Mini-Metricon 3.5 — Practical Security Metrics

Mini-Metricon 3.5 — Practical Security Metrics

August 2, 2009

Mini-Metricon 3.5 was held Monday, April 20, 2009 at the Google offices, within walking distance of Moscone Center.

Agenda #

The format of Mini-Metricon 3.5 was four grouped sessions plus an hour long CISO “Mashup.” Each session had three 20-minute presentations of ideas, followed by 30 minutes of discussion and general interaction with all attendees.

Program Committee #

Chair, Betsy Nichols, PlexLogic Members:

  • Fred Cohen, Fred Cohen & Associates
  • Jeremy Epstein, SRI International
  • Ray Kaplan, Ray Kaplan and Associates
  • Steve Kruse, Impruve
  • Andrew Jaquith, Forrester Research
  • Pete Lindstrom, Spire Security
  • Steve Piliero, Center for Internet Security
  • Lilian Wang, ClearPoint Metrics

Original Call for Participation #

Mini-Metricon 3.5 will be held this year on Monday, April 20, 2009 within walking distance of Moscone Center, the location of the RSA 2009 Conference to be held during the same week in San Francisco, CA. Metricon 3.5 is an informal workshop designed to facilitate exchange of new ideas as well as practical experience in using metrics to drive better security, compliance, and risk management. The day will be divided equally between open/moderated exchange and short informal presentations. Participants are expected to come prepared to actively interact as either presenters or active listeners.

  • Place: Google Offices (within walking distance of Moscone in SanFrancisco, CA.)
  • Time: 8:30am to 4:30pm
  • Participation: Invitation only
  • Attendance: Limited to 50 people
  • Program: Practical Security Metrics
  • Sponsor: Google, Inc.

Important dates

  • 19 Jan 2009 - Responses Due to this Call
  • 6 Feb 2009 - Notification of Acceptance
  • 20 Apr 2009 - Metricon 3.5 Workshop

Additional information will be posted at as it becomes available.

Due to space limitations, we are asking all who are interested in participating to send an email to Please provide some information about who you are, what is your interest/experience with metrics, what metrics you can bring to discuss, and your preferred level of participation. Possible levels of participation include: presenter and active audience participant.

Presenters: Please provide an abstract of 5 paragraphs or less that describes the nature of the metrics and metric results that you would like to present. Plagiarism is dishonest and the organizers of this workshop will take appropriate action if dishonesty of this sort is discovered. Submission of recent, previously published work as well as simultaneous submissions to multiple venues is entirely acceptable but only if you disclose this in your proposal.

Active audience participants: Please indicate areas of specific interest.

Some links to examples of past well-received presentations are:

For enterprise programs:

For quantitative results:

Criteria for evaluation

Based on the results from a survey of interests of the community in the Nov-Dec 2008 timeframe, the Program Committee has defined the following criteria for evaluating proposals for participation in Metricon 3.5:

For presenters: The topics of highest interest, based upon survey results are case studies and metrics that matter – defintions and how to interpret results. Selection criteria are:

  • Is the material new?
  • Is the material relevant to the topics of highest interest to the community?
  • Is the material immediately useful?
  • Is the matrical timely? Does it address current events and trends?

For active audience participants: The primary criteria are willingness to share information–both good and bad–about their security metrics initiatives, whether thier respective programs are mature or just starting.


To get invitations out well beforehand, we need all email submissions to be sent by Monday, 19 Jan 2009. Our goal is to send invitations to participate by 6 Feb 2009.

Visit for digests, presentations, and handouts from past Metricon Workshops.

Please direct any questions to

comments powered by Disqus