romanosky dot net

	Sasha Romanosky, PhD A passion for research Publications \| Presentations \| Industry Projects \| Biography Greetings! My research interests include the economics of security and privacy, cybercrime, national security, applied microeconomics, and law & economics. I am a policy researcher at the RAND Corporation. I obtained my PhD from the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, advised by Alessandro Acquisti. I can be reached at sasha.romanosky [at] gmail.com.

Academic Research

My research is motivated by the surge in social media, cloud computing, and mobile services that is fuelling the unprecedented collection, use and sale of personal consumer information. These opportunities for use of big data afford many benefits to firms, consumers, and government agencies. However individuals can be harmed when their personal information is lost, stolen, or improperly accessed.

In addition to commercial purposes, individual data are used for many kinds of public sector applications such as law enforcement and national security. These surveillance data, whether collected from drones, CCTVs, license plate readers, or other sources, represent an unprecedented opportunity to detect -- and prevent -- malicious activity.

The critical tension, therefore, is in balancing corporate interests, individual privacy rights, law enforcement, and national security. While there are legitimate reasons for limiting the collection, use, or sharing of personal information, excessive restrictions can be inefficient. For example, limiting the types of data that firms can collect may enhance consumer privacy, but may reduce a firm's ability to innovate. Restricted access to medical information may reduce medical fraud, but it may also inhibit important medical research or identify disease outbreaks. Limiting access to location or cloud-based data may hinder the government's ability to investigate serious crimes.

How is consumer data regulated today?
The management of personal consumer information is regulated by many disparate state and federal laws. On one hand, states may prohibit the selling, sharing or public disclosure of personal information. For example, some states specifically prevent the sale of driver tollbooth information, while other states prevent the collection or public notice of social security, zip code, and social media account information. On the other hand, state laws allow, or require, the disclosure of personal information. For example, most states require that companies notify individuals when their personal information has been lost or stolen, while others require consumer notice if a company collects your information with intent to sell it.

But what is the full landscape of state and federal information laws? How can firms continue to innovate despite increasing data restrictions? Do these laws work as intended, or do they introduce perverse outcomes? What consequences and benefits exist for protecting critical infrastructure, and how can these effects be empirically measured?

How do Information Policies work, and how do they reduce externalities?
Legislators often consider a number of alternative policy interventions to help reduce externalities caused by the unauthorized disclosure or collection of information, such as ex ante safety regulation (mandated standards), information disclosure, and ex post liability. Ex ante regulation is often a heavy-handed prevention mechanism that enforces a minimum standard of care. However, its effectiveness is hampered when the regulated inputs are only loosely correlated with the harmful outputs. Disclosure, on the other hand, can be a corrective mechanism that empowers individuals to avoid potential harms. However, cognitive biases may instead burden individuals, preventing them from acting. Finally, ex post liability allows victims to recover any losses through civil litigation, thereby forcing firms to internalize any harm.

But are these interventions effective? How do they drive firm and consumer behaviors, and how do they affect overall social costs?

These issues present many wonderful opportunities for rigorous empirical and inter-disciplinary research in security and privacy, information policy, applied microeconomics, and law & economics.

Publications

Journal and Peer Reviewed Publications

[J5] Ablon, L., Heaton, P., Lavery, D., Romanosky, S., Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information, RAND Corporation, RR-1187-ICJ, 2016.
[J4] Romanosky, S., Libicki, M., Winkelman, Z., Tkacheva, O, Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals, RAND Corporation (RR-1151-DOS), 2015
[J3] Romanosky, S., Hoffman, D., and Acquisti, A. (2014). Empirical Analysis of Data Breach Litigation. Journal of Empirical Legal Studies, 11(1), 74–104.
[J2] Romanosky, S., Telang, R. & Acquisti, A. (2011). Do Data Breach Disclosure Laws Reduce Identity Theft? Journal of Policy Analysis and Management, 30(2), 256-286.
[J1] Romanosky, S. & Acquisti, A. (2009). Privacy Costs and Personal Data Protection: The Economic and Legal Perspectives. Berkeley Technology Law Journal, 24(3).

Working Papers and Papers in Review

[WP5] Understanding Cyber Collateral Damage, with Zachary Goldman.
[WP4] Breach Notification Laws - Policy and Practice, with Trey Herr, (in review).
[WP3] Cost and Consequences of Cyber Incidents, (in review).
[WP2] Health Provider incentives and the value of EMR: Evidence of EMR increasing outpatient charges, with Idris Adjerid and Ellerie Weber.
[WP1] Is an ounce of prevention worth a pound of cure?: Balancing ex ante security with ex post mitigation, with Veronica Marotta, Richard Sharp, and Alessandro Acquisti.

Refereed Conference Proceedings

[CP10] Provider incentives and the value of EMR: Evidence of hospitals using EMR to increase outpatient charges, 5th Annual Workshop on Health IT and Economics (WHITE), October 10-11, Washington DC.
[CP9] Romanosky, S., Hoffman, D. & Acquisti, A. Empirical Analysis of Data Breach Litigation, iConference, College of Information, University of North Texas, Feb 12-15, 2013.
[CP8] Romanosky, S., Hoffman, D. & Acquisti, A. Empirical Analysis of Data Breach Litigation, 11th Workshop on the Economics of Information Security (WEIS), Berlin Brandenburg Academy of Sciences, Berlin, Germany, June 25-26, 2012.
[CP7] Romanosky, S., Hoffman, D. & Acquisti, A. Empirical Analysis of Data Breach Litigation, International Conference on Information Systems (ICIS), Shanghai, China, December 4-7, 2011.
[CP6] Romanosky, S., Hoffman, D. & Acquisti, A. Empirical Analysis of Data Breach Litigation, Fifth Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection (IFIP), Dartmouth College Hanover, NH, March 23–25, 2011.
[CP5] Romanosky, S., Sharp, A. & Acquisti, A. Data Breaches and Identity Theft: When is Disclosure Optimal?, 9th Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA, June 8, 2010.
[CP4] Romanosky, S., Telang, R. & Acquisti, A. Do Data Breach Disclosure Laws Reduce Identity Theft?, Conference on Empirical Legal Studies (CELS), Yale University, New Haven, CT, November 5-6, 2010.
[CP3] Romanosky, S., Telang, R. & Acquisti, A. Do Data Breach Disclosure Laws Reduce Identity Theft?, 7th Workshop on the Economics of Information Security (WEIS), Dartmouth College, Hanover, NH, June 25-28, 2008.
[CP2] Kuo, C., Romanosky, S. & Cranor, L. F. (2006). Human Selection of Mnemonic Phrase-based Passwords. Proceedings of the 2006 Symposium on Usable Privacy and Security (SOUPS), Carnegie Mellon University, Pittsburgh, PA, July 12-14, 2006.
[CP1] Romanosky, S., Acquisti, A., Cranor, L. F., Hong, J. & Friedman, B. (2006). Privacy Patterns for online interactions. Proceedings of the 2006 Conference on Pattern Languages of Program, Portland, OR, October 21-23, 2006.

Book Publications

[B2] Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P. (eds). (2006). Security Patterns: Integrating Security and Systems Engineering. Wiley & Sons, p 101-141, 164-176.
[B1] Juric, M., Nashi, N., Berry, C., Kunnumpurath, M., Carnell, J., & Romanosky, S. (2002). J2EE Design Patterns Applied. WROX Press.

Industry and Trade Publications

[TP8] Herr, T., Romanosky, S. (2015), Cyber Crime: Creating Roadmap to Effective Cyber Legislation, The American Foreign Policy Council Defense Technology Program Brief, (11).
[TP7] Mell, P., Scarfone, K., & Romanosky, S. (2007). NIST Interagency Report (NIST IR) 7435, The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems. National Institute of Standards and Technology (NIST).
[TP6] Mell, P., Scarfone, K., & Romanosky, S. (2007). A Complete Guide to the Common Vulnerability Scoring System Version 2.0. Forum of Incident Response and Security Teams (FIRST).
[TP5] Mell, P., Scarfone, K., & Romanosky, S., (Nov/Dec, 2006). Common Vulnerability Scoring System. IEEE Security and Privacy, 4(6) 85-89.
[TP4] Romanosky, S., Kim, G., & Kravchenko, B. (Oct 2006). Global Technology Audit Guide 6 (GTAG):Managing and Auditing IT Vulnerabilities. The Institute of Internal Auditors.
[TP3] Cranor, L. F., Egelman, S., Hong, J., Kumaraguru, P., Kuo, C., Romanosky, S., Tsai, J., & Vaniea, K. (2005). FoxTor, A Tor Design Proposal. Carnegie Mellon University’s Usable Privacy and Security (CUPS) Laboratory.
[TP2] Schiffman, M., Eschelbeck, G., Ahmad, D., Wright, A. & Romanosky, S. (2004). CVSS: A Common Vulnerability Scoring System. Forum of Incident Response and Security Teams (FIRST).
[TP1] Romanosky, S. (March 2003). Enterprise Security Patterns. Information Systems Security Association Journal.

