August 23, 2010
Metricon 5 was held Tuesday, August 10th, 2010, co-located with the 19th USENIX Security Symposium in Washington, DC. This page contains the details of the meeting, including its CFP, the final agenda, and the meeting’s Digest.
Program
Andrew Jaquith, Forrester Research – Five Years of Security Metrics: A Look Back
Richard Seiersen, Kaiser Permanente – Practical Security Metrics in the 4th Dimension
RH Powell, Akamai – Weathering Storms in the Cloud: Analyzing Massive Distributed Denial of Service Attacks to Better Prepare for the Future
John S Quarterman, Quarterman Creations/CREC at the UT Austin School of Business – Spam Reputation as Output Measure of Infosec
Gina Fisk, Los Alamos National Laboratories – Optimizing Performance Management using Adaptive Metrics, Fitness Functions, and the Balanced Score Card
Fabio Massacci, Universita’ di Trento – Which is the Right Source for Vulnerability Studies?
March 19, 2010
Mini-Metricon 4.5 was held Monday, March 1, 2010, in San Francisco, California, adjacent to the RSA Conference USA 2010. The presentations are posted as links on this page; the original CFP is here as well.
Program
Chris Walsh – Introductory Remarks
Jennifer Bayuk – Summary of Metricon 4.0
Morning Session I – Chair: Jeremy Epstein
Pete Lindstrom, Spire Security – Qualitative Tuning as Preparation for Quantitative Methods
Ashish Larivee, Veracode – Metrics for Insights on the State of Application Security
Morning Session II – Chair: Joe Magee
Alex Hutton and Wade Baker, Verizon Business – Translating the Narrative into Metrics: The Verizon Incident Sharing Framework
Anoop Singhal, NIST – Ontologies for Modeling Enterprise Level Security Metrics
Afternoon Session I – Chair: Caroline Wong
Christian Frühwirth, Helsinki Institute of Technology – Improving CVSS-based Vulnerability Prioritization with Business Context Information
Ramon Krikken, Burton Group – Field Research: Security Metrics Programs
Afternoon Session II – Chair: Ray Kaplan
Panel: Metrics for Cloud Security
September 27, 2009
Metricon 4 was held Tuesday, August 11, 2009, in Montreal, Quebec, co-located with the USENIX Security Symposium. This page contains the details of the meeting, including the original CFP, the final agenda, and the meeting’s Digest.
Baseline Scoring Methods
John Nye – Reproducible Measurement as a Foundation for Security Assessment Metrics
Ed Bellis, Orbitz – Orbitz SCAP Metrics
Measuring Impact
Lloyd Ellam, SigmaRisks – The Ugly, The Bad, and The Good
Shivaraj Tenginakai – Metrics for Detecting Compromised Systems
August 2, 2009
Mini-Metricon 3.5 was held Monday, April 20, 2009 at the Google offices, within walking distance of Moscone Center.
Agenda
The format of Mini-Metricon 3.5 was four grouped sessions plus an hour-long CISO “Mashup.” Each session had three 20-minute presentations of ideas, followed by 30 minutes of discussion and general interaction with all attendees.
Breakfast in room
Google – Welcome from sponsor
Enterprise Metrics Case Studies. Discussion leader: Steve Piliero, Center for Internet Security
Caroline Wong, eBay – Metrics at eBay
Richard Seiersen, Kaiser Permanente – Foundations for Security Business Intelligence
John Flynn and Steve Weis, Google – Metrics at Google
CISO MashUp
June 19, 2009
Mini-Metricon 2.5 was held Monday, 7 April 2008 in San Francisco, California.
Agenda
Welcome and Introduction. Moderator: Betsy Nichols, PlexLogic
Introduction: Fred Cohen, Fred Cohen & Associates
Welcome: Brent Rowe, RTI International
Definitions/Terminology/Structures. Moderator: Fred Cohen, Fred Cohen & Associates
Pete Lindstrom, Burton Group – Enterprise Security Metrics
Amnon Lotem, Skybox – Model Based Metrics
Anoop Singhal, NIST – Network Security and Risk Analysis Using Attack Graphs
Group Discussion
Critical Areas of Coverage
January 8, 2009
Agenda
Metricon 3 was held Tuesday, 29 July 2008 in San Jose, California.
Dan Geer – Welcome words and housekeeping details
Four grouped sessions follow; each has three presentations of ideas of at most 20 minutes, followed by 30 minutes of reaction from discussants and general interaction with all Metricon attendees. Breaks are short, as is life. Lunch, which is in-room, is long enough but no longer. Dinner, which is in-room, is as long as people want, though there is nothing “to do” that is more important than making the very utmost of the day and thus keeping at it until late.
October 8, 2007
Metricon 2.0 was held August 7, 2007 in Boston.
Agenda
Keynote Debate: “Do Metrics Matter?”
Pro: Andrew Jaquith, Yankee Group
Con: Mike Rothman, SecurityIncite
Immoderator: Elizabeth A Nichols, PlexLogic
Track 1. Chair: Gunnar Peterson, Arctec Group
Russell Cameron Thomas, Meritology – Security Meta Metrics: Measuring Agility, Learning, and Unintended Consequence
Fredrick DeQuan Lee and Brian Chess, Fortify – Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software
Eric Dalci and Robert Hines, Cigital – A Software Security Risk Classification System
Track 2.
February 5, 2007
The redoubtable Fred Cohen organized Mini-Metricon, which was held Monday February 5th at the University of San Francisco. Sponsors were the University of San Francisco and the University of New Haven.
The full agenda is on Fred’s website.
Liveblog by Andrew Jaquith
We are here conversing about metrics. Attendees (about 26) include Fred, Betsy Nichols, Russell Thomas, Jason Zann, Mark Kadrich, Andy Sudbury, Phebe Waterfield, Jeremy Epstein, Brian Darby, Kedar Dhuru, Eddie Schwartz, Raffael Marty.
September 29, 2006
Securitymetrics.org was started by a group of obsessive security and risk professionals way back in the dark ages of security — the early 2000s. The first gathering of “security quants” was held in September 2006, with eight more conferences following, plus 6 mini-conferences. As Metricon celebrates its tenth conference, it is worth reflecting on a body of practice that is now well over ten years old.
Metricon X will be held in March 2019.
September 20, 2006
Metricon 1.0 was held 1 August 2006 in Vancouver, British Columbia, Canada, coincident and co-located with the 15th USENIX Security Symposium. This page has the final agenda, copies of all presentation materials, and a digest summary of the meeting itself. (As is both typical and appropriate, let me hasten to say as the scribe for the affair that all errors are mine.)
The Metricon 1.0 Agenda follows below with presentation materials from each author.