Measuring security effectiveness.


Welcome to, a community website for security practitioners. offers a community blog (this website) and a members-only mailing list.




Review the proceedings from the Metricon 8 conference, which was held on March 1st, 2013 at the RSA Conference in San Francisco.


Metricon X — Agenda

Posted in metricon

Metricon X will be held on March 21st and 22nd at the Stevens Institute of Technology in Jersey City, NJ.

The theme of the conference is: “Metrics that Matters – Help Management with Decision Making and Improve Security Posture of the Organization”

The agenda follows. Chatham House Rules apply.

Metricon X — Call for Papers

Posted in metricon

was started by a group of obsessive security and risk professionals way back in the dark ages of security — the early 2000s. The first gathering of “security quants” was held in September 2006, with eight more conferences following, plus 6 mini-conferences. As Metricon celebrates its tenth conference, it is worth reflecting on a body of practice that is now well over ten years old.

Metricon X will be held in March 2019. It will ask and answer the following questions:

Metricon 9 — Conference Agenda

Posted in metricon, news

Friday, February 28, 2014

  • Open reception/light refreshments
  • Welcome! Metricon 8 recap & “Breaking the mold of security metrics” (Pete Lindstrom / Bob Rudis)
  • Expecting the Unexpected: Using Public Vulnerability Data for Resource Planning (Kymberlee Price, BlackBerry Incident Response Team Incident Manager)
  • Lunch & Unveiling Patterns within “Security Metrics”
  • Methods for Large-scale Measurement of the Security of Internet Ecosystems (Christophe Huygens, Professor, Katholieke Universiteit Leuven)
  • Measuring Third-party Security Risk (Stephen Boyer, BitSight)
  • Seeing the Elephant – Using collected data points to design and roll out software initiatives (Geoffrey Hill, Artis-Secure)
  • Behind The Curtains of the SilverSky Report (Andrew Jaquith, CTO, SilverSky)
  • Behind The Curtains of the Verizon DBIR (Jay Jacobs, Verizon)
  • Security, Visualized (Katherine Brocklehurst, Tripwire)
  • Lightning Talks

Metricon 9 — Call for Papers

Posted in metricon, news

Call for Papers for Metricon 9

Metricon is the annual conference dedicated to security metrics. We are excited to announce Metricon 9 — an all-day metrics workshop. We invite practitioners to present practical and novel approaches for measuring information security effectiveness.

When: Friday, February 28, 2014 (the Friday of RSA); All day event

Where: Near or at RSA; specific location TBD

Theme: Behind the Curtains: From Data to Insight

New Mailing List Server

Posted in news

I am pleased to announce that has moved to a new virtual hosting system. The primary benefit is that we have a new mailing list server that uses Mailman, rather than Majordomo. Other changes include: