Sasha Romanosky

sasha romanosky, sasha romanosky
Policy Researcher; Faculty Member, Pardee RAND Graduate School
Washington Office


Ph.D. in public policy and management, Carnegie Mellon University; B.S. in electrical engineering, University of Calgary

Media Resources

This researcher is available for interviews.

To arrange an interview, contact the RAND Office of Media Relations at (310) 451-6913, or email

More Experts


Sasha Romanosky is a policy researcher at the RAND Corporation and a member of the Pardee RAND Graduate School faculty. He researches topics in the economics of security and privacy, information policy, applied microeconomics, and law and economics.

Romanosky has published in the Journal of Policy Analysis and Management, Journal of Empirical Legal Studies, and the Berkeley Technology Law Journal; coauthored two book chapters; and written other works on information security. He was a Microsoft research fellow in the Information Law Institute at New York University and was a security professional for over 10 years within the financial and e-commerce industries at companies such as Morgan Stanley and eBay. He holds a CISSP certification and is co-author of the Common Vulnerability Scoring System (CVSS), an open standard for scoring computer vulnerabilities.

Romanosky holds a Ph.D. in public policy and management from Carnegie Mellon University and a B.S. in electrical engineering from the University of Calgary, Canada.

Selected Publications

Sasha Romanosky, Martin C. Libicki, Zev Winkelman, Olesya Tkacheva, Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals, RAND Corporation (RR-1151-DOS), 2015

Sasha Romanosky, David Hoffman, Alessandro Acquisti, "Empirical Analysis of Data Breach Litigation," Journal of Empirical Legal Studies, 11(1):74-104, 2014

Sasha Romanosky, Alessandro Acquisti, Rahul Telang, "Do Data Breach Disclosure Laws Reduce Identity Theft?" Journal of Policy Analysis and Management, 30(2):256-286, 2011

Sasha Romanosky, Alessandro Acquisti, "Privacy Costs and Personal Data Protection: Economic and Legal Perspectives of Ex Ante Regulation, Ex Post Liability and Information Disclosure," Berkeley Technology Law Journal, 24(3), 2009


  • Cyber illustration of a judge's gavel

    The Future of Cyber Investigations at the FBI Is Unclear

    Evidence presented by the FBI in the case of U.S. v. Jay Michaud was excluded because the agency was unwilling to reveal the software exploit used to collect it. If the FBI exposes its capabilities, other criminals can patch their computers, but concealing its techniques risks the ability to prosecute cyber criminals.

    Aug 24, 2016 Inside Sources

  • Handcuffs on a computer keyboard

    Law Enforcement Cyber Center: A New Internet Resource for Combating Cybercrime

    The Law Enforcement Cyber Center provides vital information and resources to police chiefs, police officers, cybercrime investigators, and prosecutors.

    Aug 11, 2015

  • Network diagram with a lock

    The High Cost of Hacks

    The cyber insurance industry can play a critical role in informing corporations about effective security controls, monitoring the use of those controls, and therefore help reduce the probability and magnitude of breaches. But it may be squandering this opportunity.

    Mar 9, 2015 U.S. News & World Report