Sasha Romanosky, PhD
A passion for research
Greetings! My research interests include the economics of security and privacy, information policy, applied microeconomics, and law & economics. I am an associate policy researcher at the RAND Corporation. I obtained my PhD from the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, advised by Alessandro Acquisti.
I can be reached at sromanos [at] cmu.edu.
My research is motivated by the surge in social media, cloud computing, and mobile services that is fuelling the unprecedented collection, use and sale of personal consumer information. These opportunities for the use of big data afford many benefits to firms, consumers, and government agencies. However, individuals can be harmed when their personal information is lost, stolen, or improperly accessed.
In addition to commercial purposes, individual data are used for many kinds of public sector applications such as law enforcement and national security. These surveillance data, whether collected from drones, CCTVs, license plate readers, or other sources, represent an unprecedented opportunity to detect -- and prevent -- malicious activity.
The critical tension, therefore, lies in balancing corporate interests, individual privacy rights, law enforcement, and national security. While there are legitimate reasons for limiting the collection, use, or sharing of personal information, excessive restrictions can be inefficient. For example, limiting the types of data that firms can collect may enhance consumer privacy, but may reduce a firm's ability to innovate. Restricting access to medical information may reduce medical fraud, but it may also inhibit important medical research or the identification of disease outbreaks. Limiting access to location or cloud-based data may hinder the government's ability to investigate serious crimes.
How is consumer data regulated today?
The management of personal consumer information is regulated by many disparate state and federal laws. On one hand, states may prohibit the selling, sharing or public disclosure of personal information. For example, some states specifically prevent the sale of driver tollbooth information, while other states prevent the collection or public notice of social security numbers, zip codes, and social media account information. On the other hand, state laws may allow, or require, the disclosure of personal information. For example, most states require that companies notify individuals when their personal information has been lost or stolen, while others require consumer notice if a company collects your information with the intent to sell it.
But what is the full landscape of state and federal information laws? How can firms continue to innovate despite increasing data restrictions? Do these laws work as intended, or do they introduce perverse outcomes? What consequences and benefits exist for protecting critical infrastructure, and how can these effects be empirically measured?
How do Information Policies work, and how do they reduce externalities?
Legislators often consider a number of alternative policy interventions to help reduce externalities caused by the unauthorized disclosure or collection of information, such as ex ante safety regulation (mandated standards), information disclosure, and ex post liability. Ex ante regulation is often a heavy-handed prevention mechanism that enforces a minimum standard of care. However, its effectiveness is hampered when the regulated inputs are only loosely correlated with the harmful outputs. Disclosure, on the other hand, can be a corrective mechanism that empowers individuals to avoid potential harms. However, cognitive biases may instead burden individuals, preventing them from acting. Finally, ex post liability allows victims to recover any losses through civil litigation, thereby forcing firms to internalize any harm.
But are these interventions effective? How do they drive firm and consumer behaviors, and how do they affect overall social costs?
These issues present many wonderful opportunities for rigorous empirical and inter-disciplinary research in security and privacy, information policy, applied microeconomics, and law & economics.
IT organizations consume great resources in identifying and remediating computer vulnerabilities. Compound this with the reality that the group finding the vulnerabilities is generally not the group fixing them. This results in a resource-intensive and sometimes adversarial organizational dynamic.
Managing and Auditing IT Vulnerabilities is the 6th in a series of Global Technology Audit Guides (GTAGs) published by the Institute of Internal Auditors (the IIA). We discuss the steps of first identifying, then assessing and prioritizing computer vulnerabilities. We differentiate many of the characteristics of low- and high-performing vulnerability management organizations, and we include a number of metrics that an organization can use to establish a baseline and track its progress.
We recognize that immediate benefits are achieved by remediating individual, yet critical vulnerabilities. However, as shown in the diagram, effective vulnerability management means integrating and aligning IT Security with the organization's existing IT management processes (e.g. within an ITIL framework).