Sasha Romanosky is a senior policy researcher at the RAND Corporation, an appointed Member of the Data Privacy and Integrity Advisory Committee (DPIAC) at the Department of Homeland Security, and a former cyber policy advisor at the Pentagon in the Office of the Secretary of Defense for Policy (OSDP).
He researches the economics of cyber security, privacy, and national security. For example, he has examined whether data breach notification laws reduced consumer identity theft, and when firms are more likely to be sued (and settle) when they suffer a data breach. He studied the cost of data breaches in order to understand whether corporate losses are really as severe as is commonly believed, and he collected a dataset of cyber insurance policies to examine how insurance carriers price cyber risk. He has also studied private sector attribution of cyber incidents, and their impact to law enforcement, and the intelligence community.
Romanosky was a research fellow in the Information Law Institute at New York University, and a security professional for over 10 years. He is one of the original coauthors of the Common Vulnerability Scoring System (CVSS), an open standard for scoring computer vulnerabilities, and EPSS, the Exploit Prediction Scoring System. While in DoD, he oversaw two of the Department's most critical vulnerability programs, and advised on other matters related to cyber security and cyber policy.
Romanosky holds a Ph.D. in public policy and management from Carnegie Mellon University, and a B.S. in electrical engineering from the University of Calgary, Canada.
Selected Publications
Sasha Romanosky, Lillian Ablon, Andreas Kuehn,Therese Jones, "Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?" Journal of Cybersecurity, 2019 (forthcoming)
Sasha Romanosky, "Cost and Consequences of Cyber Incidents," Journal of Cybersecurity, 2(2), 2016
Sasha Romanosky, Zachary Goldman, "Understanding Cyber Collateral Damage," Journal of National Security Law and Policy, 9(1), 2017
Sasha Romanosky, David Hoffman, Alessandro Acquisti, "Empirical Analysis of Data Breach Litigation," Journal of Empirical Legal Studies, 11(1), 2014
Romanosky, Sasha, Martin C. Libicki, Zev Winkelman, and Olesya Tkacheva, Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals, RAND Corporation (RR-1151-DOS), 2015
Sasha Romanosky, Alessandro Acquisti, Rahul Telang, "Do Data Breach Disclosure Laws Reduce Identity Theft?" Journal of Policy Analysis and Management, 30(2), 2011
Sasha Romanosky, Alessandro Acquisti, "Privacy Costs and Personal Data Protection: Economic and Legal Perspectives of Ex Ante Regulation, Ex Post Liability and Information Disclosure," Berkeley Technology Law Journal, 24(3), 2009