Presentations
Invited Presentations

[IP34] Kogod Cybersecurity Governance Center, March 28, 2016, American University, Washington DC.
[IP33] Conference Board of Canada's Cyber Security Centre, March 23, 2016, Ottawa, Canada.
[IP32] DHS Science and Technology Cyber Security Division R&D Showcase, February 18, 2016, Washington DC.
[IP31] Financial Information Systems and Cybersecurity: A Public Policy Perspective, January 13, 2016, University of Maryland.
[IP30] Workshop on Data Breach Recovery for Individuals and Institutions, National Academies of Sciences, January 12, 2016, Washington DC.
[IP29] Internet and Computer Law, American Association of Law Schools, January 9, 2016, New York, NY.
[IP28] Catalyzing Privacy by Design: Frontiers in Regulation and Management, Georgetown Law Center, January 6, 2016, Washington DC.
[IP27] RAND Board of Trustee Meeting, November 11, 2015, Santa Monica, CA.
[IP26] RAND Institute of Civil Justice Board Meeting, October 23, 2015, Washington DC.
[IP25] RAND Center for Catastrophic Risk Management and Compensation Board Meeting, June 23, 2015, Washington, DC.
[IP24] RAND Center for Corporate Ethics and Governance board meeting, May 21, 2015, New York, NY.
[IP23] Invited Speaker, U.S. Department of Justice, Global Justice Information Sharing Initiative, Advisory Committee (GAC) Meeting, Washington, DC, January 27, 2015.
[IP22] Cybersecurity Forum, Study on Proactive Cybersecurity Risk Management, Federal Communications Commission, Washington DC, January 27, 2015.
[IP21] Invited Speaker, RAND Center for Corporate Ethics and Governance Board Meeting, New York, November 5, 2014.
[IP20] Invited Speaker, German-US cybersecurity Dialog, Incentives and Public-Private Collaboration for Cybersecurity, George Washington University, October 17, 2014.
[IP19] Research Roundtable on the Future of Privacy and Data Regulation, Law & Economics Center, George Mason University, March 7, 2014.
[IP18] Incentives to Adopt Improved Cybersecurity Practices, Tenth Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, Smith School of Business, University of Maryland, January 8, 2014.
[IP17] Law and Economics of Data Security Policy, Law and Economics Center, George Mason University School of Law, December 12, 2013.
[IP16] From Here to Secure: Market Drivers and the Cybersecurity Framework, Center for Business and Public Policy, Georgetown University, December 4, 2013.
[IP15] International Association of Privacy Professionals (IAPP) Practical Privacy Series. New York, NY, November 6, 2013.
[IP14] Public Policy Conference on the Law & Economics of Privacy and Data Security, Law and Economics Center, George Mason University School of Law, June 19, 2013.
[IP13] The Incentives and Regulation of Cybersecurity, Center for Business and Public Policy (CBPP), Georgetown University, June 13, 2013.
[IP12] Battling Big Brother, Personal Democracy Forum, June 6-7, New York, NY.
[IP11] Cybersecurity Insurance Roundtable, Defining the Pillars of an Effective Cyber Risk Culture, Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD), May 13, 2013.
[IP10] Law and Economics of Privacy, George Mason University School of Law, December 12, 2012.
[IP9] Cybersecurity Insurance Workshop, “Defining Challenges to Today’s Cybersecurity Insurance Market,” Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD), October 22, 2012.
[IP8] Measuring and Modeling Security and Privacy Laws. Economics Research Working Group Meeting, Microsoft Research New England Lab, Cambridge, MA, October 19-21, 2011 (Gratis Visitor).
[IP7] Security Economics. Annual Computer Security Applications Conference (ACSAC), Austin, TX, December 5-9, 2010.
[IP6] Privacy Costs and Personal Data Protection: The Economic and Legal Perspectives. Security Breach Notification Six Years Later, University of California Berkeley, Center for Law and Technology, Berkeley, CA, March 9, 2009.
[IP5] Using Regulation and Liability to Prevent Data Breaches, Information Systems Security Association, Pittsburgh, PA, January, 2009.
[IP4] Do Data Breach Disclosure Laws Reduce Identity Theft? Electronic Health and Information & Privacy Conference, Ottawa, Canada, November 3, 2008.
[IP3] Do Data Breach Disclosure Laws Reduce Identity Theft? Information Systems Security Association, Pittsburgh, PA, January, 2008.
[IP2] Managing and Auditing IT Vulnerabilities, Information Systems Security Association, Pittsburgh, PA, January, 2007.
[IP1] The Common Vulnerability Scoring System (CVSS), Information Systems Security Association, Pittsburgh, PA, January, 2006.

