With five years of organized conferences in the history books, this year's theme, appropriately, is Older But Wiser. Four years ago, presenters at the first Metricon discussed software security, benchmarking, identity management, enterprise case studies and many other topics. Since then, researchers and enterprises have continued to investigate new techniques. What have we learned? Given that we are trying to measure, measuring the security metrics field (and the success or failures of our own efforts) is also our responsibility.

The program is organized along three temporal perspectives:

• Metrics Past. Which metrics techniques from 2006 worked, and which did not? And how can knowledge of the past inform the present and future?
• Metrics Present. What is the state of the art as practiced today' by leading corporations, consultants and researchers?
• Metrics Future. What new strategies for measuring security will emerge in the future?

Metricon 5 will be a one-day event, Tuesday, August 10th, 2010, co-located with the 19th USENIX Security Symposium in Washington, DC (http://www.usenix.org/events/sec10/). Metricon will begin bright and early in the morning, continue through a catered lunch in meeting room, and extend into the evening with informal discussion. Attendance will be by invitation. Capacity is limited to 60 participants.

Program

Time	Track
0800–0900h	Breakfast
0900–0930h	Andrew Jaquith, Forrester Research, Welcome address and ''Five Years of Security Metrics: A Look Back''
0930–1000h	Richard Seiersen, Kaiser Permanente, ''Practical Security Metrics in the 4th Dimension''
1000–1030h	RH Powell, Akamai, ''Weathering Storms in the Cloud: Analyzing Massive Distributed Denial of Service Attacks to Better Prepare for the Future''
1030–1100h	Morning break
1100–1130h	John S Quarterman, Quarterman Creations/CREC at the UT Austin School of Business, ''Spam Reputation as Output Measure of Infosec''
1130–1200h	Gina Fisk, Los Alamos National Laboratories, ''Optimizing Performance Management using Adaptive Metrics, Fitness Functions, and the Balanced Score Card''
1200–1230h	Fabio Massacci, Universita' di Trento, ''Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox''
1230–1345h	Lunch
1345–1415h	Elizabeth Nichols, PlexLogic: Security Metrics, ''Security Metrics: What’s Hot and What’s Not''
1415–1445h	Laura Glowick, Federal Home Loan Bank of Boston, ''Enterprise Security Dashboard'' also: FHLB's metrics catalog
1445–1515h	Afternoon break
1515–1545h	Alex Hutton, Verizon Security Intelligence, ''Bridging Risk Modeling, Threat Modeling, and Operational Metrics With the VERIS Framework''
1545–1615h	Michael Smith, Fish Catchers Heavy Industries, ''Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks''
1615–1730	Rump session: open-mic discussion of current research and topics of shared interest
1730–	Beer! Sponsored by Blue Canopy

Venue

Event Sponsors

Attendance

All participants will be expected to "come with findings" and be willing to contribute to group discussions. Politeness will be praised; questions, encouraged; lurkers, flushed out.

The proceedings of all past meetings are available here:

• Metricon 1
• Metricon 2
• Mini-Metricon 2.5
• Metricon 3
• Mini-Metricon 3.5
• Metricon 4
• Mini-Metricon 4.5

For speakers

• Deadline for final presentation: July 30th, 2010

Conference chairs

• Andrew Jaquith, Forrester Research
• Khalid Kark, Forrester Research

Program committee members

• Jennifer Bayuk, Stevens Institute of Technology
• Dan Geer, In-Q-Tel
• Chris Walsh, SurePayroll
• Wade Baker, Verizon Risk Intelligence
• Ray Kaplan, Ray Kaplan & Associates
• Michael Smith, Akamai Technologies
• Daniel Arista, Syracuse Research Corporation