Sasha Romanosky

Senior Policy Researcher

Washington Office

Education

Ph.D. in public policy and management, Carnegie Mellon University; B.S. in electrical engineering, University of Calgary

One Page Bio

Media Resources

This researcher is available for interviews.

To arrange an interview, contact the RAND Office of Media Relations at (310) 451-6913, or email media@rand.org.

More Experts

Overview

Sasha Romanosky is a senior policy researcher at the RAND Corporation, an appointed Member of the Data Privacy and Integrity Advisory Committee (DPIAC) at the Department of Homeland Security, and a former cyber policy advisor at the Pentagon in the Office of the Secretary of Defense for Policy (OSDP).

He researches the economics of cyber security, privacy, and national security. For example, he has examined whether data breach notification laws reduced consumer identity theft, and when firms are more likely to be sued (and settle) when they suffer a data breach. He studied the cost of data breaches in order to understand whether corporate losses are really as severe as is commonly believed, and he collected a dataset of cyber insurance policies to examine how insurance carriers price cyber risk. He has also studied private sector attribution of cyber incidents, and their impact to law enforcement, and the intelligence community.

Romanosky was a research fellow in the Information Law Institute at New York University, and a security professional for over 10 years. He is one of the original coauthors of the Common Vulnerability Scoring System (CVSS), an open standard for scoring computer vulnerabilities, and EPSS, the Exploit Prediction Scoring System. While in DoD, he oversaw two of the Department's most critical vulnerability programs, and advised on other matters related to cyber security and cyber policy.

Romanosky holds a Ph.D. in public policy and management from Carnegie Mellon University, and a B.S. in electrical engineering from the University of Calgary, Canada.

Research Focus

Previous Positions

Cyber Policy Advisor, U.S. Department of Defense

Selected Publications

Sasha Romanosky, Lillian Ablon, Andreas Kuehn,Therese Jones, "Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?" Journal of Cybersecurity, 2019 (forthcoming)

Sasha Romanosky, "Cost and Consequences of Cyber Incidents," Journal of Cybersecurity, 2(2), 2016

Sasha Romanosky, Zachary Goldman, "Understanding Cyber Collateral Damage," Journal of National Security Law and Policy, 9(1), 2017

Sasha Romanosky, David Hoffman, Alessandro Acquisti, "Empirical Analysis of Data Breach Litigation," Journal of Empirical Legal Studies, 11(1), 2014

Sasha Romanosky, Martin C. Libicki, Zev Winkelman, Olesya Tkacheva, Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals, RAND Corporation (RR-1151-DOS), 2015

Sasha Romanosky, Alessandro Acquisti, Rahul Telang, "Do Data Breach Disclosure Laws Reduce Identity Theft?" Journal of Policy Analysis and Management, 30(2), 2011

Sasha Romanosky, Alessandro Acquisti, "Privacy Costs and Personal Data Protection: Economic and Legal Perspectives of Ex Ante Regulation, Ex Post Liability and Information Disclosure," Berkeley Technology Law Journal, 24(3), 2009

Honors & Awards

Defense Medal for Exceptional Public Service, Department of Defense

Commentary

Cybersecurity

commentary
Developing an Objective, Repeatable Scoring System for a Vulnerability Equities Process
Feb 5, 2019
Security Cooperation

commentary
It's Time for the International Community to Get Serious About Vulnerability Equities
Nov 15, 2017
Cybersecurity

commentary
The Equifax Breach: Yawn, or Yikes?
Nov 3, 2017
Cybercrime

commentary
The Future of Cyber Investigations at the FBI Is Unclear
Aug 24, 2016
Cybercrime

announcement
Law Enforcement Cyber Center: A New Internet Resource for Combating Cybercrime
Aug 11, 2015
commentary
The High Cost of Hacks
Mar 9, 2015

Publications

Report
Support to the DoD Cyber Workforce Zero-Based Review: Developing a Repeatable Process for Conducting ZBRs Within DoD
Sep 19, 2022
Report
Identifying Critical IT Products and Services
Jul 6, 2022
Report
Disclosure of Software Supply Chain Risks
May 26, 2022
Report
Measuring Intelligence, Surveillance, and Reconnaissance Effectiveness at the United States Central Command
Jan 20, 2021
Tool
Measuring Intelligence, Surveillance, and Reconnaissance Effectiveness at the United States Central Command: Data Visualization Tool Documentation
Jan 20, 2021
Report
The Internet of Bodies: Opportunities, Risks, and Governance
Oct 29, 2020
Journal Article
Private-Sector Attribution of Cyber Incidents: Benefits and Risks to the U.S. Government
Sep 1, 2020
Report
Operationalizing Cyberspace as a Military Domain: Lessons for NATO
Jun 20, 2019
Journal Article
Content Analysis of Cyber Insurance Policies: How Do Carriers Price Cyber Risk?
Apr 30, 2019
Journal Article
Embracing and Controlling Risk Dependency in Cyber-Insurance Policy Underwriting
2019
Report
Law Enforcement Cyber Center: Final Technical Report
Jan 15, 2018
Journal Article
Understanding Cyber Collateral Damage
2017
Journal Article
Examining the Costs and Causes of Cyber Incidents
Oct 10, 2016
Report
Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information
Apr 14, 2016
Infographic
Data Theft Victims, and Their Response to Breach Notifications
Apr 14, 2016
Report
Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals
Jun 30, 2015