Commentaries

Op-Ed at US NEWS, The High Cost of Hacks: Is cyber insurance to blame for the increasing cost of data breaches?, March 6, 2015, US NEWS. Available at http://www.usnews.com/opinion/blogs/world-report/2015/03/06/cyber-insurers-must-do-a-better-job-of-assessing-risk-of-hacks.
Comments to the Department of Commerce on Incentives to Adopt Improved Cybersecurity Practices (through cyber-insurance)
Concurring Opinions (general topics legal blog)
Privacy Research Group (blog), Information Law Institute, NYU School of Law

Industry Projects

Common Vulnerability Scoring System (CVSS)
Currently, corporate IT management must identify and assess vulnerabilities for many disparate hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored differently across vendors, how can IT managers convert this mountain of vulnerability data into actionable information? The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue. It offers the following benefits:

Standardized Vulnerability Scores: When an organization normalizes vulnerability scores across all their software and hardware platforms, they can leverage a single vulnerability policy to address each of them. This policy may be similar to a service level agreement (SLA) that states how quickly a particular vulnerability must be validated and remediated.
Prioritized Risk: When the final score is computed, the vulnerability now becomes contextual. That is, vulnerability scores are now representative of the actual risk to an organization. They know how important, in relation to other vulnerabilities, is a given vulnerability.
Open framework: Users can be confused when a vulnerability is given a certain score. What properties gave it that score? How does it differ from this other one, or why is it not the same? With CVSS, anyone can view the exact metric values that were used to formulate the overall score.

CVSS is part of the Payment Card Industry Data Security Standard (PCI-DSS), NIST's SCAP Project, and has been formally adopted as an international standard for scoring vulnerabilities (ITU-T X.1521).

Vulnerability Management

IT organizations consume great resources in identifying and remediating computer vulnerabilities. Compound this with the reality that the group finding the vulnerabilities is generally not the group fixing them. This results in a resource-intensive and sometimes adversarial organizational dynamic.

Managing and Auditing IT Vulnerabilities is the 6th in a series of Global Technology Audit Guides (GTAGs) published by the Institute of Internal Auditors (the IIA). We discuss the steps of first identifying, assessing then prioritizing computer vulnerabilities. We differentiate many of the characteristics of low- with high-performing vulnerability management organizations and we include a number of metrics than an organization can use to establish a datum and track their progress.

We recognize that immediate benefits are achieved by remediating individual, yet critical vulnerabilities. However, as shown in the diagram, effective vulnerability management means integrating and aligning IT Security with the organization's existing IT management processes (e.g. within an ITIL framework).

Security Patterns
Patterns are a beautiful way of organizing and formalizing proven solutions to reoccurring problems. They were developed by Christopher Alexander in the 1970’s. Alexander observed and documented the relationships that existed between things: objects, spaces, light, people, passages, and moods. From this work emerged architectural patterns and pattern languages. This methodology was later adapted to Object Oriented (OO) programming and then Information Security. A couple of important points about patterns (especially if you ever consider writing some):

They are very hard to write well. A “great idea” is not a pattern
Patterns don’t represent “new” work (the way most papers do)
They codify existing knowledge to help novices implement good solutions
They are structured according to the 3 Part Rule
- Context: describes the general conditions under which the problem occurs
- Problem: describes the problem that repeatedly occurs and the forces that exist within the context. Forces may complement or contradict one another
- Solution: shows how to best solve the reoccurring problem, or better, how to balance the forces associated with the problem

Visit Markus Schumacher's site or hillside.net for more information on security patterns.

Biography

Sasha Romanosky researches topics in the economics of security and privacy, cyber crime, national security, applied microeconomics, and law & economics. He is a policy researcher at the RAND Corporation and a faculty member of the Pardee RAND Graduate School. Sasha holds a PhD in Public Policy and Management from Carnegie Mellon University and a BS in Electrical Engineering from the University of Calgary, Canada. He has published in the Journal of Policy Analysis and Management, Journal of Empirical Legal Studies, the Berkeley Technology Law Journal, coauthored two book chapters and has written other works on information security. Sasha was a Microsoft research fellow in the Information Law Institute at New York University, and was a security professional for over 10 years within the financial and e-commerce industries at companies such as Morgan Stanley and eBay. Sasha holds a CISSP certification and is co-author of the Common Vulnerability Scoring System (CVSS), an international standard for scoring computer vulnerabilities.

Publications | Presentations | Industry Projects | Biography