Preliminary Call for Paper for the 1st International Workshop on

            QUALITY of PROTECTION - QoP 2005
            Security Measurements and Metrics


          Milano, Italy, Thu. 15 September 2005.

Affiliated with 10th European Symposium on Research in Computer Security
(ESORICS 2005) in Milano (12-14 Sep).


and the 11th IEEE International Software Metrics Symposium (METRICS
2005) in Como (19-22 Sep)



Information Security in Industry has matured in the last few decades.
Standards such as ISO17799, the Common Criteria, a  number of
industrial  certification and risk analysis methodologies have raised
the bar on what is considered a good security solution from a business

Yet, if we compare Information Security with Networking or Empirical
Software Engineering we find a major difference. Networking research
has introduced concepts such as Quality of Service and Service Level
Agreements. Conferences and Journals are frequently devoted to
performance evaluation, QoS and SLAs. Empirical Software Engineering
has made similar advances. Notions such as software metrics and
measurements are well established. Processes to measure the quality
and reliability of software exist and are appreciated in industry.

Security looks different. Even a fairly sophisticated standard such as
ISO17799 has an intrinsically qualitative nature. Notions such as
Security Metrics, Quality of Protection (QoP) or Protection Level
Agreement (PLA) have surfaced in the literature but still have a
qualitative flavour. The "QoP field" in WS-Security is just a data
field to specify a cryptographic algorithm. Indeed, neither ISO17799
nor ISO15408 (the Common Criteria)  addresses QoP sufficiently.
ISO17799 is a  management standard, not directly concerned with the
actual quality of protection achieved; ISO15408 is instead a product
assessment standard and yet does not answer  the question of how a
user of a product assessed by it can achieve a high QoP within his/her
operational environment. Both standards cover just one aspect of an
effective QoP and even the combination of both would not address the
aspect sufficiently. "Best practice" standards, such as the baseline
protection standard published by many government agencies, also belong
to the category of standards that are useful, but not sufficient, for
achieving a good QoP.

Security is different also in another respect. A very large proportion
of recorded security incidents has a non-IT cause. Hence, while the
networking and software communities may concentrate on technical
features (networks and software), security requires a much wider
notion of "system", including users, work processes, organisational
structures in addition to the IT infrastructure.

The QoP Workshop intends to discuss how security research can progress
towards a notion of Quality of Protection in Security comparable to
the notion of Quality of Service in Networking, Software Reliability,
or Software Measurements and Metrics in Empirical Software

Original submissions are solicited from industry and academic experts
to presents their work, plans and views related to Quality of
Protection. The topics of interest include but are not limited to:
* Industrial Experience
* Security Risk Analysis
* Security Quality Assurance
* Measurement-based decision making and risk management
* Empirical assessment of security architectures and solutions
* Mining data from attacks and vulnerabilities repositories
* Security metrics
* Measurement theory and formal theories of security metrics
* Security measurement and monitoring,
* Experimental verification and validation of models,
* Simulation and statistical analysis, stochastic modeling
* Reliability analysis

- Stefano De Panfilis - Engineering SpA (IT)

- Fri June 10, 2005 - Paper submissions
- Fri 8 July - Notification of acceptance
- Mon 12 Sep - Wed 14 Sep ESORICS
- Thu 15 Sep - QoP Workshop
- Mon 19 Sep - Thu 22 Sep IEEE METRICS in Como

Original RESEARCH PAPERS are solicited in any of the above mentioned
topics. Research papers should be limited to 12 pages in the standard
Springer Verlag format, describing significant research results based
on sound theory or experimental assessment.

We also solicit INDUSTRY EXPERIENCE REPORTS, limited to 6 pages, about
the use of security measurements and metrics in industrial
environments. Industry papers should have at least one author from
industry or government, and will be considered for their industrial

Authors of accepted papers will be expected to give full presentations
at the workshop. Revised versions of the papers presented at the
workshop will be published by Kluwer/Springer in the Applied Security

- Imrich Chlamtac - UTDallas (US) & CreateNet (IT)
- Gerhard Eschelbeck - QUALYS (US)
- Dieter Gollmann - TU Hamburg-Harburg  (DE)
- Helmut Kurth -  ATSEC (DE)
- Bev Littlewood - City University, London (UK)
- Fabio Massacci - Univ. di Trento (IT)
- Ketil Stoelen - SINTEF (NO) & Univ. of Oslo (NO)
- Lorenzo Stringini - City University, London (UK)
- Jeannette Wing - CMU (USA)