MetriCon 3.0 — Third Workshop on Security Metrics
Tuesday, 29 July 2008, San Jose, California
___________________________________________________________________
8:45am: Welcome words / housekeeping details - Dan Geer
___________________________________________________________________
9:00am-10:30am - Models proposed and derived
•Thomas Heyman & Christophe Huygens : "Using Model Checkers to Elicit Security
Metrics"
•Adam O’Donnell : "Games, Metrics, and Emergent Threats"
•Fred Cohen : "Bringing Clarity to Security Decision Making Using Qualitative
Metrics in 2 Dimensions"
Discussants: Lloyd Ellam & Elizabeth Nichols
___________________________________________________________________
10:45am-12:15pm - Tools and their application
•Yolanta Beresnevichiene : "Metrics Driving Security Analytics"
•Alain Mayer : "Security Risk Metrics: The View From the Trenches"
•Amrit Williams : "How to Define and Implement Operationally Actionable Security
Metrics"
Discussants: Gunnar Peterson & Andrew Jaquith
___________________________________________________________________
12:15pm-1:30pm - In-room lunch, the final 30 minutes jointly from
•Jennifer Bayuk : "Comparing Metrics Designed for Risk-Management with Metrics
Designed for Security"
Discussant: Bryan Ware
___________________________________________________________________
1:30pm-3:00pm - Scoring results and methods
•James Walden : "Code Complexity and Static Analysis"
•Karen Scarfone : "Evidence-Based, Good Enough, & Open"
•Arshad Noor : "Identity Protection Factor"
Discussants: Fred Cohen & Dan Conway
___________________________________________________________________
3:15pm-4:45pm - Enterprise plans and lessons learned
•Caroline Wong : "eBay’s Metrics Program"
•Clint Kreitner : "CIS’ Metrics Program"
•Kevin Peuhkurinen : "Great-West’s Metrics Program"
Discussants: Christine Whalley & Dan Geer
___________________________________________________________________
5:00pm-5:45pm - Perimeters are the simplest possible thing to measure, right?
•Sandeep Bhatt : "Metrics-Based Firewall Management"
•Avishai Wool : "Firewall Configuration Errors Revisited"
Discussant: Bob Blakley
___________________________________________________________________
5:45pm-whenever: Minimalist closing remarks - Dan Geer
Drinks & dinner in room, and whatever happens next — which it is hoped includes lessons learned, volunteers for further episodes of MetriCon, ideas on how we can best further support ourselves jointly, etc. Perhaps we will have someone stand up and lead such a discussion; consider that part of the program still fluid.