Mini-Metricon 3.5 — Practical Security Metrics

August 2, 2009

Mini-Metricon 3.5 was held Monday, April 20, 2009 at the Google offices, within walking distance of Moscone Center.

Agenda #

The format of Mini-Metricon 3.5 was four grouped sessions plus an hour long CISO “Mashup.” Each session had three 20-minute presentations of ideas, followed by 30 minutes of discussion and general interaction with all attendees.

• Breakfast in room
• Google – Welcome from sponsor
• Enterprise Metrics Case Studies. Discussion leader: Steve Piliero, Center for Internet Security
  • Carolyn Wong, Ebay – Metrics at Ebay
  • Richard Seierson, Kaiser-Permanente – Foundations for Security Business Intelligence
  • John Flynn and Steve Weis, Google – Metrics at Google
• CISO MashUp. Discussion leader: Andrew Jaquith, Forrester Research
• Lunch with CISOs – provided by Google
• Metrics from Real Data. Discussion leader: Ray Kaplan, Ray Kaplan & Associates
  • Wade Baker, Verizon Business – Data Breach Investigations Project Update
  • Steve Kruse, Impruve and Bill Pankey, The Tunitas Group – Security Awareness Metrics
  • Jeremiah Grossman, Whitehat Security – Top Website Vulnerabilities
• Frameworks. Discussion Leader: Jeremy Epstein
  • Jennifer Bayuk – Frameworks for Architecture, Metrics and Risk
  • Lilian Wang, ClearPoint Metrics – Metrics Mashup
  • Fred Cohen – Metrics Framework for Legal Matters
• Enterprise plans and lessons learned. Discussion leader: Fred Cohen, Fred Cohen & Associates
  • Mauren Doyle, Northern Kentucky University – Security of Open Source Web Applications
  • Brenda Larcom, Zscaler – Attack Resistance Score
  • William Kruse, Cigital – Penetration Testing Metrics
• Betsy Nichols, Plexlogic – Closing Remarks

Program Committee #

Chair, Betsy Nichols, PlexLogic Members:

• Fred Cohen, Fred Cohen & Associates
• Jeremy Epstein, SRI International
• Ray Kaplan, Ray Kaplan and Associates
• Steve Kruse, Impruve
• Andrew Jaquith, Forrester Research
• Pete Lindstrom, Spire Security
• Steve Piliero, Center for Internet Security
• Lilian Wang, ClearPoint Metrics

Original Call for Participation #

Mini-Metricon 3.5 will be held this year on Monday, April 20, 2009 within walking distance of Moscone Center, the location of the RSA 2009 Conference to be held during the same week in San Francisco, CA. Metricon 3.5 is an informal workshop designed to facilitate exchange of new ideas as well as practical experience in using metrics to drive better security, compliance, and risk management. The day will be divided equally between open/moderated exchange and short informal presentations. Participants are expected to come prepared to actively interact as either presenters or active listeners.

• Place: Google Offices (within walking distance of Moscone in SanFrancisco, CA.)
• Time: 8:30am to 4:30pm
• Participation: Invitation only
• Attendance: Limited to 50 people
• Program: Practical Security Metrics
• Sponsor: Google, Inc.

Important dates

• 19 Jan 2009 - Responses Due to this Call
• 6 Feb 2009 - Notification of Acceptance
• 20 Apr 2009 - Metricon 3.5 Workshop

Additional information will be posted at as it becomes available.

Due to space limitations, we are asking all who are interested in participating to send an email to metricon3.5@securitymetrics.org. Please provide some information about who you are, what is your interest/experience with metrics, what metrics you can bring to discuss, and your preferred level of participation. Possible levels of participation include: presenter and active audience participant.

Presenters: Please provide an abstract of 5 paragraphs or less that describes the nature of the metrics and metric results that you would like to present. Plagiarism is dishonest and the organizers of this workshop will take appropriate action if dishonesty of this sort is discovered. Submission of recent, previously published work as well as simultaneous submissions to multiple venues is entirely acceptable but only if you disclose this in your proposal.

Active audience participants: Please indicate areas of specific interest.

Some links to examples of past well-received presentations are:

For enterprise programs:

• eBay Presentation
• Intel Presentation

For quantitative results:

• Verizon Presentation
• Whitehat Presentation

Criteria for evaluation

Based on the results from a survey of interests of the securitymetrics.org community in the Nov-Dec 2008 timeframe, the Program Committee has defined the following criteria for evaluating proposals for participation in Metricon 3.5:

For presenters: The topics of highest interest, based upon survey results are case studies and metrics that matter – defintions and how to interpret results. Selection criteria are:

• Is the material new?
• Is the material relevant to the topics of highest interest to the community?
• Is the material immediately useful?
• Is the matrical timely? Does it address current events and trends?

For active audience participants: The primary criteria are willingness to share information–both good and bad–about their security metrics initiatives, whether thier respective programs are mature or just starting.

Notification

To get invitations out well beforehand, we need all email submissions to be sent by Monday, 19 Jan 2009. Our goal is to send invitations to participate by 6 Feb 2009.

Visit securitymetrics.org for digests, presentations, and handouts from past Metricon Workshops.

Please direct any questions to metricon3.5@securitymetrics.org.