Professor Thaw’s research focuses on understanding the relationship between law, technology, and policy. His primary work studies cybersecurity, and he also studies privacy, computer crime, and cyber warfare. Dr. Thaw uses scientific empirical research to inform legal and policy scholarship aimed at improving the state of information security practice. By integrating empirical design and scientific method directly into his policy scholarship, David’s work seeks to improve the efficacy of cybersecurity policymaking through evidence-based approaches.
David’s current projects include the CyREN laboratory, his scholarly book project Redefining Cybersecurity Policy, and a co-authored textbook Cybersecurity: An Interdisciplinary Approach (with Gus Hurwitz and Derek Bambauer; instructor evaluation copies available upon request).
A more detailed statement of his current research follows.
My research utilizes tools of empirical science to examine questions of law and technology. I am most interested in how the regulatory tools of the administrative state and criminal law influence individuals’ experiences and influence social constructs in the Information Age. This work also intersects with topics in international and comparative law, particularly as the technologically interconnected nature of human experience increasingly transcends traditional physical and political boundaries. My empirical and scientific work also led me to found the CyREN Laboratory at the University of Pittsburgh, which conducts scientific research directly on cybersecurity and other emerging law and technology topics.
Building upon the foundations of regulatory studies, criminal law, and empirical science, I use interdisciplinary methods throughout my legal scholarship. My scholarly book project, Redefining Cybersecurity Policy, argues that systemic failures of cybersecurity regulatory efficacy result in large part from a lack of attention to the interdisciplinary aspects (and therefore vulnerabilities) of complex systems of human interaction. By relying too heavily on traditional theoretical models of completeness, I argue, the cybersecurity policies currently in use are too rigid and provide adversaries with roadmaps for attack. My research suggests that more flexible forms of regulation are superior for addressing cybersecurity and similar classes of complex problems in our highly interconnected society.
This study of flexible regulation, which traces back to my Ph.D. dissertation examining cybersecurity practices in large organizations in the mid/late 2000s, has led to my most recent project, which examines cyber threats to the electoral process. In a work-in-progress tentatively titled Managing Electoral Cyber Risk, I examine the means by which elections can be unlawfully influenced, the legal and technological systems in place to prevent such unlawful influence, and the limitations of those systems. The Article argues that current discussions are likely to continue two (failing) approaches found in other areas of cybersecurity: (1) a desire for a technological “silver bullet” solution; and (2) the creation of checklists to implement such solutions and “prevent” or “solve” the problem. These failures suggest the conclusion, I argue, that cyber threats to the electoral process must be addressed in the context of a comprehensive risk management framework addressing aspects of criminal, international, administrative, and election law in addition to multiple concurrent technological considerations.
This work follows from my earlier papers, The Efficacy of Cybersecurity Regulation and Enlightened Regulatory Capture, both of which use empirical methods to inform scholarly analysis of regulatory effectiveness. The Efficacy of Cybersecurity Regulation reports results of several years’ mixed-methods research examining the cybersecurity practices “on the ground” of large U.S.-based organizations. Qualitative interviews of Chief Information Security Officers (CISOs) in the late 2000s inform quantitative analysis of comprehensive data breach incidence throughout that decade, and reveal that the healthcare and finance sectors performed substantially better at preventing certain data breaches than did all other sectors after controlling for other variables. This result, combined with reports from CISOs of their direct experiences with various regulations, suggests the hypothesis that more flexible forms of regulation are more effective at achieving cybersecurity goals.
In Enlightened Regulatory Capture, I develop this hypothesis, conducting an in-depth qualitative examination of the rulemaking process for the healthcare-specific cybersecurity regulations in HIPAA, which reveals a unique policymaking process that resulted in a highly flexible regulatory framework I call Federated Regulation (originally Management-Based Regulation). I conclude from this analysis and earlier work on comparative efficacy that flexible forms of regulation focusing on risk management, as opposed to risk prevention, are superior for highly heterogeneous and interconnected regulatory environments like cybersecurity.
In my forthcoming piece Cybersecurity Stovepiping, I examine a classic “directive” regulatory command in cybersecurity – the requirement for users to have complex, difficult-to-remember passwords. Using scientific analysis and tracing the history of those particular regulatory requirements, I demonstrate that this requirement has little (if any) basis in scientific theory or empirical evidence. In fact, my analysis demonstrates, the potential harms created by complex passwords vastly outweigh any slight marginal protective benefit such rules afford. This lack of a risk management-oriented framework may explain why computer security experts failed for nearly 40 years to overcome policy entrenchment and convince policymakers to eliminate password complexity requirements, which were an incorrect application of late 1970s scientific theory. (In fact, it was not until May 2017 that the National Institute of Standards and Technology finally reversed this position and recommended against complex passwords, effectively recognizing they were not a technological “silver bullet.”) This conclusion is a key driver of my examination in Managing Electoral Cyber Risk, and is the central theme of Redefining Cybersecurity Policy.
In addition to my core cybersecurity regulatory work, my scholarship also examines privacy theory in pieces such as Surveillance at the Source and the intersection of privacy, regulatory theory, and comparative and international law in Ancient Worries and Modern Fears. I also write on doctrinal matters in computer crime law, such as Criminalizing Hacking, Not Dating and a planned follow-on Article based on the work of Jim Graves, a Ph.D. candidate at Carnegie Mellon University, on whose committee I serve. Jim’s dissertation, among other things, empirically compares perceptions of the severity and other aspects of traditionally “similar” online and offline crimes. The results of his work suggest that classic analogies of computer crime to the physical world are flawed, and this flaw reveals possible solutions for resolving a long-standing doctrinal challenge in federal computer crime law.