Metricon 6 — Real People Generating Real Information


Metricon 6 was a one-day event, Tuesday, August 9, 2011, co-located with USENIX, in San Francisco, CA. This page contains a description of the event, presentations, and the original CFP.


  • Richard Seiersen, Kaiser Permanente — Operation Risk Management
  • Richard Lippmann, James Riordan, Cyber Systems and Technology Group, MIT Lincoln Laboratory — Critical Control Security Metrics for Continuous Network Monitoring
  • Wendy Nather, 451 Group — Quantifying the Unquantifiable: When Risk Gets Messy
  • Brian Keefer, Jared Pfost — Moneysec: Applying the “Moneyball” philosophy to information security metrics
  • Ed Bellis, HoneyApps — That’s So Meta: Gleaning Business Context In The Vulnerability Warehouse
  • Joshua Corman, Akamai — “Shall we play a game?” and other questions from Joshua
  • Dominic White, SensePost — Corporate Threat Modeler
  • William Claycomb, Michael Hanley, CERT Insider Threat Center, Software Engineering Institute, Carnegie Mellon University — Measuring the Impact of Insider Activity
  • Jake Kouns, Director, Cyber Security and Technology Risks Underwriting at Markel Corporation — Is an organization without Cyber Liability insurance like a fish without a bicycle?
  • Allison Miller, Itai Zukerman — Operationalizing Analytics
  • Panel — Collecting and Sharing Security Metrics: Overcoming Fear (or not!), Moderator: Mike Rothman, Securosis

Final program including session summaries.

Chris Hayes posted a great summary on his blog.

Program Committee

Chair: Alex Hutton


  • Chris Hayes
  • Jay Jacobs
  • Chris Walsh
  • Ray Kaplin
  • Pete Lindstrom
  • Allison Miller
  • Mike Dahn

Original Call For Participation

This year, Metricon 6 is excited to issue a call for participation to the InfoSec community. The workshop takes place on August 9th, co-located with USENIX in San Francisco, California. We will organize the program into the following sections, and we would be very interested to review submissions on these subjects:

  • Metrics & Instrumentation
  • The Utility of Risk Metrics
  • Risk & Cyber Insurance
  • Methods for measuring impact
  • Incident Management Metrics
  • Operational Metrics Beyond Patches, Vulns, & Anti-Virus

The program

This year’s Metricon will be more “convention” than “defend your thesis.” Included will be panels, discussions, as well as traditional presentations. We would like to include:

  • The “Listen” Portion of our Program: Executive use of Metrics. Wanted: Executives to join a panel on the use of metrics to make decisions. Metricon 6 is seeking executives excited to discuss metrics they are happy with, metrics they are unhappy with, or simply executives who want to reach out to the security metrics community and give us an earful. We’re especially interested in executives who use (or have unsuccessfully tried to use) operational metrics to make a business case.
  • The “Feedback” Portion of our Program: Metrics & Instrumentation. Wanted: Vendors (Product Managers?) who want to talk about their approach to developing the artifacts for their products and services, and how they currently help, or hope in the future to help, customers feed an evidence-driven approach to risk management. In addition, we are looking for security vendors who would like unfiltered feedback on the artifacts and outputs of their current products and services.
  • For Discussion: Methods for Measuring Impact. Wanted: Risk analysts, auditors, and anyone else who is estimating and/or tracking the impact of incidents. How do you account for or estimate how much an organization suffers from IT security incidents?
  • Speaking of Incidents, For Discussion: The Role of Metrics in an Incident Response Program. Wanted: IR teams and/or executives willing to share war stories, not about incident specifics, but looking back: what is the role of metrics in IR (real or hypothetical), what metrics do you collect (or not), and why?
  • For Discussion: Risk & CyberInsurance. Wanted: Do you buy or sell cyberinsurance, or have internal hedging practices that could be considered “cyberinsurance”? We’re seeking individuals to present on the growing practice of cyberinsurance and its use as a hedge against security incidents.
  • For Discussion: Operational Metrics Beyond Patches, Vulns, & Anti-Virus. It’s a cliché these days to say that most operational metrics programs are of little use beyond “the big three.” Wanted: Panelists and presenters for discussions around operational metrics that are not directly the output of vulnerability management, patch management, or A/V products.
  • The Lightning Rounds: New and Unique Approaches. 15 minute sessions showing off new research, approaches, data and models.

Vital Details

Digests, presentations, and handouts from past Metricon workshops are available on the Metricon site.


To get invitations out well beforehand, we’d like all email submissions to be in hand by June 15th. Our goal is to send invitations to participate by June 20th.

Important Dates

  • 15 June 2011 — Responses Due to this Call
  • 20 June 2011 — Notification of Acceptance
  • 09 Aug 2011 — Metricon 6.0 Workshop

Feel free to contact the Program Chair, Alex Hutton, with any questions.