Sasha Romanosky

Senior Policy Researcher

Washington Office

Education

Ph.D. in public policy and management, Carnegie Mellon University; B.S. in electrical engineering, University of Calgary

One Page Bio

Media Resources

This researcher is available for interviews.

To arrange an interview, contact the RAND Office of Media Relations at (310) 451-6913, or email media@rand.org.

More Experts

Overview

Sasha Romanosky is a senior policy researcher at the RAND Corporation, and former cyber policy advisor at the Pentagon in the Office of the Secretary of Defense for Policy (OSDP).

He researches the economics of security and privacy, national security, applied microeconomics, and law and economics. For example, he has examined whether data breach notification laws reduced consumer identity theft; when and how firms are more likely to be sued when they suffer a data breach, and when they’re more likely to settle. He studied the cost of data breaches in order to understand whether corporate losses are really as severe as is commonly believed, and he collected a dataset of cyber insurance policies to examine how insurance carriers measure and price cyber risk. He has also studied private sector attribution of cyber incidents, and their impact to law enforcement, and the intelligence community.

Romanosky was a research fellow in the Information Law Institute at New York University, and a security professional for over 10 years. He is one of the original coauthors of the Common Vulnerability Scoring System (CVSS), an open standard for scoring computer vulnerabilities, and EPSS, the Exploit Prediction Scoring System. While in DoD, he oversaw two of the Department's most critical vulnerability programs, and advised on other matters related to cyber security and cyber policy.

Romanosky holds a Ph.D. in public policy and management from Carnegie Mellon University, and a B.S. in electrical engineering from the University of Calgary, Canada.

Research Focus

Previous Positions

Cyber Policy Advisor, U.S. Department of Defense

Selected Publications

Sasha Romanosky, Lillian Ablon, Andreas Kuehn,Therese Jones, "Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?" Journal of Cybersecurity, 2019 (forthcoming)

Sasha Romanosky, "Cost and Consequences of Cyber Incidents," Journal of Cybersecurity, 2(2), 2016

Sasha Romanosky, Zachary Goldman, "Understanding Cyber Collateral Damage," Journal of National Security Law and Policy, 9(1), 2017

Sasha Romanosky, David Hoffman, Alessandro Acquisti, "Empirical Analysis of Data Breach Litigation," Journal of Empirical Legal Studies, 11(1), 2014

Sasha Romanosky, Martin C. Libicki, Zev Winkelman, Olesya Tkacheva, Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals, RAND Corporation (RR-1151-DOS), 2015

Sasha Romanosky, Alessandro Acquisti, Rahul Telang, "Do Data Breach Disclosure Laws Reduce Identity Theft?" Journal of Policy Analysis and Management, 30(2), 2011

Sasha Romanosky, Alessandro Acquisti, "Privacy Costs and Personal Data Protection: Economic and Legal Perspectives of Ex Ante Regulation, Ex Post Liability and Information Disclosure," Berkeley Technology Law Journal, 24(3), 2009

Honors & Awards

Defense Medal for Exceptional Public Service, Department of Defense

Commentary

Developing an Objective, Repeatable Scoring System for a Vulnerability Equities Process
If governments seek to create an objective framework for decision making about whether or when to disclose software vulnerabilities, what might that look like? What questions should be included, how should they influence the outcome and how can one interpret the results?
Feb 5, 2019 Lawfare
It's Time for the International Community to Get Serious About Vulnerability Equities
Multiple countries around the world are likely discovering, retaining and exploiting zero-day vulnerabilities without a process to properly consider the trade-offs. This needs to change. It’s time for the international community to get serious about vulnerability equities.
Nov 15, 2017 Lawfare
The Equifax Breach: Yawn, or Yikes?
In cases where personal information is exposed, such as the Equifax data breach, it is critical that consumers take steps to ensure their information is not abused. The simplest and perhaps the most effective way to enhance personal digital security is to protect account credentials using password management software.
Nov 3, 2017 Inside Sources
The Future of Cyber Investigations at the FBI Is Unclear
Evidence presented by the FBI in the case of U.S. v. Jay Michaud was excluded because the agency was unwilling to reveal the software exploit used to collect it. If the FBI exposes its capabilities, other criminals can patch their computers, but concealing its techniques risks the ability to prosecute cyber criminals.
Aug 24, 2016 Inside Sources
Law Enforcement Cyber Center: A New Internet Resource for Combating Cybercrime
The Law Enforcement Cyber Center provides vital information and resources to police chiefs, police officers, cybercrime investigators, and prosecutors.
Aug 11, 2015
The High Cost of Hacks
The cyber insurance industry can play a critical role in informing corporations about effective security controls, monitoring the use of those controls, and therefore help reduce the probability and magnitude of breaches. But it may be squandering this opportunity.
Mar 9, 2015 U.S. News & World Report

