Measuring security effectiveness.


Welcome to, a community website for security practitioners. offers a community blog (this website) and a members-only mailing list.




Review the proceedings from the Metricon 8 conference, which was held on March 1st, 2013 at the RSA Conference in San Francisco.

Join the mailing list.

Metricon 9 — Conference Agenda

Posted in metricon, news

Friday, February 28, 2014

  • Open reception/light refreshments
  • Welcome! Metricon 8 recap & “Breaking the mold of security metrics” (Pete Lindstrom / Bob Rudis)
  • Expecting the Unexpected: Using Public Vulnerability Data for Resource Planning (Kymberlee Price, BlackBerry Incident Response Team Incident Manager)
  • Lunch & Unveiling Patterns within “Security Metrics”
  • Methods for Large-scale Measurement of the Security of Internet Ecosystems (Christophe Huygens, Professor, Katholieke Universiteit Leuven)
  • Measuring Third-party Security Risk (Stephen Boyer, BitSight)
  • Seeing the Elephant – Using collected data points to design and roll out software initiatives (Geoffrey Hill, Artis-Secure)
  • Behind The Curtains of the SilverSky Report (Andrew Jaquith, CTO, SilverSky)
  • Behind The Curtains of the Verizon DBIR (Jay Jacobs, Verizon)
  • Security, Visualized (Katherine Brocklehurst, Tripwire)
  • Lightning Talks

Metricon 9 — Call for Papers

Posted in metricon, news

Call for Papers for Metricon 9

Metricon is the annual conference dedicated to security metrics. We are excited to announce Metricon 9 — an all-day metrics workshop. We invite practitioners to present practical and novel approaches for measuring information security effectiveness.

When: Friday, February 28, 2014 (the Friday of RSA); all-day event

Where: Near or at RSA; specific location TBD

Theme: Behind the Curtains: From Data to Insight

New Mailing List Server

Posted in news

I am pleased to announce that has moved to a new virtual hosting system. The primary benefit is that we have a new mailing list server that uses Mailman, rather than Majordomo. Other changes include:

Changes Are Coming

Posted in news

Changes are coming to We are moving to a new hosting environment and mailing list system. More details soon.

Metricon 8 — Seven Metrics Challenges

Posted in metricon

Metricon 8 was a one-day event, Friday, March 1, 2013, co-located with the RSA Security Conference, in San Francisco, WA. This page contains a description of the event, official proceedings, presentations, and the original CFP.