romanosky dot net

Sasha Romanosky
A passion for information security economics

Projects | Publications | Presentations | Biography

Research Projects
Below are some of my current research interests and projects:

Economics of Information Security

Greetings! I am a PhD student in the Heinz College of Information Systems and Public Policy at Carnegie Mellon University. My academic research intersects the fields of consumer privacy, information security, economics of law, and public policy. My working thesis topic is:

Measuring and Modeling Security and Privacy Laws
Many security and privacy laws appear to be implemented without the expectation of measurement or evaluation. This is one area where I hope to contribute. For example, I conducted a familiar public policy analysis of the treatment effect of law on crime: the effect of data breach disclosure (aka security breach notification) laws on identity theft. By notifying consumers when their personal information has been lost or stolen, the hope is that consumers will take measures to prevent future harm. Also, the public disclosure (the “sunlight” effect) of a breach is expected to force firms to internalize more of the cost of breaches, creating an incentive for them to improve their security practices, reducing future data breaches. We found that adoption of the laws reduced identity theft by about 2% on average. The paper can be found here: Do data breach disclosure laws reduce identity theft?

This research has also fostered an interest in legal theory and the mechanisms that public policies (laws) leverage in order to reduce the harm from a firm’s otherwise socially beneficial activity. Ex ante safety regulation, ex post liability and information disclosure are three such mechanism. And so, I am exploring economic social welfare analyses of such mechanisms to better understand how they should behave and under which circumstances.

My advisors are Rahul Telang and Alessandro Acquisti.

I am also engaged in a number of other industry-related information security projects that are described below.

Common Vulnerability Scoring System (CVSS)

August 2007: NIST and SCAP: CVSS v2 has been republished as a NIST Interagency Report (NIST-IR7435). This publication discusses how Federal agencies can incorporate Federal Information Processing Standards (FIPS) 199 impact ratings into their CVSS scores and generate scores specifically tailored to Federal agency environments. This is part of NIST's recommendation of CVSS by Federal agencies as part of the U.S. government Security Content Automation Protocol (SCAP). The document is available Here.

June 2007: Version 2 of the Common Vulnerability Scoring System was published. It represents the collective efforts of industry professionals and academia researchers to improve the flexibility and usability of this IT vulnerability scoring system. http://www.first.org/cvss/

June 2007: CVSS and the Payment Card Industry (PCI): In order for private-sector firms to process credit cards, they need to comply with the Payment Card Industry Data Security Standards (PCI DSS). Effective June 2007, the PCI governing body is requiring firms use CVSS in order to determine how vulnerable are their IT systems. The PCI DSS is available Here.

Currently, corporate IT management must identify and assess vulnerabilities for many disparate hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored differently across vendors, how can IT managers convert this mountain of vulnerability data into actionable information? The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue. It offers the following benefits:

Standardized Vulnerability Scores: When an organization normalizes vulnerability scores across all their software and hardware platforms, they can leverage a single vulnerability policy to address each of them. This policy may be similar to a service level agreement (SLA) that states how quickly a particular vulnerability must be validated and remediated.
Prioritized Risk: When the final score is computed, the vulnerability now becomes contextual. That is, vulnerability scores are now representative of the actual risk to an organization. They know how important, in relation to other vulnerabilities, is a given vulnerability.
Open framework: Users can be confused when a vulnerability is given a certain score. What properties gave it that score? How does it differ from this other one, or why is it not the same? With CVSS, anyone can view the exact metric values that were used to formulate the overall score.

CVSS was conceived by the National Infrastructure Assurance Council (NIAC), as a response to the multitude of disparate computer vulnerability scoring systems that are currently available through commercial and open-source organizations. It was accepted by the US Department of Homeland Security in 2004, and many infosec individuals and vendors have been working to promote and improve this framework. For example, CVSS is currently supported by NIST's National Vulnerability Database (NVD), Tenable Security, Cisco, Oracle and others. See a full list of adopters here

The CVSS score is a composite score derived from the following three categories:

The base metric represents the properties of a vulnerability which do not change over time such as access complexity, access vector, degree to which the vulnerability compromises the confidentiality, integrity and availability of the system, and requirement for authentication to the system
The temporal metric measures the properties which do change over time such as the existence of an official patch or functional exploit code and the level of effort to remediate the vulnerability
The environmental metric measures the properties of a vulnerability which are representative of users' IT environment such as prevalence of the affected system and overall potential loss

CVSS was originally created by Mike Schiffman, Gerhard Eschelbeck, Dave Ahmed, Andrew Wright, and Sasha Romanosky and is under active development. If you would like to participate, please visit FIRST for more information.

Vulnerability Management

IT organizations consume great resources in identifying and remediating computer vulnerabilities. Compound this with the reality that the group finding the vulnerabilities is generally not the group fixing them. This results in a resource-intensive and sometimes adversarial organizational dynamic.

