Sasha Romanosky
A passion for research


Publications | Presentations | Industry Projects | Biography

Academic Research

Greetings! I am a PhD candidate in the Heinz College of Information Systems and Public Policy at Carnegie Mellon University. Using conventional economic methods, I research legal and economic issues concerning data security and consumer privacy. My thesis title is Measuring and Modeling Security and Privacy Laws.

Many security and privacy laws appear to be implemented without the expectation of measurement or evaluation. This is one area where I hope to contribute. For example, I conducted an empirical analysis of the effect of data breach disclosure laws on identity theft. The hope is that notification empowers consumers to mitigate harms from identity theft. Also, the public disclosure (the “sunlight” effect) of a breach is expected to force firms to internalize more of the cost of a data breach. However, individuals suffer from a number of behavioral decision biases which may instead burden them, driving them to inaction. Using a diff-in-diff fixed-effect regression on panel data from the years 2002-2009, we found that adoption of these laws reduced identity theft by 6%.

This research path has also fostered a great interest in law and economics and the mechanisms by which public policies (laws) can reduce the harm from a firm’s otherwise socially beneficial activity. Ex ante safety regulation, ex post liability and information disclosure are three such common instruments. And so, I performed a legal and economic analysis of these mechanisms within the context of data breaches. In addition, I conducted an analytical study of mandatory disclosure. Leveraging the economic analysis of tort (accident) law, I examined how firm and consumer incentives (and therefore costs) are affected, and ultimately, examined the conditions under which social costs can be reduced.

One of the more controversial issues surrounding data breaches is the extent to which firms incur liability through litigation. Using Westlaw and PACER, I have collected and coded a set of over 200 federal data breach lawsuits in order to answer two main research questions: which breaches are being litigated, and which data breach suits are settling?

The figure below illustrates these mechanisms and how my research contributes to each one.



My advisor is Alessandro Acquisti. I am currently on the job market, and expect to complete my PhD in the spring of 2012.



Publications

Working Papers
Journal and Peer Reviewed Publications
Book Chapters
Industry and Trade Publications
Blog Postings (Concurring Opinions: a general topics legal blog)


Presentations
Invited Talks
Other Presentations

Industry Projects

Common Vulnerability Scoring System (CVSS)

Brief History:
  • April 2011: CVSS has been accepted as an International Telecommunication Union (ITU) standard and is formally known as: ITU-T X.1521.

  • August 2007: NIST and SCAP: CVSS v2 has been republished as a NIST Interagency Report (NISTIR 7435). This publication discusses how Federal agencies can incorporate Federal Information Processing Standards (FIPS) 199 impact ratings into their CVSS scores and so generate scores tailored to Federal agency environments. NIST recommends CVSS to Federal agencies as part of the U.S. government Security Content Automation Protocol (SCAP). The document is available from NIST.

  • June 2007: Version 2 of the Common Vulnerability Scoring System was published. It represents the collective effort of industry professionals and academic researchers to improve the flexibility and usability of this IT vulnerability scoring system. http://www.first.org/cvss/

  • June 2007: CVSS and the Payment Card Industry (PCI): Private-sector firms that process credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). Effective June 2007, the PCI governing body requires firms to use CVSS to rate how vulnerable their IT systems are. The PCI DSS is available from the PCI Security Standards Council.

    Overview:
    Currently, corporate IT management must identify and assess vulnerabilities across many disparate hardware and software platforms, prioritize them, and remediate those that pose the greatest risk. But when there are so many to fix, each scored differently by each vendor, how can IT managers convert this mountain of vulnerability data into actionable information? The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue. It offers the following benefits:
    • Standardized vulnerability scores: When an organization normalizes vulnerability scores across all of its software and hardware platforms, it can apply a single vulnerability policy to all of them. Such a policy may resemble a service level agreement (SLA) that states how quickly a vulnerability of a given score must be validated and remediated.
    • Prioritized risk: Once the temporal and environmental metrics are applied, the score becomes contextual: it reflects the actual risk to that organization, so a given vulnerability can be ranked against the others the organization faces.
    • Open framework: A bare score raises questions. What properties gave the vulnerability that score? Why does it differ from, or match, another one? With CVSS, anyone can see the exact metric values from which the overall score was computed, and can recompute it.

    CVSS was conceived by the National Infrastructure Advisory Council (NIAC) as a response to the multitude of disparate computer vulnerability scoring systems available from commercial and open-source organizations. It was accepted by the US Department of Homeland Security in 2004, and many infosec individuals and vendors have been working to promote and improve the framework. For example, CVSS is currently supported by NIST's National Vulnerability Database (NVD), Tenable Security, Cisco, Oracle and others. FIRST maintains a full list of adopters.

