George Mason University Antonin Scalia Law School

Episode 2: Sasha Romanosky shares his thoughts on cybersecurity with James C. Cooper.

Sasha Romanosky is a senior policy researcher at the RAND Corporation and a former cyber policy advisor at the Pentagon in the Office of the Secretary of Defense for Policy (OSDP). He researches the economics of security and privacy, national security, applied microeconomics, and law and economics. For example, he has examined whether data breach notification laws reduced consumer identity theft, when and how firms are more likely to be sued when they suffer a data breach, and when they’re more likely to settle. He studied the cost of data breaches in order to understand whether corporate losses are really as severe as is commonly believed, and he collected a dataset of cyber insurance policies to examine how insurance carriers measure and price cyber risk. He has also studied private sector attribution of cyber incidents and their impact on law enforcement and the intelligence community. Romanosky was a research fellow in the Information Law Institute at New York University, and a security professional for over 10 years. He is one of the original coauthors of the Common Vulnerability Scoring System (CVSS), an open standard for scoring computer vulnerabilities, and of EPSS, the Exploit Prediction Scoring System. While in DoD, he oversaw two of the Department’s most critical vulnerability programs and advised on other matters related to cybersecurity and cyber policy. Romanosky holds a Ph.D. in public policy and management from Carnegie Mellon University and a B.S. in electrical engineering from the University of Calgary, Canada.