Shostack + Friends Blog Archive


Metricon 4.0 Call for Papers

I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11.

Metricon 4 – The Importance of Context

MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics.
It is a forum for quantifiable approaches and results to problems afflicting information security
today, with a bias towards practical, specific approaches that demonstrate the value of security
metrics with respect to a security-related goal. Topics and presentations will be selected for their
potential to stimulate discussion in the workshop.
MetriCon 4.0 will be a one-day event, Tuesday, August 11, 2009, co-located with the 18th
USENIX Security Symposium
in Montreal, Quebec.
Beginning first thing in the morning, with meals taken in the meeting room, and extending into the
evening. Attendance will be by invitation and limited to 60 participants. All participants will be
expected to “come with findings” and be willing to address the group in some fashion, formally or
not. In keeping with the theme of The Importance of Context, preference will be given to the
authors of position papers/presentations who have actual work in progress that demonstrates the
value of security metrics with respect to a security-related goal.
Topics that demonstrate the importance of context include:

• Data and analyses emerging from ongoing metrics efforts
• Studies in specific subject matter areas
• Time and situation-dependent aspects of security metrics
• Long-term trend analysis and forecasts
• Measures of the depth and breadth of security defenses
• Metrics definitions that can be operationalized
• Incorporating unknown vulnerabilities into security metrics
• Security and risk modeling calibrations
• Security measures in system design
• Software assurance initiatives
• Security metrics relationship to security assessments

The program committee will also consider any innovative security metrics related work
How to Participate
Submit a short position paper or description of work done or ongoing. Your submission must be
brief — no longer than two pages including both text and graphical displays of quantitative
information. Author names and affiliations should appear first in the submission. Submissions
may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to These requests to participate are due no later than noon GMT,
Monday, May 25, 2009 (a hard deadline). You should receive an email acknowledgment of your
submission within a day or two of posting; take action if you do not.
The Program Committee will invite both attendees and presenters. Participants of either sort will
be notified of acceptance quickly — by June15, 2009. Presenters who want hardcopy materials to
be distributed at the Workshop must provide originals of those materials to the Program
Committee by July 27, 2009. All slides, position papers, and what-not will be made available to
all participants at the Workshop. No formal academic proceedings are intended, but a digest of
the meeting will be prepared and distributed to participants and the general public. (Digests for
previous MetriCon meetings are on the past event pages mentioned above.) Plagiarism is
dishonest, and the organizers of this Workshop will take appropriate action if dishonesty of this
sort is found. Submission of recent, previously published work as well as simultaneous
submissions to multiple venues is entirely acceptable, but only if you disclose this in your