Sasha Romanosky

Senior Policy Researcher

Washington Office

Education

Ph.D. in public policy and management, Carnegie Mellon University; B.S. in electrical engineering, University of Calgary

One Page Bio

Media Resources

This researcher is available for interviews.

To arrange an interview, contact the RAND Office of Media Relations at (310) 451-6913, or email media@rand.org.

More Experts

Overview

Sasha Romanosky is a senior policy researcher at the RAND Corporation, an appointed Member of DHS's Data Privacy and Integrity Advisory Committee (DPIAC), and a former cyber policy advisor at the Pentagon in the Office of the Secretary of Defense for Policy (OSDP).

He researches the economics of cyber security, privacy, insurance, cybercrime, and national security. For example, he has examined how insurance companies price cyber risk, and whether a federal reinsurance program is warranted to address catastrophic cyber risks. He examined when firms are more likely to be sued (and settle) for a data breach, and studied the cost of data breaches to understand whether corporate losses are as severe as commonly believed. He is also developing a capability to identify, collect, and apply regression, networking, and natural language processing techniques to federal civil and criminal cases, at scale.

Romanosky was a research fellow in the Information Law Institute at New York University, and a security professional for over 10 years. He is one of the original coauthors of the Common Vulnerability Scoring System (CVSS), an open standard for scoring computer vulnerabilities, and EPSS, the Exploit Prediction Scoring System. While in DoD, he oversaw two of the Department's most critical vulnerability programs, and advised on other matters related to cyber security and cyber policy.

Romanosky holds a Ph.D. in public policy and management from Carnegie Mellon University, and a B.S. in electrical engineering from the University of Calgary, Canada.

Research Focus

Previous Positions

Cyber Policy Advisor, U.S. Department of Defense

Selected Publications

Sasha Romanosky, Lillian Ablon, Andreas Kuehn,Therese Jones, "Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?" Journal of Cybersecurity, 2019 (forthcoming)

Sasha Romanosky, "Cost and Consequences of Cyber Incidents," Journal of Cybersecurity, 2(2), 2016

Sasha Romanosky, Zachary Goldman, "Understanding Cyber Collateral Damage," Journal of National Security Law and Policy, 9(1), 2017

Sasha Romanosky, David Hoffman, Alessandro Acquisti, "Empirical Analysis of Data Breach Litigation," Journal of Empirical Legal Studies, 11(1), 2014

Romanosky, Sasha, Martin C. Libicki, Zev Winkelman, and Olesya Tkacheva, Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals, RAND Corporation (RR-1151-DOS), 2015

Sasha Romanosky, Alessandro Acquisti, Rahul Telang, "Do Data Breach Disclosure Laws Reduce Identity Theft?" Journal of Policy Analysis and Management, 30(2), 2011

Sasha Romanosky, Alessandro Acquisti, "Privacy Costs and Personal Data Protection: Economic and Legal Perspectives of Ex Ante Regulation, Ex Post Liability and Information Disclosure," Berkeley Technology Law Journal, 24(3), 2009

Honors & Awards

Defense Medal for Exceptional Public Service, Department of Defense

Commentary

Cybersecurity

Software Supply Chain Risk Is Growing, but Mitigation Solutions Exist
Software supply chain security has emerged as a leading risk because of the massively fragmented and decentralized nature of modern software development. While we still have much to learn as a community about this risk, there are concrete steps we can take to better understand and mitigate it.
Jan 26, 2023
The Hill
Cybersecurity

Developing an Objective, Repeatable Scoring System for a Vulnerability Equities Process
If governments seek to create an objective framework for decision making about whether or when to disclose software vulnerabilities, what might that look like? What questions should be included, how should they influence the outcome and how can one interpret the results?
Feb 5, 2019
Lawfare
Security Cooperation

It's Time for the International Community to Get Serious About Vulnerability Equities
Multiple countries around the world are likely discovering, retaining and exploiting zero-day vulnerabilities without a process to properly consider the trade-offs. This needs to change. It’s time for the international community to get serious about vulnerability equities.
Nov 15, 2017
Lawfare
Cybersecurity

The Equifax Breach: Yawn, or Yikes?
In cases where personal information is exposed, such as the Equifax data breach, it is critical that consumers take steps to ensure their information is not abused. The simplest and perhaps the most effective way to enhance personal digital security is to protect account credentials using password management software.
Nov 3, 2017
Inside Sources
Cybercrime

The Future of Cyber Investigations at the FBI Is Unclear
Evidence presented by the FBI in the case of U.S. v. Jay Michaud was excluded because the agency was unwilling to reveal the software exploit used to collect it. If the FBI exposes its capabilities, other criminals can patch their computers, but concealing its techniques risks the ability to prosecute cyber criminals.
Aug 24, 2016
Inside Sources
Cybercrime

Law Enforcement Cyber Center: A New Internet Resource for Combating Cybercrime
The Law Enforcement Cyber Center provides vital information and resources to police chiefs, police officers, cybercrime investigators, and prosecutors.
Aug 11, 2015
The High Cost of Hacks
The cyber insurance industry can play a critical role in informing corporations about effective security controls, monitoring the use of those controls, and therefore help reduce the probability and magnitude of breaches. But it may be squandering this opportunity.
Mar 9, 2015
U.S. News & World Report