Managing and Auditing IT Vulnerabilities is the 6th in a series of Global Technology Audit Guides (GTAGs) published by the Institute of Internal Auditors (the IIA). We discuss the steps of first identifying, assessing then prioritizing computer vulnerabilities. We differentiate many of the characteristics of low- with high-performing vulnerability management organizations and we include a number of metrics than an organization can use to establish a datum and track their progress.

We recognize that immediate benefits are achieved by remediating individual, yet critical vulnerabilities. However, as shown in the diagram, effective vulnerability management means integrating and aligning IT Security with the organization's existing IT management processes (e.g. within an ITIL framework).

FoxTor

I am in the process of porting FoxTor to Firefox v3. If you would like advanced notice, send me an email (sromanos at cmu.edu).

When you use the Internet, you leave a trail of information that can be used to track your online activities. FoxTor is a tool that helps prevent this. It provides an easy and convenient way to browse the Web anonymously using the Firefox web browser.

FoxTor uses the "Masked" and "Unmasked" metaphor to help you control when websites can and cannot track you. Once installed, you Mask and Unmask yourself by clicking the icon in the bottom left corner of your web browser as shown below.

and

FoxTor also enables privacy preferences within Firefox and automatically configures the browser to use Tor and Privoxy. Tor provides users with a free and secure way to communicate anonymously over the Internet. Privoxy ensures that all browser communication passes through the Tor network. Together, these tools ensure that you remain anonymous when browsing online.

The FoxTor concept was the winning entry of the Tor GUI Competition and was designed by members of Carnegie Mellon's Usable Privacy and Security Lab (CUPS).

Visit the FoxTor home page or Mozilla for more information and to download the extension.

Security Patterns
Patterns are a beautiful way of organizing and formalizing proven solutions to reoccurring problems. They were developed by Christopher Alexander in the 1970’s. Alexander observed and documented the relationships that existed between things: objects, spaces, light, people, passages, and moods. From this work emerged architectural patterns and pattern languages. This methodology was later adapted to Object Oriented (OO) programming and then Information Security. A couple of important points about patterns (especially if you ever consider writing some):

They are very hard to write well. A “great idea” is not a pattern
Patterns don’t represent “new” work (the way most papers do)
They codify existing knowledge to help novices implement good solutions
They are structured according to the 3 Part Rule
- Context: describes the general conditions under which the problem occurs
- Problem: describes the problem that repeatedly occurs and the forces that exist within the context. Forces may complement or contradict one another
- Solution: shows how to best solve the reoccurring problem, or better, how to balance the forces associated with the problem

Visit Markus Schumacher's site or hillside.net for more information on security patterns.

Publications

Sasha Romanosky and Alessandro Acquisti, Privacy Costs and Personal Data Protection: Economic and Legal Perspectives of Ex Ante Regulation, Ex Post Liability and Information Disclosure, 24 Berkeley Technology Law Journal (forthcoming 2009). Available at SSRN: http://ssrn.com/abstract=1522605
Sasha Romanosky, Rahul Telang and Alessandro Acquisti, Do Data Breach Disclosure Laws Reduce Identity Theft? (September 16, 2008). Available at SSRN: http://ssrn.com/abstract=1268926
Peter Mell, Karen Scarfone, Sasha Romanosky, " NIST Interagency Report (NIST IR) 7435, The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems," National Institute of Standards and Technology (NIST), 2007.
Peter Mell, Karen Scarfone, Sasha Romanosky, "A Complete Guide to the Common Vulnerability Scoring System Version 2.0," Forum of Incident Response and Security Teams (FIRST), 2007.
Peter Mell, Karen Scarfone, Sasha Romanosky, "Common Vulnerability Scoring System," IEEE Security and Privacy, vol. 4, no. 6, pp. 85-89, Nov/Dec, 2006. *
Sasha Romanosky, Gene Kim, Bridget Kravchenko, "Managing and Auditing IT Vulnerabilities," The Institute of Internal Auditors, October, 2006.
Sasha Romanosky, "Private Sector: When it comes to data security, sweat the little things," Pittsburgh Post-Gazette, August 22, 2006.
Romanosky, S., Acquisti, A., Hong, J., Cranor, L. F., and Friedman, B. 2006. Privacy patterns for online interactions. In Proceedings of the 2006 Conference on Pattern Languages of Programs (Portland, Oregon, October 21 - 23, 2006). PLoP '06. ACM, New York, NY, 1-9. DOI= http://doi.acm.org/10.1145/1415472.1415486
Cynthia Kuo, Sasha Romanosky, Lorrie Faith Cranor, "Human Selection of Mnemonic Phrase-based Passwords", Proceedings of the 2006 Symposium On Usable Privacy and Security (SOUPS), Carnegie Mellon University.
Markus Schumacher, Eduardo Fernandez-Buglioni, Duane Hybertson, Frank Buschmann, Peter Sommerlad (editors), "Security Patterns: Integrating Security and Systems Engineering", pp101-141, 164-176, Wiley & Sons, 2006.
I contributed the following risk management and enterprise patterns:
- Asset Valuation: determining the overall importance an enterprise places on the assets it owns and controls
- Threat Assessment: identifying the likelihood of hazardous events that can occur to an enterprise's assets
- Vulnerability Assessment: identifying the weaknesses that could be exploited to compromise an asset
- Risk Determination: evaluating and prioritizing the risks to an enterprise's assets
- Enterprise Partner Communication: protecting an enterprise and its assets while communicating with 3rd parties
Mike Schiffman, Gerhard Eschelbeck, David Ahmad, Andrew Wright, Sasha Romanosky, "CVSS: A Common Vulnerability Scoring System", National Infrastructure Advisory Council (NIAC), 2004.
Sasha Romanosky, "Enterprise Security Patterns", Information Systems Security Association Journal, March 2003.
Matjaz Juric, Nadia Nashi, Craig Berry, Meeraj Kunnumpurath, John Carnell, Sasha Romanosky "J2EE Design Patterns Applied", WROX Press, 2002.
Sasha Romanosky "Enterprise Security Design Patterns", proceedings of the European Conference on Pattern Languages of Programs (EuroPLoP), 2002.

