Posts

Metricon 3 — An Idea Whose Time Has Come

January 8, 2009
metricon

Agenda: Metricon 3 was held Tuesday, 29 July 2008 at San Jose, California. Dan Geer – Welcome words and housekeeping details. Four grouped sessions to follow; each has three at-most-20 minute presentations of ideas followed by 30 minutes of reaction from discussants and general interaction with all Metricon attendees. Breaks are short as is life. Lunch, which is in-room, is long enough but no longer. Dinner, which is in-room, is as long as people want though there is nothing “to do” that is more important than making the very utmost of the day and thus keeping at it until late. ...

New mailing list administrator

April 28, 2008
mailing list

Esteemed colleague David Mortman has volunteered to take mailing-list approval duties off of my hands. I have revised the Mailing List page accordingly. Please address correspondence regarding the list to David (details on the Mailing List page).

Mailing list update

February 29, 2008
mailing list

Folks, the mailing list approval process is officially out of control. As you may know, we do not automatically approve applicants to the list because of my severe dislike of e-mail harvesting bots and marketeers, and because of a desire to ensure that the membership list is “clean.” Manual vetting is the only way to do this, at the present. Unfortunately, it means that I have to manually inspect every applicant’s e-mail address. ...

Metricon 2 — Do Metrics Matter?

October 8, 2007
metricon

Metricon 2.0 was held August 7, 2007 in Boston. Agenda: Keynote Debate: “Do Metrics Matter?” Pro: Andrew Jaquith, Yankee Group. Con: Mike Rothman, SecurityIncite. Immoderator: Elizabeth A Nichols, PlexLogic. Track 1. Chair: Gunnar Peterson, Arctec Group. Russell Cameron Thomas, Meritology – Security Meta Metrics: Measuring Agility, Learning, and Unintended Consequence. Fredrick DeQuan Lee and Brian Chess, Fortify – Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software. Eric Dalci and Robert Hines, Cigital – A Software Security Risk Classification System. Track 2. ...

Mini-Metricon 1.5

February 5, 2007
metricon

The redoubtable Fred Cohen organized Mini-Metricon, which was held Monday February 5th at the University of San Francisco. Sponsors were the University of San Francisco and the University of New Haven. The full agenda is on Fred’s website. Liveblog by Andrew Jaquith We are here conversing about metrics. Attendees (about 26) include Fred, Betsy Nichols, Russell Thomas, Jason Zann, Mark Kadrich, Andy Sudbury, Phebe Waterfield, Jeremy Epstein, Brian Darby, Kedar Dhuru, Eddie Schwartz, Raffael Marty. ...

Visualization

January 25, 2007
visualization

This page catalogs techniques for representing security data visually. Clear, cogent, meaningful visual displays of information enable the audience to rapidly grasp the essence of security issues and trends. Below are some exemplars, many of which come from outside the world of information security. (Wikipedia definition: Information Visualization) Charts and Graphs: Summarizing Clinical Psychiatric Data (November 1997) - Edward Tufte popularized a highly efficient charting technique called “small multiples. ...

Metricon X — Call for Papers

September 29, 2006
metricon

Securitymetrics.org was started by a group of obsessive security and risk professionals way back in the dark ages of security — the early 2000s. The first gathering of “security quants” was held in September 2006, with eight more conferences following, plus 6 mini-conferences. As Metricon celebrates its tenth conference, it is worth reflecting on a body of practice that is now well over ten years old. Metricon X will be held in March 2019. ...

Metricon 1 — The Inaugural Event

September 20, 2006
metricon

Metricon 1.0 was held 1 August 2006 in Vancouver, British Columbia, Canada, coincident and co-located with the 15th USENIX Security Symposium. This page has the final agenda, copies of all presentation materials, and a digest summary of the meeting itself. (As is both typical and appropriate, let me hasten to say as the scribe for the affair that all errors are mine.) The Metricon 1.0 Agenda follows below with presentation materials from each author. ...

Benchmarking

June 30, 2006
benchmarking

Benchmarking generally refers to the process of ranking or scoring security against an established standard measure. Benchmarks can be absolute or cross-sectional. Comparative Application Security: The Security of Applications: Not All Are Created Equal (February 2002), Andrew Jaquith. This study examines the security practices of 45 web applications, and finds that the most secure e-business applications have one-quarter as many security defects as the worst – and eighty percent less risk. ...

Return on Investment

June 20, 2006
ROI

Data Breaches: Lost Customer Information: What Does a Data Breach Cost Companies?, Ponemon Institute Survey sponsored by PGP Corporation, PDF. The Ponemon Institute’s benchmark study, sponsored by PGP Corporation, examines the costs incurred by 14 companies that experienced a data breach. Results were not hypothetical responses to possible situations; they represent cost estimates for activities resulting from data loss incidents. Application Quality: Tangible ROI Through Secure Software Engineering, Soo Hoo K, Sudbury AW, & Jaquith AR, Secure Business Quarterly, 5 pp, Q2 2001, PDF. ...