Metricon 5 — Older But Wiser

August 23, 2010

Metricon 5 was held Tuesday, August 10th, 2010, co-located with the 19th USENIX Security Symposium in Washington, DC. This page contains the details of the meeting, including its CFP, the final agenda, and the meeting’s Digest.

Program #

• Andrew Jaquith, Forrester Research – Five Years of Security Metrics: A Look Back
• Richard Seiersen, Kaiser Permanente – Practical Security Metrics in the 4th Dimension
• RH Powell, Akamai – Weathering Storms in the Cloud: Analyzing Massive Distributed Denial of Service Attacks to Better Prepare for the Future
• John S Quarterman, Quarterman Creations/CREC at the UT Austin School of Business – Spam Reputation as Output Measure of Infosec
• Gina Fisk, Los Alamos National Laboratories – Optimizing Performance Management using Adaptive Metrics, Fitness Functions, and the Balanced Score Card
• Fabio Massacci, Universita’ di Trento – Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox
• Elizabeth Nichols, PlexLogic – Security Metrics: What’s Hot and What’s Not
• Laura Glowick, Federal Home Loan Bank of Boston – Enterprise Security Dashboard and FHLB’s metrics catalog
• Alex Hutton, Verizon Security Intelligence, – Bridging Risk Modeling, Threat Modeling, and Operational Metrics With the VERIS Framework
• Michael Smith, Fish Catchers Heavy Industries – Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks
• Rump session: open-mic discussion of current research and topics of shared interest
• Beer! Sponsored by Blue Canopy

After the event, Andrew conducted a post-event survey of the participants.

Venue

Metricon 5 was held at the Marriott Woodman Park Hotel, 2660 Woodley Road Northwest, Washington, DC, on August 10th, 2010. It is co-located with the USENIX Security 2010 Symposium.

Event Sponsors

Program Committee #

Conference chairs:

• Andrew Jaquith, Forrester Research
• Khalid Kark, Forrester Research

Program committee members:

• Jennifer Bayuk, Stevens Institute of Technology
• Dan Geer, In-Q-Tel
• Chris Walsh, SurePayroll
• Wade Baker, Verizon Risk Intelligence
• Ray Kaplan, Ray Kaplan & Associates
• Michael Smith, Akamai Technologies
• Daniel Arista, Syracuse Research Corporation

Original Call for Participation #

Metricon 5 is the fifth annual conference dedicated to security metrics. It is a forum for presenting new approaches for measuring information security effectiveness, with a bias towards practical, specific approaches. Topics and presentations will be selected for their novelty and merit, and their potential to stimulate discussion.

With five years of organized conferences in the history books, this year’s theme, appropriately, is Older But Wiser. Four years ago, presenters at the first Metricon discussed software security, benchmarking, identity management, enterprise case studies and many other topics. Since then, researchers and enterprises have continued to investigate new techniques. What have we learned? Given that we are trying to measure, measuring the security metrics field (and the success or failures of our own efforts) is also our responsibility.

The program is organized along three temporal perspectives:

• Metrics Past. Which metrics techniques from 2006 worked, and which did not? And how can knowledge of the past inform the present and future?
• Metrics Present. What is the state of the art as practiced ‘’today’ by leading corporations, consultants and researchers?
• Metrics Future. What new strategies for measuring security will emerge in the future?

Metricon 5 will be a one-day event, Tuesday, August 10th, 2010, co-located with the 19th USENIX Security Symposium in Washington, DC (http://www.usenix.org/events/sec10/). Metricon will begin bright and early in the morning, continue through a catered lunch in meeting room, and extend into the evening with informal discussion. Attendance will be by invitation. Capacity is limited to 60 participants.

Attendance Attendance is by invitation only. If you would like to attend, send an e-mail to metricon5@securitymetrics.org.

All participants will be expected to “come with findings” and be willing to contribute to group discussions. Politeness will be praised; questions, encouraged; lurkers, flushed out.

The proceedings of all past meetings are available here:

• Metricon 1
• Metricon 2
• Mini-Metricon 2.5
• Metricon 3
• Mini-Metricon 3.5
• Metricon 4
• Mini-Metricon 4.5

For speakers:

• Deadline for final presentation: July 30th, 2010