Metricon 7 — Security Metrics: Useful or Bust!

Metricon 7 — Security Metrics: Useful or Bust!

August 19, 2012

Metricon 7 was a one-day event, Tuesday, August 7, 2012, co-located with USENIX, in Bellevue, WA. This page contains a description of the event, presentations, and the original CFP.

Program #


Adam Montville posted a great summary on his blog. His lessons learned included:

  • Culture Matters
  • Goals matter
  • Measure what you’re told
  • Adopt Goal Question Metric (GQM) methodology
  • Accountability yields metricophobia
  • Available data drives metrics
  • Understand the audience

Program Committee #

Chair: Dr. Anton Chuvakin


  • Fred Cohen
  • Ramon Krikken
  • Pete Lindstrom
  • Raffael Marty
  • Gunnar Petersen
  • Chris Walsh
  • Caroline Wong
  • Lance Hayden
  • Alex Hutton

Original Call for Participation #

Security Metrics: Useful or Bust!

How to define, generate, and communicate security metrics you can use today.

This year, Metricon 7.0 is excited to issue a call for participation to the information security community. The event will occur August 7th 2012 collocated with USENIX in Bellevue, WA.

Given that this is the 7th event, we think it is time to finally say it: security metrics must be useful now! Thus, the focus this year is on useful and usable metrics – not conceptual and theoretical stuff that sounds great, but cannot and will not be used in today’s organizations. Also, presentations and panels that talk about “How?” and “What?” will be strongly prioritized over “Why?”(and “whine”). Enterprises and tool vendors are both welcome to present! Academic researchers tacking the real-world problems are welcome as well.

We want to see:

  • How you achieved “quick wins” with security metrics?
  • How you define useful metrics, whether risk or operational?
  • What metrics you track are the most useful?
  • How did you solve a particular challenge in security metrics area?
  • How your tool helps (not “can help”!) with collecting and analyzing security metric data?
  • Who gets the metrics you create? How do they use them?
  • What metrics you use to determine that security controls are effective?
  • How organization generate actionable advice from security metrics?
  • How to track that your security is improving using metrics?

We do not want:

  • Uncollectable and unusable metrics
  • Metrics philosophy
  • Uncooked metrics that sound vaguely “interesting”

Send submissions and your ideas for panel and presentations to

Deadline for presentation and talk submissions is May 31st, 2012. Submissions should be sent to

If you would like to attend, and have not received an invitation, please contact any member of the program committee or send mail to and include a brief statement of qualification.

comments powered by Disqus