Publications

Report
Measuring Intelligence, Surveillance, and Reconnaissance Effectiveness at the United States Central Command
The authors developed a repeatable process to measure the effectiveness of U.S. Central Command intelligence, surveillance, and reconnaissance operations; evaluate current performance; and plan for, influence, and resource future operations.
Jan 20, 2021
Tool
Measuring Intelligence, Surveillance, and Reconnaissance Effectiveness at the United States Central Command: Data Visualization Tool Documentation
The authors used Tableau to create a visualization tool that allows U.S. Central Command (CENTCOM) to display the performance and effectiveness of its support to intelligence, surveillance, and reconnaissance (ISR) roles, sub-roles, and activities.
Jan 20, 2021
Report
The Internet of Bodies: Opportunities, Risks, and Governance
"Smart" devices are increasingly being used to monitor the human body. The authors examine these technologies; explore benefits, risks, and ethical implications; survey the regulatory landscape; and make recommendations to balance risks and rewards.
Oct 29, 2020
Journal Article
Private-Sector Attribution of Cyber Incidents: Benefits and Risks to the U.S. Government
This article addresses four questions on the relationship of private sector cyberintelligence companies with the U.S. Government.
Sep 1, 2020
Journal Article
Embracing and Controlling Risk Dependency in Cyber-Insurance Policy Underwriting
This article highlights how cyber risk dependencies can be taken into consideration when underwriting cyber-insurance policies.
Jan 14, 2020
Report
Operationalizing Cyberspace as a Military Domain: Lessons for NATO
The authors of this Perspective discuss current efforts by the North Atlantic Treaty Organization (NATO) to integrate cyberspace as an operational domain, including a focus on indications and warning and adapting a framework for the NATO context.
Jun 20, 2019
Journal Article
Understanding Cyber Collateral Damage
We leverage existing collateral damage methodologies in order to explore methods for assessing collateral damage from cyber incidents.
May 2, 2019
Journal Article
Content Analysis of Cyber Insurance Policies: How Do Carriers Price Cyber Risk?
Thousands of data breaches occur each year with some costing millions of dollars. Consequently, cyber insurance has grown rapidly in the past decade. In this research, we conduct the first rigorous qualitative study of actual insurance policies.
Apr 30, 2019
Report
Law Enforcement Cyber Center: Final Technical Report
Cybercrime is a challenge for local and state law enforcement. The Law Enforcement Cyber Center (LECC) was established to provide a resource to combat cybercrime. This report summarizes the LECC's activities and provides recommendations.
Jan 15, 2018
Journal Article
Examining the Costs and Causes of Cyber Incidents
This research seeks to examine the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack.
Oct 10, 2016
Report
Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information
This report sets out the results of a study of consumer attitudes toward data breaches, notifications of those breaches, and company responses to such events.
Apr 14, 2016
Infographic
Data Theft Victims, and Their Response to Breach Notifications
This infographic highlights the results of a study of consumer attitudes toward data breaches, notifications of those breaches, and company responses to such events.
Apr 14, 2016
Report
Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals
Examines the portfolio of tools funded by the State Department's Bureau of Democracy, Human Rights, and Labor that help support Internet freedom and assesses the impact of these tools in promoting U.S. interests without enabling criminal activity.
Jun 30, 2015