securitymetrics.org: Welcome

Welcome

Welcome to securitymetrics.org, a community website for security practitioners. Securitymetrics.org offers a community blogging service (this page) and a members-only mailing list

. See the Mailing List page for more details.

Announcing Metricon 5

Metricon 5 is the fifth annual conference dedicated to security metrics. It is a forum for presenting new approaches for measuring information security effectiveness, with a bias towards practical, specific approaches. Topics and presentations will be selected for their novelty and merit, and their potential to stimulate discussion.

With five years of organized conferences in the history books, this year's theme, appropriately, is Older But Wiser. Four years ago, presenters at the first Metricon discussed software security, benchmarking, identity management, enterprise case studies and many other topics. Since then, researchers and enterprises have continued to investigate new techniques. What have we learned? Given that we are trying to measure, measuring the security metrics field (and the success or failures of our own efforts) is also our responsibility.

The program is organized along three temporal perspectives:

Metrics Past. Which metrics techniques from 2006 worked, and which did not? And how can knowledge of the past inform the present and future?
Metrics Present. What is the state of the art as practiced today' by leading corporations, consultants and researchers?
Metrics Future. What new strategies for measuring security will emerge in the future?

Metricon 5 will be a one-day event, Tuesday, August 10th, 2010, co-located with the 19th USENIX Security Symposium in Washington, DC (http://www.usenix.org/events/sec10/). Metricon will begin bright and early in the morning, continue through a catered lunch in meeting room, and extend into the evening with informal discussion. Attendance will be by invitation. Capacity is limited to 60 participants.

Program

Time	Track
0800–0900h	Breakfast
0900–0930h	Andrew Jaquith, Forrester Research, Welcome address and ''Five Years of Security Metrics: A Look Back''
0930–1000h	Richard Seiersen, Kaiser Permanente, ''Practical Security Metrics in the 4th Dimension''
1000–1030h	RH Powell, Akamai, ''Weathering Storms in the Cloud: Analyzing Massive Distributed Denial of Service Attacks to Better Prepare for the Future''
1030–1100h	Morning break
1100–1130h	John S Quarterman, Quarterman Creations/CREC at the UT Austin School of Business, ''Spam Reputation as Output Measure of Infosec''
1130–1200h	Gina Fisk, Los Alamos National Laboratories, ''Optimizing Performance Management using Adaptive Metrics, Fitness Functions, and the Balanced Score Card''
1200–1230h	Fabio Massacci, Universita' di Trento, ''Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox''
1230–1345h	Lunch
1345–1415h	Elizabeth Nichols, PlexLogic: Security Metrics, ''Security Metrics: What’s Hot and What’s Not''
1415–1445h	Laura Glowick, Federal Home Loan Bank of Boston, ''Enterprise Security Dashboard'' also: FHLB's metrics catalog
1445–1515h	Afternoon break
1515–1545h	Alex Hutton, Verizon Security Intelligence, ''Bridging Risk Modeling, Threat Modeling, and Operational Metrics With the VERIS Framework''
1545–1615h	Michael Smith, Fish Catchers Heavy Industries, ''Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks''
1615–1730	Rump session: open-mic discussion of current research and topics of shared interest
1730–	Beer! Sponsored by Blue Canopy

Venue

Metricon 5 will be held at the Marriott Woodman Park Hotel, 2660 Woodley Road Northwest, Washington, DC, on August 10th, 2010. It is co-located with the USENIX Security 2010 Symposium.

Event Sponsors

Attendance

Attendance is by invitation only. If you would like to attend, send an e-mail to metricon5 at securitymetrics dot org.

All participants will be expected to "come with findings" and be willing to contribute to group discussions. Politeness will be praised; questions, encouraged; lurkers, flushed out.

The proceedings of all past meetings are available here:

For speakers

Deadline for final presentation: July 30th, 2010

Conference chairs

Andrew Jaquith, Forrester Research
Khalid Kark, Forrester Research

Program committee members

Jennifer Bayuk, Stevens Institute of Technology
Dan Geer, In-Q-Tel
Chris Walsh, SurePayroll
Wade Baker, Verizon Risk Intelligence
Ray Kaplan, Ray Kaplan & Associates
Michael Smith, Akamai Technologies
Daniel Arista, Syracuse Research Corporation

Mini MetriCon 4.5

Mini MetriCon 4.5 was held Monday, March 1, 2010, in SanFrancisco, California, adjacent to the USA RSA 2010 Conference. The presentations are posted as embedded links in the agenda

; the original CFP

remains available as well.

