University of Pittsburgh | 3900 Forbes Avenue, Pittsburgh, PA 15260 | email@example.com
Redefining Cybersecurity Policy: An Interdisciplinary Approach to System Failures (scholarly book project connecting several threads of empirical scientific research and scholarly analysis to illuminate why cybersecurity presents a complex problem, the necessity of interdisciplinary approaches, how flexible regulation can more effectively address such complex problems, and cybersecurity might teach us about the future of managing complex problems in a globally-interconnected world) (example chapters listed below).
Cybersecurity Stovepiping (arguing that disconnects between policymakers and technical experts in lawmaking and rulemaking processes not only fail to produce positive benefits, but may actually undermine the very goals the policy set forth to achieve, using the myth of increased security through complex password requirements as a case study)
Chameleon Cyber Threat Intelligence Gathering System, Cyber Research Environment Network (CyREN) Laboratory, University of Pittsburgh School of Information Sciences– cybersecurity research project developing a method and system to collect current and prospective cyber threat intelligence data.
Honeynet Shortcomings: A Review of Historical Honeynet Approaches and Empirical Challenges (examining the history of honeynet technologies, evaluating the empirical shortcomings of those technologies, and categorizing these past deficiencies with the goal of identifying future improvements).
Using Camouflaged Cyber Simulations as a Model to Ensure Validity in Cybersecurity Experimentation (describing the Chameleon Project and formalizing a method and system for collecting real-time, recent, and empirically valid data regarding the nature, scope, and efficacy of methods for remote system compromise by overcoming validity, camouflage, and data capture shortcomings of honeypot implementations).
Efficient Defense Allocation: Empirical Examination of the Relative Efficacy of Perimeter Defense Technologies (empirical examination of the hypotheses that (1) remote information security compromises occur as a result of network "perimeter breaches"; and (2) network "perimeter" defense technologies are an efficient/effective methods for preventing the most common types of remote information security compromises).
Managing Electoral Cyber Risk (developing a framework for understanding cyber threats to election systems and the legal and technological systems which can address those threats, and arguing that a “hacking” viewpoint of such threats misunderstands the nature of the problem and mitigating unlawful electoral interference must instead be understood and characterized in terms of a comprehensive, integrated legal and technological risk management framework).
Disambiguating "Cyber" (arguing for an organized understanding of the often-conflated terms "privacy," "data protection," "cybersecurity," "cybercrime," "cyber warfare," and related terms through the axes of (1) normative versus objective evaluation; and (2) the distinctions among private, public, criminal, and international law).
Cybersecurity: An Interdisciplinary Approach (interdisciplinary instructional and reference text covering topics in cybersecurity, cybercrime, cyber conflict, and associated regulatory topics for lawyers, scientists, engineers, policymakers, and business leaders) (with Gus Hurwitz and Derek Bambauer).
Surveillance at the Source, 103 Ky. L. J. 405 (2015) (discussing the comparative lack of attention in privacy scholarship to mass surveillance by private parties as compared to that by Government entities, and arguing that in contemporary society, given that private mass surveillance is a predicate to Government surveillance, mass surveillance scholarship should specifically include the proverbial and literal "source" of the data).
Enlightened Regulatory Capture, 89 Wash. L. Rev. 329 (2014) (examining the history of the HIPAA Security Rule and arguing that its development reveals a unique, but potentially-replicable, circumstance under which public and private interests can be aligned under proper conditions to leverage regulatory capture to engage private expertise in service of public goals, using cybersecurity as an example).
The Efficacy of Cybersecurity Regulation, 30 Ga. St. U. L. Rev. 287 (2014) (presenting empirical evidence comparing the efficacy of directive regulation versus flexible regulation, and determining that flexible forms of regulation were substantially more effective at preventing certain types of data breaches than was directive regulation alone for the first decade such laws were in effect. This evidence is cross-validated with interviews of Chief Information Security Officers (CISOs) discussing their impressions "on-the-ground" of the impact of these laws and regulations on their organizations' security practices).
Criminalizing Hacking, Not Dating: Reconstructing the CFAA Intent Requirement, 103 J. Of Crim. L. & Criminology 907 (2013) (arguing that interpretations of the Computer Fraud and Abuse Act (CFAA) broadly allowing Terms-of-Service to define authorized access are overclusive, but that interpretations fully precluding such definitions are underinclusive, and suggesting that any resolution to this debate must accommodate some ability for system operators to define authorization through written language because the deterministic nature of technological "locks" inevitably will prevent such locks from precluding all activity a system owner might lawfully wish to preclude and against which the criminal law is the only reasonable deterrent).