Metricon 7 was a one-day event, Tuesday, August 7, 2012, co-located with USENIX, in Bellevue, WA. This page contains a description of the event, presentations, and the original CFP.
- Anton Chuvakin — Introduction to Metricon, security metrics and workshop goals
- David Severski — Even Giant Metrics Programs Start Small
- Panel — Rules of the road for useful security metrics
- Anoop Singhal, NIST — Panel sidenote
- Constantinos Patsakis, Universitat Rovira i Virgili — Measuring security with Sec Qua (full paper)
- Christopher Carlson — What we want to see in security metrics
- Panel — What we know to work in security metrics
- Steve Mckinney — Application Security Metrics We Use
- Jon Espenschied, Angela Gunn, Microsoft Trustworthy Computing Group — Threat Genomics and Threat Modeling (full paper)
- Conclusions, results and action items by Anton Chuvakin
Adam Montville posted a great summary on his blog. His lessons learned included:
- Culture Matters
- Goals matter
- Measure what you’re told
- Adopt Goal Question Metric (GQM) methodology
- Accountability yields metricophobia
- Available data drives metrics
- Understand the audience
Chair: Dr. Anton Chuvakin
- Fred Cohen
- Ramon Krikken
- Pete Lindstrom
- Raffael Marty
- Gunnar Petersen
- Chris Walsh
- Caroline Wong
- Lance Hayden
- Alex Hutton
Original Call for Participation
Security Metrics: Useful or Bust!
How to define, generate, and communicate security metrics you can use today.
This year, Metricon 7.0 is excited to issue a call for participation to the information security community. The event will occur August 7th 2012 collocated with USENIX in Bellevue, WA.
Given that this is the 7th event, we think it is time to finally say it: security metrics must be useful now! Thus, the focus this year is on useful and usable metrics – not conceptual and theoretical stuff that sounds great, but cannot and will not be used in today’s organizations. Also, presentations and panels that talk about “How?” and “What?” will be strongly prioritized over “Why?”(and “whine”). Enterprises and tool vendors are both welcome to present! Academic researchers tacking the real-world problems are welcome as well.
We want to see:
- How you achieved “quick wins” with security metrics?
- How you define useful metrics, whether risk or operational?
- What metrics you track are the most useful?
- How did you solve a particular challenge in security metrics area?
- How your tool helps (not “can help”!) with collecting and analyzing security metric data?
- Who gets the metrics you create? How do they use them?
- What metrics you use to determine that security controls are effective?
- How organization generate actionable advice from security metrics?
- How to track that your security is improving using metrics?
We do not want:
- Uncollectable and unusable metrics
- Metrics philosophy
- Uncooked metrics that sound vaguely “interesting”
Send submissions and your ideas for panel and presentations to email@example.com.
Deadline for presentation and talk submissions is May 31st, 2012. Submissions should be sent to
If you would like to attend, and have not received an invitation, please contact any member of the program committee or send mail to
Metricon7@securitymetrics.org and include a brief statement of qualification.