Sasha Romanosky

Photo of Sasha Romanosky
Senior Policy Researcher
Washington Office


Ph.D. in public policy and management, Carnegie Mellon University; B.S. in electrical engineering, University of Calgary

Media Resources

This researcher is available for interviews.

To arrange an interview, contact the RAND Office of Media Relations at (310) 451-6913, or email

More Experts


Sasha Romanosky is a senior policy researcher at the RAND Corporation, an appointed Member of the Data Privacy and Integrity Advisory Committee (DPIAC) at the Department of Homeland Security, and a former cyber policy advisor at the Pentagon in the Office of the Secretary of Defense for Policy (OSDP).

He researches  the economics of cyber security, privacy, and national security. For example, he has examined whether data breach notification laws reduced consumer identity theft, and when firms are more likely to be sued (and settle) when they suffer a data breach. He studied the cost of data breaches in order to understand whether corporate losses are really as severe as is commonly believed, and he collected a dataset of cyber insurance policies to examine how insurance carriers price cyber risk. He has also studied private sector attribution of cyber incidents, and their impact to law enforcement, and the intelligence community.  

Romanosky was a research fellow in the Information Law Institute at New York University, and a security professional for over 10 years. He is one of the original coauthors of the Common Vulnerability Scoring System (CVSS), an open standard for scoring computer vulnerabilities, and EPSS, the Exploit Prediction Scoring System. While in DoD, he oversaw two of the Department's most critical vulnerability programs, and advised on other matters related to cyber security and cyber policy.

Romanosky holds a Ph.D. in public policy and management from Carnegie Mellon University, and a B.S. in electrical engineering from the University of Calgary, Canada.

Previous Positions

Cyber Policy Advisor, U.S. Department of Defense

Selected Publications

Sasha Romanosky, Lillian Ablon, Andreas Kuehn,Therese Jones, "Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?" Journal of Cybersecurity, 2019 (forthcoming)

Sasha Romanosky, "Cost and Consequences of Cyber Incidents," Journal of Cybersecurity, 2(2), 2016

Sasha Romanosky, Zachary Goldman, "Understanding Cyber Collateral Damage," Journal of National Security Law and Policy, 9(1), 2017

Sasha Romanosky, David Hoffman, Alessandro Acquisti, "Empirical Analysis of Data Breach Litigation," Journal of Empirical Legal Studies, 11(1), 2014

Sasha Romanosky, Martin C. Libicki, Zev Winkelman, Olesya Tkacheva, Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals, RAND Corporation (RR-1151-DOS), 2015

Sasha Romanosky, Alessandro Acquisti, Rahul Telang, "Do Data Breach Disclosure Laws Reduce Identity Theft?" Journal of Policy Analysis and Management, 30(2), 2011

Sasha Romanosky, Alessandro Acquisti, "Privacy Costs and Personal Data Protection: Economic and Legal Perspectives of Ex Ante Regulation, Ex Post Liability and Information Disclosure," Berkeley Technology Law Journal, 24(3), 2009

Honors & Awards

  • Defense Medal for Exceptional Public Service, Department of Defense


  • Hawaii Air National Guardsmen evaluate network vulnerabilities during the Po’oihe 2015 Cyber Security Exercise at the University of Hawaii Manoa Campus, Honolulu, HI, June 4, 2015, photo by Airman 1st Class Robert Cabuco/Hawaii Air National Guard

    Developing an Objective, Repeatable Scoring System for a Vulnerability Equities Process

    If governments seek to create an objective framework for decision making about whether or when to disclose software vulnerabilities, what might that look like? What questions should be included, how should they influence the outcome and how can one interpret the results?

    Feb 5, 2019 Lawfare

  • Computer hacker with magnifying glass

    It's Time for the International Community to Get Serious About Vulnerability Equities

    Multiple countries around the world are likely discovering, retaining and exploiting zero-day vulnerabilities without a process to properly consider the trade-offs. This needs to change. It’s time for the international community to get serious about vulnerability equities.

    Nov 15, 2017 Lawfare

  • Trading information about Equifax and the company logo are displayed on a screen on the floor of the New York Stock Exchange, September 8, 2017

    The Equifax Breach: Yawn, or Yikes?

    In cases where personal information is exposed, such as the Equifax data breach, it is critical that consumers take steps to ensure their information is not abused. The simplest and perhaps the most effective way to enhance personal digital security is to protect account credentials using password management software.

    Nov 3, 2017 Inside Sources

  • Cyber illustration of a judge's gavel

    The Future of Cyber Investigations at the FBI Is Unclear

    Evidence presented by the FBI in the case of U.S. v. Jay Michaud was excluded because the agency was unwilling to reveal the software exploit used to collect it. If the FBI exposes its capabilities, other criminals can patch their computers, but concealing its techniques risks the ability to prosecute cyber criminals.

    Aug 24, 2016 Inside Sources

  • Handcuffs on a computer keyboard

    Law Enforcement Cyber Center: A New Internet Resource for Combating Cybercrime

    The Law Enforcement Cyber Center provides vital information and resources to police chiefs, police officers, cybercrime investigators, and prosecutors.

    Aug 11, 2015

  • Network diagram with a lock

    The High Cost of Hacks

    The cyber insurance industry can play a critical role in informing corporations about effective security controls, monitoring the use of those controls, and therefore help reduce the probability and magnitude of breaches. But it may be squandering this opportunity.

    Mar 9, 2015 U.S. News & World Report