Measuring security effectiveness.


Welcome to, a community website for security practitioners. offers a community blog (this website) and a members-only mailing list.




Review the proceedings from the Metricon 8 conference, which was held on March 1st, 2013 at the RSA Conference in San Francisco.


Metricon X — Opening Remarks

Posted in metricon

This is the nominal text of Andy Jaquith’s opening remarks for Metricon X, delivered on March 21, 2019. It has been lightly edited for clarity and a few identities have been slightly disguised.


I appreciate everybody coming today. It’s a great turnout for a conference that we rather deliberately did not advertise. If you’re here, it’s because you wanted to be here. You’ve self-selected.

The theme of the conference is “plus ça change…,” the second half of which is “plus c’est la même chose.” Colloquially: “the more things change, the more they stay the same.” So what we’re really here to talk about are the constants and the change. But because I suspect that we will have ample time to reheat some of the old chestnuts (the constants), I’d like to offer a few remarks on the changes — that is, notable happenings in the world of security metrics over the last 12 years.

Metricon X — Agenda

Posted in metricon

Metricon X will be held on March 21st and 22nd at the Stevens Institute of Technology in Jersey City, NJ.

The theme of the conference is: “Metrics that Matters – Help Management with Decision Making and Improve Security Posture of the Organization”

The agenda follows. Chatham House Rules apply.

Metricon X — Call for Papers

Posted in metricon

was started by a group of obsessive security and risk professionals way back in the dark ages of security — the early 2000s. The first gathering of “security quants” was held in September 2006, with eight more conferences following, plus 6 mini-conferences. As Metricon celebrates its tenth conference, it is worth reflecting on a body of practice that is now well over ten years old.

Metricon X will be held in March 2019. It will ask and answer the following questions:

Metricon 9 — Conference Agenda

Posted in metricon, news

Friday, February 28, 2014

  • Open reception/light refreshments
  • Welcome! Metricon 8 recap & “Breaking the mold of security metrics” (Pete Lindstrom / Bob Rudis)
  • Expecting the Unexpected: Using Public Vulnerability Data for Resource Planning (Kymberlee Price, BlackBerry Incident Response Team Incident Manager)
  • Lunch & Unveiling Patterns within “Security Metrics”
  • Methods for Large-scale Measurement of the Security of Internet Ecosystems (Christophe Huygens, Professor, Katholieke Universiteit Leuven)
  • Measuring Third-party Security Risk (Stephen Boyer, BitSight)
  • Seeing the Elephant – Using collected data points to design and roll out software initiatives (Geoffrey Hill, Artis-Secure)
  • Behind The Curtains of the SilverSky Report (Andrew Jaquith, CTO, SilverSky)
  • Behind The Curtains of the Verizon DBIR (Jay Jacobs, Verizon)
  • Security, Visualized (Katherine Brocklehurst, Tripwire)
  • Lightning Talks

Metricon 9 — Call for Papers

Posted in metricon, news

Call for Papers for Metricon 9

Metricon is the annual conference dedicated to security metrics. We are excited to announce Metricon 9 — an all-day metrics workshop. We invite practitioners to present practical and novel approaches for measuring information security effectiveness.

When: Friday, February 28, 2014 (the Friday of RSA); All day event

Where: Near or at RSA; specific location TBD

Theme: Behind the Curtains: From Data to Insight