    The CVSS score is a composite derived from three metric groups:
    • The base metrics capture properties of a vulnerability that do not change over time: the access vector (how remotely it can be reached), the access complexity, whether authentication is required, and the degree to which it compromises the confidentiality, integrity and availability of the system
    • The temporal metrics capture properties that do change over time: whether exploit code exists and how mature it is, whether an official patch, temporary fix or workaround is available, and how confident the community is in the vulnerability report
    • The environmental metrics capture properties specific to a user's IT environment: the prevalence of the affected system, the potential collateral loss, and how much the organization values the confidentiality, integrity and availability of the affected asset

    CVSS was originally created by Mike Schiffman, Gerhard Eschelbeck, Dave Ahmed, Andrew Wright, and Sasha Romanosky and is under active development. If you would like to participate, please visit FIRST for more information.



    Vulnerability Management
    IT organizations consume great resources in identifying and remediating computer vulnerabilities. Compound this with the reality that the group finding the vulnerabilities is generally not the group fixing them. This results in a resource-intensive and sometimes adversarial organizational dynamic.

    Managing and Auditing IT Vulnerabilities is the 6th in a series of Global Technology Audit Guides (GTAGs) published by the Institute of Internal Auditors (the IIA). We discuss the steps of first identifying, then assessing and prioritizing computer vulnerabilities. We differentiate many of the characteristics of low- and high-performing vulnerability management organizations, and we include a number of metrics that an organization can use to establish a baseline and track its progress.

    We recognize that immediate benefits are achieved by remediating individual, yet critical vulnerabilities. However, as shown in the diagram, effective vulnerability management means integrating and aligning IT Security with the organization's existing IT management processes (e.g. within an ITIL framework).



    FoxTor

    I am in the process of porting FoxTor to Firefox v3. If you would like advanced notice, send me an email (sromanos at cmu.edu).

    When you use the Internet, you leave a trail of information that can be used to track your online activities. FoxTor is a tool that helps prevent this. It provides an easy and convenient way to browse the Web anonymously using the Firefox web browser.

    FoxTor uses the "Masked" and "Unmasked" metaphor to help you control when websites can and cannot track you. Once installed, you Mask and Unmask yourself by clicking the icon in the bottom left corner of your web browser as shown below.


    FoxTor also enables privacy preferences within Firefox and automatically configures the browser to use Tor and Privoxy. Tor provides users with a free and secure way to communicate anonymously over the Internet. Privoxy is a filtering HTTP proxy that sits between the browser and Tor's SOCKS interface, so that all browser communication is forwarded through the Tor network rather than sent directly. Together, these tools help keep you anonymous when browsing online; what the browser itself reveals (cookies, scripts and plugins) is outside what a proxy can hide, which is why FoxTor also adjusts the browser's privacy preferences.

    The FoxTor concept was the winning entry of the Tor GUI Competition and was designed by members of Carnegie Mellon's Usable Privacy and Security Lab (CUPS).

    Visit the FoxTor home page or Mozilla for more information and to download the extension.


    Security Patterns
    Patterns are a beautiful way of organizing and formalizing proven solutions to recurring problems. They were developed by Christopher Alexander in the 1970s. Alexander observed and documented the relationships that existed between things: objects, spaces, light, people, passages, and moods. From this work emerged architectural patterns and pattern languages. This methodology was later adapted to Object Oriented (OO) programming and then to information security. A couple of important points about patterns (especially if you ever consider writing some):
    • They are very hard to write well. A “great idea” is not a pattern
    • Patterns don’t represent “new” work (the way most papers do)
    • They codify existing knowledge to help novices implement good solutions
    • They are structured according to the three-part rule
      • Context: describes the general conditions under which the problem occurs
      • Problem: describes the problem that repeatedly occurs and the forces that exist within the context. Forces may complement or contradict one another
      • Solution: shows how best to solve the recurring problem, or better, how to balance the forces associated with the problem
    Visit Markus Schumacher's site or hillside.net for more information on security patterns.



    Biography

    Sasha Romanosky is a PhD candidate in the Heinz College, School of Information Systems and Public Policy at Carnegie Mellon University, where he researches legal and economic issues concerning data security and consumer privacy. He holds a Bachelor of Science degree in Electrical Engineering from the University of Calgary, Canada. Sasha has published in the Journal of Policy Analysis and Management and the Berkeley Technology Law Journal, has coauthored two book chapters, and has written other works on information security law and economics. Sasha was a security professional for over 10 years, predominantly within the financial and e-commerce industries at companies such as Morgan Stanley and eBay. He holds a CISSP certification and is involved in a number of industry projects. For example, he developed the FoxTor tool for anonymous web browsing and is a co-author of the Common Vulnerability Scoring System (CVSS), an open framework for scoring computer vulnerabilities. Sasha is a member of CyLab at Carnegie Mellon and of the CyLab Usable Privacy and Security Laboratory (CUPS).

    Sasha can be reached at sromanos at cmu [dot] edu.