Publications

Report
Identifying and Prioritizing Systemically Important Entities: Advancing Critical Infrastructure Security and Resilience
This report helps the Cybersecurity and Infrastructure Security Agency codify the concept of systemically important critical infrastructure by documenting the work surrounding systemic risks and cyber risks in software supply chains.
Nov 20, 2023
Report
Cyberstalking: A Growing Challenge for the U.S. Legal System
The authors enhance the understanding of cyberstalking by offering the first empirical analysis on federal cyberstalking cases. The results of in-depth interviews with law enforcement, prosecutors, and victims' advocacy groups are also presented.
Jun 29, 2023
Journal Article
Enterprise Risk Management: How Do Firms Integrate Cyber Risk?
Cyber risk has attracted boardroom-level attention. However, many cyber incidents cost companies less than 1% of annual revenues. Therefore, we examine how companies integrate cyber risk into their enterprise risk management practices.
May 26, 2023
Report
Comparison of Public and Private Sector Cybersecurity and IT Workforces
The authors develop a common taxonomy based on work roles, key tasks, and responsibilities to examine the proportion of cybersecurity and information technology work roles, workers' salaries, and demand across private and public sectors.
Feb 7, 2023
Report
Support to the DoD Cyber Workforce Zero-Based Review: Developing a Repeatable Process for Conducting ZBRs Within DoD
The zero-based review (ZBR) process described in this report constitutes a transparent, repeatable process with which the U.S. Department of Defense (DoD) can conduct future ZBRs across the DoD cyber enterprise.
Sep 19, 2022
Report
Identifying Critical IT Products and Services
Researchers have identified the software and businesses that provide critical information technology products and services and developed a framework to continue this analysis as technology evolves. They assessed both software risk and business risk.
Jul 6, 2022
Commentary
Disclosure of Software Supply Chain Risks
This Perspective presents a set of proposed disclosure rules that the U.S. Securities and Exchange Commission could implement to help address software supply chain risks and improve security.
May 26, 2022
Report
Measuring Intelligence, Surveillance, and Reconnaissance Effectiveness at the United States Central Command
The authors developed a repeatable process to measure the effectiveness of U.S. Central Command intelligence, surveillance, and reconnaissance operations; evaluate current performance; and plan for, influence, and resource future operations.
Jan 20, 2021
Tool
Measuring Intelligence, Surveillance, and Reconnaissance Effectiveness at the United States Central Command: Data Visualization Tool Documentation
The authors used Tableau to create a visualization tool that allows U.S. Central Command (CENTCOM) to display the performance and effectiveness of its support to intelligence, surveillance, and reconnaissance (ISR) roles, sub-roles, and activities.
Jan 20, 2021
Report
The Internet of Bodies: Opportunities, Risks, and Governance
"Smart" devices are increasingly being used to monitor the human body. The authors examine these technologies; explore benefits, risks, and ethical implications; survey the regulatory landscape; and make recommendations to balance risks and rewards.
Oct 29, 2020
Journal Article
Private-Sector Attribution of Cyber Incidents: Benefits and Risks to the U.S. Government
This article addresses four questions on the relationship of private sector cyberintelligence companies with the U.S. Government.
Sep 1, 2020
Commentary
Operationalizing Cyberspace as a Military Domain: Lessons for NATO
The authors of this Perspective discuss current efforts by the North Atlantic Treaty Organization (NATO) to integrate cyberspace as an operational domain, including a focus on indications and warning and adapting a framework for the NATO context.
Jun 20, 2019
Journal Article
Content Analysis of Cyber Insurance Policies: How Do Carriers Price Cyber Risk?
Thousands of data breaches occur each year with some costing millions of dollars. Consequently, cyber insurance has grown rapidly in the past decade. In this research, we conduct the first rigorous qualitative study of actual insurance policies.
Apr 30, 2019
Journal Article
Embracing and Controlling Risk Dependency in Cyber-Insurance Policy Underwriting
This article highlights how cyber risk dependencies can be taken into consideration when underwriting cyber-insurance policies.
2019
Report
Law Enforcement Cyber Center: Final Technical Report
Cybercrime is a challenge for local and state law enforcement. The Law Enforcement Cyber Center (LECC) was established to provide a resource to combat cybercrime. This report summarizes the LECC's activities and provides recommendations.
Jan 15, 2018
Journal Article
Understanding Cyber Collateral Damage
We leverage existing collateral damage methodologies in order to explore methods for assessing collateral damage from cyber incidents.
2017
Journal Article
Examining the Costs and Causes of Cyber Incidents
This research seeks to examine the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack.
Oct 10, 2016
Report
Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information
This report sets out the results of a study of consumer attitudes toward data breaches, notifications of those breaches, and company responses to such events.
Apr 14, 2016
Infographic
Data Theft Victims, and Their Response to Breach Notifications
This infographic highlights the results of a study of consumer attitudes toward data breaches, notifications of those breaches, and company responses to such events.
Apr 14, 2016
Report
Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals
Examines the portfolio of tools funded by the State Department's Bureau of Democracy, Human Rights, and Labor that help support Internet freedom and assesses the impact of these tools in promoting U.S. interests without enabling criminal activity.
Jun 30, 2015