Welcome to securitymetrics.org, a community website for security practitioners. Securitymetrics.org offers a community blogging service (this page) and a members-only mailing list. See the Mailing List page for more details.
Announcing Metricon 5
Metricon 5 is the fifth annual conference dedicated to security metrics. It is a forum for presenting new approaches for measuring information security effectiveness, with a bias towards practical, specific approaches. Topics and presentations will be selected for their novelty and merit, and their potential to stimulate discussion.
With five years of organized conferences in the history books, this year's theme, appropriately, is Older But Wiser. Four years ago, presenters at the first Metricon discussed software security, benchmarking, identity management, enterprise case studies and many other topics. Since then, researchers and enterprises have continued to investigate new techniques. What have we learned? Since measurement is our business, measuring the security metrics field itself (and the success or failure of our own efforts) is also our responsibility.
The program is organized along three temporal perspectives:
- Metrics Past. Which metrics techniques from 2006 worked, and which did not? And how can knowledge of the past inform the present and future?
- Metrics Present. What is the state of the art as practiced today by leading corporations, consultants and researchers?
- Metrics Future. What new strategies for measuring security will emerge in the future?
Metricon 5 will be a one-day event, Tuesday, August 10th, 2010, co-located with the 19th USENIX Security Symposium in Washington, DC (http://www.usenix.org/events/sec10/). Metricon will begin bright and early in the morning, continue through a catered lunch in the meeting room, and extend into the evening with informal discussion. Attendance will be by invitation. Capacity is limited to 60 participants.
Program
| Time | Session |
| --- | --- |
| 0800–0900h | Breakfast |
| 0900–0930h | Andrew Jaquith, Forrester Research, Welcome address and ''Five Years of Security Metrics: A Look Back'' |
| 0930–1000h | Richard Seiersen, Kaiser Permanente, ''Practical Security Metrics in the 4th Dimension'' |
| 1000–1030h | RH Powell, Akamai, ''Weathering Storms in the Cloud: Analyzing Massive Distributed Denial of Service Attacks to Better Prepare for the Future'' |
| 1030–1100h | Morning break |
| 1100–1130h | John S Quarterman, Quarterman Creations/CREC at the UT Austin School of Business, ''Spam Reputation as Output Measure of Infosec'' |
| 1130–1200h | Gina Fisk, Los Alamos National Laboratories, ''Optimizing Performance Management using Adaptive Metrics, Fitness Functions, and the Balanced Score Card'' |
| 1200–1230h | Fabio Massacci, Universita' di Trento, ''Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox'' |
| 1230–1345h | Lunch |
| 1345–1415h | Elizabeth Nichols, PlexLogic: Security Metrics, ''Security Metrics: What’s Hot and What’s Not'' |
| 1415–1445h | Laura Glowick, Federal Home Loan Bank of Boston, ''Enterprise Security Dashboard'' also: FHLB's metrics catalog |
| 1445–1515h | Afternoon break |
| 1515–1545h | Alex Hutton, Verizon Security Intelligence, ''Bridging Risk Modeling, Threat Modeling, and Operational Metrics With the VERIS Framework'' |
| 1545–1615h | Michael Smith, Fish Catchers Heavy Industries, ''Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks'' |
| 1615–1730h | Rump session: open-mic discussion of current research and topics of shared interest |
| 1730– | Beer! Sponsored by Blue Canopy |
Venue
Metricon 5 will be held at the Marriott Woodman Park Hotel, 2660 Woodley Road Northwest, Washington, DC, on August 10th, 2010. It is co-located with the USENIX Security 2010 Symposium.
Attendance
Attendance is by invitation only. If you would like to attend, send an e-mail to metricon5 at securitymetrics dot org.
All participants will be expected to "come with findings" and be willing to contribute to group discussions. Politeness will be praised; questions, encouraged; lurkers, flushed out.
The proceedings of all past meetings are available here:
For speakers
- Deadline for final presentation: July 30th, 2010
Conference chairs
- Andrew Jaquith, Forrester Research
- Khalid Kark, Forrester Research
Program committee members
- Jennifer Bayuk, Stevens Institute of Technology
- Dan Geer, In-Q-Tel
- Chris Walsh, SurePayroll
- Wade Baker, Verizon Risk Intelligence
- Ray Kaplan, Ray Kaplan & Associates
- Michael Smith, Akamai Technologies
- Daniel Arista, Syracuse Research Corporation
Mini MetriCon 4.5
Mini MetriCon 4.5 was held Monday, March 1, 2010, in San Francisco, California, adjacent to the USA RSA 2010 Conference. The presentations are posted as embedded links in the agenda; the original CFP remains available as well.
MetriCon 4.0
MetriCon 4.0 was held Tuesday, August 11, 2009, in Montreal, Quebec, co-located with the USENIX Security Symposium. See the MetriCon 4.0 page for the details of the meeting, including its CFP, the final agenda, and the meeting's Digest.
Mini MetriCon 3.5
Mini MetriCon 3.5 was held Monday, April 20, 2009, in San Francisco, California, adjacent to the USA RSA 2009 Conference. The presentations are posted as embedded links in the agenda; the original CFP remains available as well. Sadly, no Digest was ever completed.
MetriCon 3.0
The MetriCon 3.0 presentations and digest are available as attachments to the final agenda.
Mini MetriCon 2.5 Presentations
The MiniMetriCon 2.5 presentations are available as attachments to the final agenda.
Metrics Catalog Project:
The Metrics Catalog Project was officially launched in June 2008. A major revision has been made available as of April 2009. To see the catalog on-line you can visit:
General information about the Metrics Catalog can be found in the following documents:
BEWARE: You will need a Javascript and Java enabled browser to optimally experience the content on these sites. Due to circumstances beyond our control, we cannot support any browser on Vista.
--Elizabeth Nichols, 3-July-2009
May 22, 2007 4:56 PM
What do Security-Conscious People Choose?
At security conferences and events, I have noticed that the distribution of operating systems seems to differ somewhat from what I read in the papers. As my last post showed, the Internet Identity Workshop skewed decidedly in the Mac direction.
I thought it would be fun to put together a quick poll asking the members of the securitymetrics.org mailing what operating systems they used. I sent out a note asking the membership to respond to two simple questions:
- What is the operating system and e-mail client you use at work?
- What is the operating system and e-mail client you use at home (or for personal activities)?
I've compiled some preliminary statistics for your reading pleasure. Thanks to the 27 people who responded out of a total membership of about 300. That's nearly a 10% response rate in less than a day — not bad at all!
Objectives and Methodology
The goal of this little survey was to figure out whether self-selected, security-conscious people had a preference for operating systems or e-mail clients that differed markedly from the mainstream.
I've compiled operating system and e-mail statistics from three related sources:
- Responses to my previous e-mail (27 replies) — what is your operating system and e-mail client at work and at home?
- Analysis of e-mail "X-Mailer" and related headers from the securitymetrics.org mailing list (20 June 2006 to present)
- Analysis of same from metricon@securitymetrics.org traffic (i.e., paper submissions) (31 March 2006 to present)
In total, I identified 170 people who have contributed to this mailing list or sent submissions to Metricon 1.0 and 2.0. Of those, 27 provided OS/email information to me directly; I relied on header analysis for the remaining 143.
In total, I was able to identify a "preferred" operating system (either the one specified as the 'home' OS in a direct e-mail to me, or the one identified in the header) for 93 people. I identified e-mail programs for 131 people.
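The header-analysis step above is easy to describe but has two details worth getting right: the tally must count people, not messages (a frequent poster would otherwise dominate), and the client and OS have to be inferred from whichever of X-Mailer or User-Agent a client happens to emit. The script below is an added example written for this page, not code from the original post. It parses a handful of constructed messages with the standard `email` module, classifies each sender's client and OS with simple regex rules, de-duplicates by sender address (last message seen wins, an assumption), and produces the same "name / count / percent" shape as the tables that follow. The header formats in the samples are approximations of what these clients emit; the Gmail rule (no X-Mailer plus a Message-ID at mail.gmail.com) and the mapping of "X11" to Linux are heuristics, not facts taken from the page.

```python
import email
import re
from collections import Counter
from email.utils import parseaddr

# Constructed sample messages (not real list traffic). Header values imitate
# the general style of each client; treat them as illustrative only.
SAMPLE_MESSAGES = [
    "From: Alice <alice@example.org>\nMessage-ID: <a1@example.org>\n"
    "X-Mailer: Microsoft Office Outlook 12.0\n\nbody\n",
    "From: Bob <bob@example.org>\nMessage-ID: <b1@example.org>\n"
    "User-Agent: Thunderbird 2.0.0.0 (Macintosh/20070326)\n\nbody\n",
    "From: Alice <alice@example.org>\nMessage-ID: <a2@example.org>\n"
    "X-Mailer: Microsoft Office Outlook 12.0\n\nbody\n",  # same person again
    "From: carol@example.org\nMessage-ID: <c1@example.org>\n"
    "X-Mailer: Apple Mail (2.752.3)\n\nbody\n",
    "From: dave@example.org\nMessage-ID: <d1@example.org>\n"
    "User-Agent: Mutt/1.5.13 (2006-08-11)\n\nbody\n",
    "From: eve@example.org\nMessage-ID: <e1@mail.gmail.com>\n\nbody\n",
    "From: frank@example.org\nMessage-ID: <f1@example.org>\n"
    "User-Agent: Thunderbird 2.0.0.0 (X11/20070326)\n\nbody\n",
]

# Client fingerprints, checked in order against the X-Mailer / User-Agent value.
CLIENT_RULES = [
    ("Outlook", re.compile(r"Microsoft (Office )?Outlook|Outlook Express", re.I)),
    ("Thunderbird", re.compile(r"Thunderbird", re.I)),
    ("Apple Mail", re.compile(r"Apple Mail", re.I)),
    ("Mutt", re.compile(r"\bMutt\b", re.I)),
    ("Pine", re.compile(r"\bPine\b", re.I)),
    ("Lotus Notes", re.compile(r"Lotus Notes", re.I)),
]

# OS inference from the same header. Assumptions: Outlook implies Windows,
# Apple Mail implies OS X, and a Thunderbird "X11" build is counted as Linux.
OS_RULES = [
    ("Windows", re.compile(r"Windows|Win32|Outlook", re.I)),
    ("OS X", re.compile(r"Macintosh|Mac OS X|Apple Mail", re.I)),
    ("Linux", re.compile(r"Linux|X11", re.I)),
]


def parse_headers(raw):
    """Return (sender address, mailer string, Message-ID) for one raw message."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    mailer = msg.get("X-Mailer") or msg.get("User-Agent") or ""
    return sender, mailer, msg.get("Message-ID", "")


def classify(mailer, message_id):
    """Map a mailer header (and Message-ID fallback) to (client, os)."""
    client = "Other"
    for name, pattern in CLIENT_RULES:
        if pattern.search(mailer):
            client = name
            break
    # Webmail usually sends no X-Mailer; Gmail is recognisable by its Message-ID
    # domain (heuristic, assumed for this example).
    if client == "Other" and not mailer and "mail.gmail.com" in message_id:
        client = "Google Mail"
    os_name = "Unknown"
    for name, pattern in OS_RULES:
        if pattern.search(mailer):
            os_name = name
            break
    return client, os_name


def tally(raw_messages):
    """Count clients and OSes per distinct sender, not per message."""
    per_person = {}
    for raw in raw_messages:
        sender, mailer, message_id = parse_headers(raw)
        if not sender:
            continue
        per_person[sender] = classify(mailer, message_id)  # last seen wins
    clients = Counter(client for client, _ in per_person.values())
    # Only people whose OS could be inferred enter the OS denominator,
    # mirroring the post's smaller n for operating systems.
    oses = Counter(os_name for _, os_name in per_person.values() if os_name != "Unknown")
    return clients, oses


def as_table(counter):
    """Render a Counter as (name, count, rounded percent) rows, largest first."""
    total = sum(counter.values())
    return [(name, n, round(100 * n / total)) for name, n in counter.most_common()]


if __name__ == "__main__":
    clients, oses = tally(SAMPLE_MESSAGES)
    for row in as_table(clients):
        print("client", row)
    for row in as_table(oses):
        print("os", row)
```

Run against a real mbox, the loop over `SAMPLE_MESSAGES` would become a loop over `mailbox.mbox(path)` entries converted with `.as_string()`; the de-duplication by sender is what keeps the per-person numbers comparable with the direct survey responses, and the separate denominator for OS is why the post reports n=92 for operating systems but n=131 for e-mail clients.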
Operating Systems
For respondents who contacted me directly, and specified their work OS (n=27), Windows was the majority OS.
| Name | # | % |
| --- | --- | --- |
| Windows | 15 | 56% |
| Linux | 5 | 19% |
| OS X | 7 | 26% |
For home (n=28), the results are quite different:
| Name | # | % |
| --- | --- | --- |
| Windows | 8 | 29% |
| Linux | 7 | 25% |
| OS X | 13 | 46% |
Of the 27 respondents, 14 (55%) reported using a different OS at home compared to work. After taking X-Mailer headers into account, I conclude that when members of this list ("security conscious people") have a choice, they slightly prefer Macs. Amazingly enough, this suggests that Windows is a minority operating system, at least on this list. Results (n=92):
| Name | # | % |
| --- | --- | --- |
| Windows | 38 | 41% |
| Linux | 15 | 16% |
| OS X | 39 | 42% |
E-Mail Clients
For respondents who specified their work e-mail client (n=27), Microsoft Outlook was the majority client.
| Name | # | % |
| --- | --- | --- |
| Outlook | 14 | 52% |
| Thunderbird | 4 | 15% |
| Apple Mail | 3 | 11% |
| Mutt | 2 | 7% |
| Other | 4 | 15% |
For home (n=28), the results are, once again, quite different — and quite diverse:
| Name | # | % |
| --- | --- | --- |
| Thunderbird | 7 | 25% |
| Apple Mail | 6 | 21% |
| Outlook | 3 | 11% |
| Google Mail | 3 | 11% |
| Pine | 2 | 7% |
| Mutt | 2 | 7% |
| Other | 5 | 18% |
Of the 28 respondents, nearly 2/3 (17 or 63%) specified a different home e-mail client compared to the one they used at work. After analysis of X-Mailer headers is taken into account (n=131), I conclude that our members prefer webmail overall, and prefer free (and non-Microsoft) native clients.
| Name | # | % |
| --- | --- | --- |
| Google Mail | 23 | 18% |
| Thunderbird | 22 | 17% |
| Apple Mail | 20 | 15% |
| Outlook | 20 | 15% |
| Lotus Notes | 10 | 8% |
| Other | 36 | 27% |
Interesting, no? Statistically relevant — maybe not! Let the debates begin in earnest!
May 15, 2007 10:53 PM
Metrics from Internet Identity Workshop
This week, I am attending two security shows: the Internet Identity Workshop (IIW) in Mountain View, and the CardTech show in San Francisco. Both of these venues offer contrasting views of the portable identity market, an area I cover professionally for Yankee Group. As many people who know me can personally testify, I like to count things. Here are a few statistics that will probably interest only me:
- # attendees at Internet Identity Workshop: 150
- # attendees from US Department of Defense: 1
- # conference sessions on identity: about 40
- # conference sessions explicitly devoted to identity theft and fraud: 1
- # personal computers observed at general session, 10:10 AM today: 46
- % of general session computers that were Macs: 55% (25/46)
- % of Macs that were MacBook Pros (that is, less than a year old): 90%
- # OpenID relying parties in November 2006: 550
- # OpenID RPs today: 2500
- # personal computers observed at Microsoft-sponsored working session on CardSpace: 14
- % of Macs at Microsoft session: 42% (6/14)
May 2, 2007 3:00 PM
Microsoft Security Intelligence Report 2H06
This is essentially a forward reference to a comment I made to another blog, but as it is related to the nature of reporting for vulnerabilities and quantitative progress against them, perhaps it is relevant here.
The topic is the "Microsoft Security Intelligence Report 2H06" and the comments follow the initial discussion.
http://blogs.csoonline.com/microsoft_security_intelligence_report_2h06
This site is not affiliated with any organization, and the opinions expressed on this website are strictly those of the authors themselves.