College of Liberal Arts
JOSEPHINE WOLFF’S RESEARCH FOCUSES ON CYBERSECURITY ISSUES THAT LIE AT THE INTERSECTION OF POLICY, LAW, AND ECONOMICS, INVESTIGATING QUESTIONS SUCH AS HOW SHOULD COMPUTER SECURITY BE MEASURED AND WHO SHOULD BE HELD ACCOUNTABLE WHEN CYBERSECURITY INCIDENTS OCCUR. FOR INSTANCE, HER BOOK “YOU’LL SEE THIS MESSAGE WHEN IT IS TOO LATE”: THE LEGAL AND ECONOMIC AFTERMATH OF CYBERSECURITY BREACHES(MIT PRESS, 2018) EXPLORES WHAT HAPPENS AFTER LARGE-SCALE SECURITY BREACHES, INCLUDING RANSOMWARE, ECONOMIC ESPIONAGE, AND DENIAL-OF-SERVICE ATTACKS, COMBING THROUGH CLASS-ACTION LAWSUITS AND FINANCIAL FILINGS TO ESTABLISH WHO ENDS UP PAYING FOR THESE INCIDENTS AND HOW POLICY-MAKERS CAN ADJUST THE INCENTIVES THAT ORGANIZATIONS HAVE TO INVEST IN STRONGER SECURITY MEASURES. SHE RELIES ON A COMBINATION OF LEGAL AND ECONOMIC ANALYSIS, AS WELL AS POLICY ASSESSMENT TOOLS, TO EXPLORE THE IMPACTS OF CYBERSECURITY POLICIES AND THE OPPORTUNITIES FOR SOCIO-TECHNICAL INTERVENTIONS IN COMPUTER SECURITY.
She and MIT economist William Lehr have a joint project, funded by Cisco, to assess the economic impacts of cloud-based data breaches and the role of cyber-insurance in helping organizations manage these risks. Their work has been published in the annual Research Conference on Communications, Information and Internet Policy, as well as the Georgetown Journal of International Affairs. Another area of focus has been the unintended consequences of layering different types of cybersecurity controls together to create defense-in-depth and relying on unsubstantiated notions of “best practice” to guide security instead of strong empirical evidence. This work has been published in the Hawaii International Conference on System Sciences and the Journal of Management Information Systems.
A member of the extended faculty of the Computing Security department, as well as the RIT Center for Cybersecurity, she collaborates regularly with students and colleagues at RIT and has had opportunities to work with collaborators from natural language processing, psychology, human-computer interaction, and business on issues of cybersecurity related to their own fields.
Department of Public Policy