Sasha Romanosky, PhD
A passion for research

Publications | Presentations | Industry Projects | Biography

Greetings! My research interests include the economics of security and privacy, information policy, applied microeconomics, and law & economics. I am an associate policy researcher at the RAND Corporation. I obtained my PhD from the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, advised by Alessandro Acquisti.

I can be reached at sromanos [at] cmu.edu.

Academic Research

My research is motivated by the surge in social media, cloud computing, and mobile services that is fuelling the unprecedented collection, use and sale of personal consumer information. These opportunities for the use of big data afford many benefits to firms, consumers, and government agencies. However, individuals can be harmed when their personal information is lost, stolen, or improperly accessed.

In addition to commercial purposes, individual data are used for many kinds of public sector applications such as law enforcement and national security. These surveillance data, whether collected from drones, CCTVs, license plate readers, or other sources, represent an unprecedented opportunity to detect -- and prevent -- malicious activity.

The critical tension, therefore, lies in balancing corporate interests, individual privacy rights, law enforcement, and national security. While there are legitimate reasons for limiting the collection, use, or sharing of personal information, excessive restrictions can be inefficient. For example, limiting the types of data that firms can collect may enhance consumer privacy, but may reduce a firm's ability to innovate. Restricted access to medical information may reduce medical fraud, but it may also inhibit important medical research or the ability to identify disease outbreaks. Limiting access to location or cloud-based data may hinder the government's ability to investigate serious crimes.

How is consumer data regulated today?
The management of personal consumer information is regulated by many disparate state and federal laws. On one hand, states may prohibit the selling, sharing or public disclosure of personal information. For example, some states specifically prevent the sale of driver tollbooth information, while other states prevent the collection or public notice of social security, zip code, and social media account information. On the other hand, other state laws allow, or require, the disclosure of personal information. For example, most states require that companies notify individuals when their personal information has been lost or stolen, while others require consumer notice if a company collects your information with the intent to sell it.

But what is the full landscape of state and federal information laws? How can firms continue to innovate despite increasing data restrictions? Do these laws work as intended, or do they introduce perverse outcomes? What consequences and benefits exist for protecting critical infrastructure, and how can these effects be empirically measured?

How do Information Policies work, and how do they reduce externalities?
Legislators often consider a number of alternative policy interventions to help reduce externalities caused by the unauthorized disclosure or collection of information, such as ex ante safety regulation (mandated standards), information disclosure, and ex post liability. Ex ante regulation is often a heavy-handed prevention mechanism that enforces a minimum standard of care. However, its effectiveness is hampered when the regulated inputs are only loosely correlated with the harmful outputs. Disclosure, on the other hand, can be a corrective mechanism that empowers individuals to avoid potential harms. However, cognitive biases may instead burden individuals, preventing them from acting. Finally, ex post liability allows victims to recover any losses through civil litigation, thereby forcing firms to internalize any harm.

But are these interventions effective? How do they drive firm and consumer behaviors, and how do they affect overall social costs?

These issues present many wonderful opportunities for rigorous empirical and inter-disciplinary research in security and privacy, information policy, applied microeconomics, and law & economics.


Publications

Working Papers | Journal and Peer Reviewed Publications | Book Chapters | Industry and Trade Publications | Commentaries


Presentations
Invited Talks | Other Presentations

Industry Projects

Common Vulnerability Scoring System (CVSS)
Currently, corporate IT management must identify and assess vulnerabilities for many disparate hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored differently across vendors, how can IT managers convert this mountain of vulnerability data into actionable information? The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue. It offers the following benefits: CVSS is part of the Payment Card Industry Data Security Standard (PCI-DSS), NIST's SCAP Project, and has been formally adopted as an international standard for scoring vulnerabilities (ITU-T X.1521).



Vulnerability Management
IT organizations consume great resources in identifying and remediating computer vulnerabilities. Compound this with the reality that the group finding the vulnerabilities is generally not the group fixing them. This results in a resource-intensive and sometimes adversarial organizational dynamic.

Managing and Auditing IT Vulnerabilities is the 6th in a series of Global Technology Audit Guides (GTAGs) published by the Institute of Internal Auditors (the IIA). We discuss the steps of first identifying, then assessing and prioritizing computer vulnerabilities. We differentiate many of the characteristics of low- and high-performing vulnerability management organizations, and we include a number of metrics that an organization can use to establish a baseline and track its progress.

We recognize that immediate benefits are achieved by remediating individual, yet critical vulnerabilities. However, as shown in the diagram, effective vulnerability management means integrating and aligning IT Security with the organization's existing IT management processes (e.g. within an ITIL framework).



Security Patterns
Patterns are a beautiful way of organizing and formalizing proven solutions to recurring problems. They were developed by Christopher Alexander in the 1970s. Alexander observed and documented the relationships that existed between things: objects, spaces, light, people, passages, and moods. From this work emerged architectural patterns and pattern languages. This methodology was later adapted to Object Oriented (OO) programming and then to Information Security. A couple of important points about patterns (especially if you ever consider writing some):
Visit Markus Schumacher's site or hillside.net for more information on security patterns.



Biography

Sasha Romanosky researches topics in the economics of security and privacy, information policy, applied microeconomics, and law & economics. He is an associate policy researcher at the RAND Corporation. Sasha holds a PhD in Public Policy and Management from Carnegie Mellon University and a BS in Electrical Engineering from the University of Calgary, Canada. He has published in the Journal of Policy Analysis and Management, the Journal of Empirical Legal Studies and the Berkeley Technology Law Journal, has coauthored two book chapters, and has written other works on information security. Sasha was a Microsoft research fellow in the Information Law Institute at New York University, and was a security professional for over 10 years within the financial and e-commerce industries at companies such as Morgan Stanley and eBay. Sasha holds a CISSP certification and is co-author of the Common Vulnerability Scoring System (CVSS), an open standard for scoring computer vulnerabilities.

