Andy Ozment

Andy Ozment has worked in technology risk and cybersecurity in the government, academia, and the private sector. He has been an operator, technologist, policymaker, and executive. Andy is currently the Chief Technology Risk Officer at Capital One. He has previously been a partner and Chief Information Security Officer (CISO) at Goldman Sachs. He also served as Assistant Secretary for Cybersecurity at the Department of Homeland Security (DHS) and the deputy cyber czar at the Obama White House. Prior to joining the government, Andy researched the economics of computer security and security usability at MIT Lincoln Laboratory. While on a Marshall Scholarship, he earned a computer science PhD from the University of Cambridge and a master's in international relations from the LSE. Andy earned a bachelor's in computer science from Georgia Tech.

Congressional Testimony

House Committee On Oversight And Government Reform, Subcommittee On Information Technology. September 28, 2016. "Cybersecurity: Ensuring the Integrity of the Ballot Box" Hearing page. C-Span Video. Written statement.

House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. July 12, 2016. "Value of DHS' Vulnerability Assessments in Protecting our Nation's Critical Infrastructure." Hearing page. Written statement.

House Committee On Oversight And Government Reform, Subcommittee On Information Technology. April 20, 2016. "Federal Cybersecurity Detection, Response, and Mitigation" Hearing page. GPO documentation. Written statement.

Senate Committee on Homeland Security and Government Affairs. June 25, 2015. "Under Attack: Federal Cybersecurity and the OPM Data Breach." Hearing page. Video. Written statement.

House Homeland Security Committee, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. June 24, 2015. "DHS' Efforts to Secure .Gov". Hearing page. Written statement.

House Oversight and Government Reform Committee. June 16, 2015. "OPM Data Breach". Hearing Page. C-Span Video. Written statement.

Senate Committee on Appropriations, Subcommittee on Homeland Security. April 15, 2015. "Homeland Security Subcommittee Hearing: From Protection to Partnership: Funding the DHS Role in Cybersecurity" Hearing Page. Written statement.

House Homeland Security Committee, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. February 12, 2015. "Emerging Threats and Technologies to Protect the Homeland." Hearing Page. Written statement.

Miscellaneous Publications

Rich Bennett, Craig Callahan, Stacy Jones, Matt Levine, Merrill Miller, and Andy Ozment. "How to Live in a Post-Meltdown and -Spectre World." ACM Queue. September 25, 2018. [html] [pdf]

Ross Anderson, Tyler Moore, Shishir Nagaraja, and Andy Ozment. "Incentives and Information Security in Networks." In Algorithmic Game Theory. Edited by Noam Nisan, Tim Roughgarden, Eva Tardos, and Vijay Vazirani. Cambridge University Press. To be published in 2007.

Refereed Publications

Andy Ozment. "Improving Vulnerability Discovery Models: Problems with Definitions and Assumptions." In the proceedings of the Third Workshop on Quality of Protection (QoP'07). October 29, 2007: Alexandria, VA, USA. [pdf]

Andy Ozment. "Vulnerability Discovery and Software Security." Ph.D. Dissertation. October 9, 2007: University of Cambridge Computer Laboratory, Cambridge, UK. [pdf]

Stuart E. Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer. "The Emperor's New Security Indicators: An Evaluation of Website Authentication and the Effect of Role Playing on Usability Studies." In the proceedings of the 2007 IEEE Symposium on Security and Privacy. May 20-23, 2007: Oakland, CA, USA. [pdf]

Andy Ozment and Stuart E. Schechter. "Milk or Wine: Does Software Security Improve with Age?" In the proceedings of the Fifteenth Usenix Security Symposium. July 31 - August 4, 2006: Vancouver, BC, Canada. [pdf] [html]

Andy Ozment and Stuart E. Schechter. "Bootstrapping the Adoption of Internet Security Protocols." In the proceedings of the Fifth Workshop on the Economics of Information Security. June 26-28, 2006: Cambridge, UK. [pdf]

Andy Ozment, Stuart E. Schechter, and Rachna Dhamija. "Web Sites Should Not Need to Rely On Users to Secure Communications." In the proceedings of the W3C Workshop on Transparency and Usability of Web Authentication. March 15-16, 2006: New York, NY, USA. [pdf]

Andy Ozment. "Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models." In Quality of Protection: Security Measurements and Metrics. Dieter Gollmann, Fabio Massacci, and Artsiom Yautsiukhin, eds. ISBN: 978-0-387-29016-4. Springer: 2006. [pdf] [Workshop]

Andy Ozment. "The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting." In the proceedings of the Fourth Workshop on the Economics of Information Security (WEIS). June 2-3, 2005: Cambridge, MA, USA. [pdf]

Andy Ozment. "Bug Auctions: Vulnerability Markets Reconsidered." In the proceedings of the Third Workshop on the Economics of Information Security (WEIS). May 13-14, 2004: Minneapolis, MN, USA. [pdf] [pdf slides]

Rupert Gatti, Stephen Lewis, Andy Ozment, Thierry Rayna, and Andrei Serjantov. "Sufficiently Secure Peer-to-Peer Networks." In the proceedings of the Third Workshop on the Economics of Information Security (WEIS). May 13-14, 2004: Minneapolis, MN, USA. [pdf] [pdf slides]

Seymour E. Goodman, Pamela Hassebroek, Davis King, and Andy Ozment. "International Coordination to Increase the Security of Critical Network Infrastructures." Journal of Information Warfare. ISSN: 1445-3312. 2:2:72-87. 2003.

Andy Ozment, Alison Smith, and Wendy Newstetter. "Causes for Cheating: Unclear Expectations in the Classroom." In the proceedings of the 2000 ASEE Annual Conference and Exposition. June 2000: St Louis, MO, USA. [pdf]