reviewed Conferences

Conference and Workshop Presentations, and Panel Discussant

Industry Projects

Exploit Prediction Scoring System (EPSS)
I am one of the creators of EPSS, an emerging standard for predicting when software vulnerabilities will be exploited. EPSS is an open, volunteer, and entirely data-driven effort. Our goal is to help network defenders better prioritize vulnerability remediation efforts. While other industry standards have been useful for capturing the innate characteristics of a vulnerability and providing measures of severity, they are limited in their ability to assess threat. EPSS fills that gap because it uses current threat information from CVE and real-world exploit data. The EPSS model produces a probability score between 0 and 1 (0% to 100%). Visit for more information.

This figure plots CVSS and EPSS scores for a sample of vulnerabilities. First, observe how most vulnerabilities are concentrated near the bottom of the plot, and only a small percentage of vulnerabilities have EPSS scores above 50% (0.5). While there is some correlation between EPSS and CVSS scores, overall this plot provides suggestive evidence that attackers are not only targeting the vulnerabilities that produce the greatest impact, nor necessarily those that are easier to exploit (for example, an unauthenticated remote code execution). This is an important finding because it refutes a common assumption that attackers are only looking for, and using, the most severe vulnerabilities. How, then, can a network defender choose among these vulnerabilities when deciding what to patch first? CVSS is a useful tool for capturing the fundamental properties of a vulnerability, but it needs to be used in combination with data-driven threat information, like EPSS, in order to better prioritize vulnerability remediation efforts.
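To make the prioritization argument of the two paragraphs above concrete, here is an added example (not code from this page or from the EPSS project) that ranks a constructed sample of vulnerabilities two ways: by CVSS severity alone, and by EPSS probability with CVSS as a tie-breaker. The sample values and the combination rule are assumptions for illustration only; EPSS publishes no such ranking rule.

```python
# Added example, not part of the original page or the EPSS project's code.
# Ranks a constructed sample by EPSS probability (CVSS base score as the
# tie-breaker) and compares that order with a CVSS-only order.
# The combination rule and all sample values are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str      # constructed placeholder id, not a real CVE identifier
    cvss: float   # CVSS base score, 0.0 to 10.0
    epss: float   # EPSS probability of exploitation, 0.0 to 1.0


# Constructed sample: most EPSS values sit near the bottom, as in the figure,
# and the two highest-severity entries differ widely in exploit probability.
SAMPLE = [
    Vuln("V1", 9.8, 0.02),
    Vuln("V2", 9.8, 0.91),
    Vuln("V3", 7.5, 0.67),
    Vuln("V4", 5.3, 0.01),
    Vuln("V5", 8.8, 0.04),
    Vuln("V6", 6.1, 0.03),
]


def share_above(vulns, threshold=0.5):
    """Fraction of vulnerabilities whose EPSS score exceeds the threshold."""
    if not vulns:
        return 0.0
    return sum(1 for v in vulns if v.epss > threshold) / len(vulns)


def rank_by_cvss(vulns):
    """Severity-only order: CVSS descending, id as a stable tie-breaker."""
    return [v.vid for v in sorted(vulns, key=lambda v: (-v.cvss, v.vid))]


def rank_by_epss_then_cvss(vulns):
    """Threat-informed order (assumed rule): EPSS descending, then CVSS."""
    return [v.vid for v in sorted(vulns, key=lambda v: (-v.epss, -v.cvss, v.vid))]


def patch_first(vulns, n=2):
    """The n vulnerabilities to remediate first under the threat-informed order."""
    return rank_by_epss_then_cvss(vulns)[:n]


if __name__ == "__main__":
    print(f"share with EPSS > 0.5: {share_above(SAMPLE):.2f}")
    print("CVSS-only order:      ", rank_by_cvss(SAMPLE))
    print("EPSS-then-CVSS order: ", rank_by_epss_then_cvss(SAMPLE))
```

In the sample, V1 and V2 tie on CVSS at 9.8, yet the threat-informed order puts V3 (CVSS 7.5, EPSS 0.67) ahead of V1 (EPSS 0.02), which is the point the figure makes.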

The figure shows actual exploit observations for a sample of vulnerabilities. Each row represents a separate vulnerability (CVE), while each blue line represents an observed exploit. The red dots represent the time of public disclosure of the CVE. (Note that we are not tracking whether these exploits are successful or not.) While it is difficult to draw conclusive insights from these behaviors, we can comment on general characteristics. First, simply viewing these data is interesting because they provide a novel view into real-world exploit behavior. Indeed, it is exceedingly rare to see these kinds of data publicly available, and we are fortunate to be able to share them with you. It is also thought-provoking to examine and consider the different kinds of exploit patterns, such as:

Common Vulnerability Scoring System (CVSS)
I am one of the original authors of CVSS, and have been working on it since 2003. Please see FIRST.ORG for a full description of the current standard.

Currently, corporate IT management must identify and assess vulnerabilities for many disparate hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored differently across vendors, how can IT managers convert this mountain of vulnerability data into actionable information? The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue. It offers the following benefits:

CVSS is part of the Payment Card Industry Data Security Standard (PCI DSS) and NIST's SCAP project, and has been formally adopted as an international standard for scoring vulnerabilities (ITU-T X.1521).

Vulnerability Management

IT organizations consume great resources in identifying and remediating computer vulnerabilities. Compound this with the reality that the group finding the vulnerabilities is generally not the group fixing them. This results in a resource-intensive and sometimes adversarial organizational dynamic.

Managing and Auditing IT Vulnerabilities is the 6th in a series of Global Technology Audit Guides (GTAGs) published by the Institute of Internal Auditors (the IIA). We discuss the steps of first identifying, then assessing, and finally prioritizing computer vulnerabilities. We differentiate many of the characteristics of low-performing from high-performing vulnerability management organizations, and we include a number of metrics that an organization can use to establish a baseline and track its progress.

We recognize that immediate benefits are achieved by remediating individual, yet critical vulnerabilities. However, as shown in the diagram, effective vulnerability management means integrating and aligning IT Security with the organization's existing IT management processes (e.g. within an ITIL framework).

Security Patterns
Patterns are a beautiful way of organizing and formalizing proven solutions to recurring problems. They were developed by Christopher Alexander in the 1970s. Alexander observed and documented the relationships that existed between things: objects, spaces, light, people, passages, and moods. From this work emerged architectural patterns and pattern languages. This methodology was later adapted to Object Oriented (OO) programming and then to Information Security. A couple of important points about patterns (especially if you ever consider writing some):

Visit Markus Schumacher's site or for more information on security patterns.