* ©2006 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

Presentations
Here are some presentations that I have given:

Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal? This was presented at the "Financial Information Systems and Cybersecurity: A Public Policy Perspective" workshop at the University of Maryland (Oct. 27, 2009). Here, we present part of an analytical model that explores the conditions under which information disclosure can reduce social costs. A related presentation was given at INFORMS (Oct. 11, 2009).

Consumer Privacy Costs and Personal Data Protection: Economic and Legal Perspectives (March 6, 2009) This was an invited talk co-presented with Alessandro Acquisti at a data breach symposium sponsored by the Berkeley Center for Law & Technology and the Berkeley Technology Law Journal. We present some initial research into three legal regimes used to reduce harm caused by firms: ex ante regulation, ex post liability and information disclosure. We provide an economic comparison of these regimes with a focus on conusmer privacy costs from data breaches.

Do Data Breach Dislcosure Laws Reduce Identity Theft? This empirical research measures the effect of state-level data breach disclosure laws on identity theft. This work was presented at the Workshop on the Econonomics of Information Security at Dartmouth College (Jun. 26, 2008) and Electronic Health Information and Privacy Conference (Nov. 3, 2008).

The New Common Vulnerability Scoring System (CVSS v2) (2008) This was a talk given to the CyLab group at Carnegie Mellon University. A similar talk was prepared for the Institute for Information Infrastructure Protection (I3P) at Cornell University. The audience for both groups was largely academics, and as we are all keen on data and metrics, the talk was well received. I highlighted adoption of CVSS by the PCI Council and NIST's SCAP. I also discussed the benefits and consequences of CVSS as an ordinal vs cardinal metric.

Effective Collaboration (2007): This is a discussion about recognizing the incentives and motivations of others. This is critical, I believe when one is trying to promote an idea or affect change in an organization.

Risk Analysis using Skybox (2007): In this class on Information Security Risk Analysis, taught by Ashish Arora, we look at various quantitative models for risk analysis. Here, I introduce Skybox, a very sophisticated commercial analysis product.

Vulnerability Management (2007): Here, I present Vulnerability Management to the local Pittsburgh ISSA/ISACA chapter. This is content from the "Managing and Auditing IT Vulnerabilities GTAG" mentioned above.

Text Passwords (2006): This was a presentation to a class on Usable Privacy and Security systems taught by Lorrie Cranor and Jason Hong. Here I discuss the landscape of text-based passwords and present some thoughts on memorability.

Security Patterns (2006): This was a talk I gave to an Object-Oriented software design class, taught by Stephen Roehrig at CMU.

CVSS (2006): This was a talk on CVSS presented to the ISSA Pittsburgh chapter while enrolled in the Master of Science Information Security Public Policy and Management (MSISPM) at CMU.

Biography

Sasha Romanosky, CISSP, holds a Bachelor of Science degree in Electrical Engineering from the University of Calgary, Canada. He has been working with internet and security technologies for over 10 years, predominantly within the financial and e-commerce industries at companies such as Morgan Stanley and eBay. He is coauthor of "J2EE Design Patterns Applied" and "Security Patterns: Integrating Security and Systems Engineering" and has published other works on information security. He developed the FoxTor tool for anonymous web browsing and is co-developer of the Common Vulnerability Scoring System (CVSS), an open framework for scoring computer vulnerabilities. Sasha is a member of CMU's CyLab and the Usable Security and Privacy laboratory (CUPS).

Sasha is currently a PhD candidate at the Heinz College, School of Information Systems and Public Policy at Carnegie Mellon University where he researches the Economics of Information Security. He can be reached at sromanos at cmu [dot] edu.

Projects | Publications | Presentations | Biography