Wednesday, May 04, 2011

NEW (!) Metricon is Coming, RFP Out

The CFP for Metricon 6 is alive, the deadline is June 15. If you think that the previous one [somewhat] sucked, this one will be different, since it will be about…

"Real People Generating Real Information"

This year, Metricon 6 is excited to issue a call for participation to the InfoSec community. Occurring August 9th 2011 colocated with USENIX in San Francisco California. We will be breaking up topics into the following sections, and subsequently would be very interested to review submissions in the following subjects:

• Metrics & Instrumentation
• The Utility of Risk Metrics
• Risk & Cyber Insurance
• Methods for measuring impact
• Incident Management Metrics
• Operational Metrics Beyond Patches, Vulns, & Anti-Virus


This year's Metricon will be more "convention" than "defend your thesis." Included will be panels, discussions, as well as traditional presentations. We would like to include:

The "Listen" Portion of our Program: Executive use of Metrics

WANTED: Executives to join a panel on the use of Metrics to make decisions:

Metricon 6 is seeking executives excited to discuss metrics they are happy with, unhappy with, or just executives who want to reach out to the security metric community and give us an earful.

We're especially interested in executives who are (or have unsuccessfully tried to) use operational metrics to make business case.

The "Feedback" Portion of our Program: Metrics & Instrumentation

WANTED: Vendors (Product Managers?) who want to talk about their approach to developing the artifacts for their products and services and how they currently or in the future hope to help customers feed an evidence-driven approach to risk management.

In addition, we are looking for security vendors who would like unobstructed feedback to the artifacts and outputs of their current products & services.

For Discussion: Methods for Measuring Impact

WANTED: risk analysts, auditors and anyone else who is estimating and/or tracking the impact of incidents. How do you account for or estimate how much an organization suffers from IT Security incidents.

Speaking of Incidents, For Discussion: The Role of Metrics in an Incident Response Program

WANTED: IR teams and/or executives willing to talk war stories not about incident specifics but looking back, what is the role of metrics in IR (real or hypothetical), what metrics you (may or may not) collect, and why.

For Discussion: Risk & CyberInsurance

WANTED: Do you buy, sell, or have internal hedging practices that could be considered "cyberinsurance?" We're seeking individuals to present on the growing practice of cyberinsurance and it's use as a hedge against security incidents.

For Discussion: Operational Metrics Beyond Patches, Vulns, & Anti-Virus

It's cliche these days to say that most operational metrics programs are of little use beyond "the big three". WANTED: Panelists and presenters for discussions around operational metrics that are not directly the output of vuln. mgmt, patch mgmt, or A/V products.

The Lightening Rounds: New and Unique Approaches

15 minute sessions showing off new research, approaches, data and models.


See ya there!!

Dr Anton Chuvakin