MetriCon 4.0

MetriCon 4.0 was held Tuesday, August 11, 2009, in Montreal, Quebec, co-located with the USENIX Security Symposium

. See the MetriCon 4.0

page for the details of the meeting, including its CFP, the final agenda, and the meeting's Digest.

Mini MetriCon 3.5

Mini MetriCon 3.5 was held Monday, April 20, 2009, in SanFrancisco, California, adjacent to the USA RSA 2009 Conference. The presentations are posted as embedded links in the agenda

; the original CFP

remains available as well. Sadly, no Digest was ever completed.

MetriCon 3.0

The MetriCon 3.0 presentations and digest are available as attachments to the final agenda

Mini MetriCon 2.5 Presentations

The MiniMetriCon 2.5 presentations are available as attachments to the final agenda

Metrics Catalog Project:

The Metrics Catalog Project was officially launched in June 2008. A major revision has been made available as of April 2009. To see the catalog on-line you can visit:

www.metricscenter.org The open and free read-only catalog that you can explore.
www.metricscenter.net The commercial site where you can sign up for a free trial and create your own catalog. In addition, you can view the Center for Internet Security Consensus metrics with a trial account.

General information about the Metrics Catalog can be found in the following documents:

BEWARE: You will need a Javascript and Java enabled browser to optimally experience the content on these sites. Due to circumstances beyond our control, we cannot support any browser on Vista.

--Elizabeth Nichols, 3-July-2009

Logged in? Add a New entry to this blog!

January 31, 2008 7:07 PM

Retired Comedians and Missed Opportunities

There's this old joke about a comedians' retirement home that goes something like this:

An aging comedian decides to retire to a community that has just other comedians living in it. On his first day there, he does down to lunch, and there's a bunch of retired fellow comics sitting around the table.

The conversation they're having puzzles the man a bit. One of comics at the table yells out, "12!" and everybody just dies laughing. Then another one says, "44!" and a three of them laugh so hard they roll straight out of their chairs and onto the floor.

When a lull in the conversation comes, the new guy introduces himself, and asks, "Hey, what's going on? What's so funny about yelling out numbers?"

One of the comics says, "Oh, you're the new kid on the block, eh? Here's what's going on. We've all been retired for many years. We've been telling and re-telling the same old jokes for so long, we've assigned them all numbers. To save time, instead of telling the joke again, we just say the number!"

"Wow," says the new guy. "I've never seen that before. That's pretty cool. Mind if I join you?"

"Sure," the other comic says, and beckons him to sit down.

The new guy is eager to fit in. So five minutes later, he yells out, "28!" NOBODY laughs -- you could've heard a pin drop.

His voice qwavering, the new guy asks, "What's wrong? Isn't number 28 a good joke too?"

"Sure it is," pipes in the other comic. "But it's all about the delivery!"

I mention this because I can't stand Jeff Jones' quarterly festivals of FUD. Rather than complain yet again, and in detail, about how dumb vulnerability-counting is, why the methodology is flawed, why it has limited bearing on security, how the system is easily gamed, why it's colored by Jeff's obvious agenda, and why it's a tragedy that Microsoft does not do what it should, namely mine the world's most complete bug databases and code repositories for truly compelling information about code quality and application security metrics.

But I won't do that again. I'm just going to, like these comics, just yell out the shorthand.

"Jeff Jones."

Note that I'm not laughing.

By Andrew Jaquith Permalink

Weblog archives:

This site is not affillated with any organization, and the opinions expressed on this website are strictly those of the authors themselves.

To log in to the Securitymetrics.org website, create a profile first.

Attachments

MiniMetricon2.5 Agenda Final.pdf		71221 bytes
MM35 Draft Agenda.pdf		105735 bytes
metricon5 - jaquith - welcome.ppt		1569792 bytes
Agenda Draft v2.pdf		105915 bytes
metricon40.cfp.pdf		56256 bytes
post-event-survey.pdf		116492 bytes

Page Info My Prefs Log in

This page (revision-68) last changed on 13:06 23-Apr-2010 by Andrew Jaquith.

Referenced by
Left Menu

JSPWiki v2.4.1-cvs

Page Info My Prefs Log in

This page (revision-68) last changed on 13:06 23-Apr-2010 by Andrew Jaquith.