David Thaw

University of Pittsburgh | 3900 Forbes Avenue, Pittsburgh, PA 15260 | dbthaw@gmail.com


Working Papers

  • Redefining Cybersecurity Policy: An Interdisciplinary Approach to System Failures (scholarly book project connecting several threads of empirical scientific research and scholarly analysis to illuminate why cybersecurity presents a complex problem, the necessity of interdisciplinary approaches, how flexible regulation can more effectively address such complex problems, and cybersecurity might teach us about the future of managing complex problems in a globally-interconnected world) (example chapters listed below).

    • Cybersecurity Stovepiping (arguing that disconnects between policymakers and technical experts in lawmaking and rulemaking processes not only fail to produce positive benefits, but may actually undermine the very goals the policy set forth to achieve, using the myth of increased security through complex password requirements as a case study)

    • Redefining Cybersecurity (arguing that current organizational and legal policy approaches to cybersecurity are structurally inferior, focusing on risk prevention when risk management is more effective. This work is part of a larger book proposal planned to include portions of Cybersecurity Stovepiping, The Efficacy of Cybersecurity Regulation, and Enlightened Regulatory Capture as chapters and utilizing empirical data from the Chameleon system)

  • Chameleon Cyber Threat Intelligence Gathering System, Cyber Research Environment Network (CyREN) Laboratory, University of Pittsburgh School of Information Sciences– cybersecurity research project developing a method and system to collect current and prospective cyber threat intelligence data.

    • Honeynet Shortcomings: A Review of Historical Honeynet Approaches and Empirical Challenges (examining the history of honeynet technologies, evaluating the empirical shortcomings of those technologies, and categorizing these past deficiencies with the goal of identifying future improvements).

    • Using Camouflaged Cyber Simulations as a Model to Ensure Validity in Cybersecurity Experimentation (describing the Chameleon Project and formalizing a method and system for collecting real-time, recent, and empirically valid data regarding the nature, scope, and efficacy of methods for remote system compromise by overcoming validity, camouflage, and data capture shortcomings of honeypot implementations).

    • Efficient Defense Allocation: Empirical Examination of the Relative Efficacy of Perimeter Defense Technologies (empirical examination of the hypotheses that (1) remote information security compromises occur as a result of network "perimeter breaches"; and (2) network "perimeter" defense technologies are an efficient/effective methods for preventing the most common types of remote information security compromises).

  • Managing Electoral Cyber Risk (developing a framework for understanding cyber threats to election systems and the legal and technological systems which can address those threats, and arguing that a “hacking” viewpoint of such threats misunderstands the nature of the problem and mitigating unlawful electoral interference must instead be understood and characterized in terms of a comprehensive, integrated legal and technological risk management framework).

  • Ancient Worries and Modern Fears: Different Roots and Common Effects of U.S. and EU Privacy Regulation (arguing that while challenging substantive differences exist between U.S. and EU privacy regimes, because of a shared underlying commitment to avoid the same type of harm – albeit from different actors – a common compliance framework is possible across through the application of Management-Based Regulatory Delegation theory) (with Pierluigi Perri).

  • Disambiguating "Cyber" (arguing for an organized understanding of the often-conflated terms "privacy," "data protection," "cybersecurity," "cybercrime," "cyber warfare," and related terms through the axes of (1) normative versus objective evaluation; and (2) the distinctions among private, public, criminal, and international law).

  • Cybersecurity: An Interdisciplinary Approach (interdisciplinary instructional and reference text covering topics in cybersecurity, cybercrime, cyber conflict, and associated regulatory topics for lawyers, scientists, engineers, policymakers, and business leaders) (with Gus Hurwitz and Derek Bambauer).

Legal Scholarship

A comprehensive list of my publications, presentations, and related work is available in my Curriculum Vitae.