Heinz Student and Faculty Present at Berkeley Security Symposium
Release Date: May 27, 2009
Sasha Romanosky, a PhD student at Carnegie Mellon's H. John Heinz III College, and Heinz College Professor Alessandro Acquisti recently presented new research at a privacy symposium hosted by the Berkeley Law School and the Berkeley Center for Law and Technology. The duo discussed three legal mechanisms policy-makers may employ to reduce harm caused by firms: ex ante safety regulation, ex post liability and information disclosure. The talk highlighted and contrasted the economic efficiencies of these mechanisms as applied to personal data and the costs incurred from breaches of these data.
"Identity theft exhibits a statistical but not identifiable instance of harm, making it difficult for consumers to bring a negligence action against firms that suffer a data breach," said Romanosky. "In this regard, ex ante safety regulation or information disclosure may be a preferred solution."
Romanosky said recent data security policies that impose a minimum standard of care have been criticized because they focus on inputs rather than outputs.
"They enforce encryption or strong authentication because these technologies are believed to prevent data breaches," he said. "However, empirical evidence supporting this is lacking."
This work leverages previous research co-authored with Heinz College Professor Rahul Telang that has attracted interest from the security industry, IT academics and now legal scholars.
The paper will appear in the Fall 2009 edition of the Berkeley Technology Law Journal.
Romanosky, CISSP, holds a Bachelor of Science degree in Electrical Engineering from the University of Calgary, Canada. He has been working with internet and security technologies for over 10 years, predominantly within the financial and e-commerce industries at companies such as Morgan Stanley and eBay. He has co-authored 2 books on security patterns and published other works on the economics of information security. Sasha developed the FoxTor tool for anonymous web browsing and is co-developer of the Common Vulnerability Scoring System (CVSS), an open framework for scoring computer vulnerabilities. He is a member of CMU's CyLab and the Usable Security and Privacy laboratory (CUPS). Sasha is currently a PhD student at the Heinz College, School of Information Systems and Public Policy at Carnegie Mellon University where he researches the Economics of Information Security.
Acquisti is an Assistant Professor of Information Technology and Public Policy at Heinz College and a Research Fellow at the Institute for the Study of Labor (IZA). He is also a member of the CMU Usable Privacy and Security Laboratory, a member of the CMU Privacy Technology Center, and a partner at Carnegie Mellon CyLab. Acquisti's research focuses on what he calls the behavioral economics of privacy — in other words, understanding the trade-offs, the incentives and the behavioral and cognitive biases associated with protecting and revealing personal information.
Photo: Romanosky presenting at the Berkeley Center for Law & Technology.