Call for Papers

     3rd International Workshop on Quality of Protection (QoP 2007)
                      Affiliated with ACM CCS

                          October 29, 2007
                        Alexandria, VA, USA


In the last few decades, Information Security has gained numerous
standards, industrial certifications, and risk analysis methodologies.
However, the field still lacks the strong, quantitative,
measurement-based assurance that we find in other fields. For example,
Networking researchers have created and utilize Quality of Service
(QoS), Service Level Agreements (SLAs), and performance evaluation
metrics. Empirical Software Engineering has made similar advances with
software metrics: processes to measure the quality and reliability of
software exist and are appreciated in industry.

Security looks different. Even a fairly sophisticated standard such as
ISO17799 has an intrinsically qualitative nature. Notions such as
Security Metrics, Quality of Protection (QoP) or Protection Level
Agreement (PLA) have surfaced in the literature, but they still have a
qualitative flavor. Furthermore, many recorded security incidents have
a non-IT cause. As a result, security requires a much wider notion of
"system" than do most other fields in computer science. In addition to
the IT infrastructure, the "system" in security includes users, work
processes, and organizational structures.

The goal of the QoP Workshop is to help security research progress
towards a notion of Quality of Protection in Security comparable to
the notion of Quality of Service in Networking, Software Reliability,
or Software Measurements and Metrics in Empirical Software

Original submissions are solicited from industry and academic experts
to presents their work, plans and views related to Quality of
Protection. The topics of interest include but are not limited to:

    * Industrial experience
    * Security risk analysis
    * Security metrics
    * Reliability analysis
    * Security quality assurance
    * Measurement-based decision making and risk management
    * Empirical assessment of security architectures and solutions
    * Mining data from attack and vulnerability repositories
    * Measurement theory
    * Formal theories of security metrics
    * Security measurement & monitoring
    * Experimental validation of models
    * Simulation & statistical analysis
    * Stochastic modeling 


    * June 6, 2007 (Wed) - Submissions due
    * July 20, 2007 (Fri) - Authors notified
    * August 22, 2007 (Wed) - Camera-ready papers due (firm deadline)
    * October 29, 2007 (Mon) - Workshop 

Authors of accepted papers will be expected to give full presentations
at the workshop. The proceedings of the workshop will be published by
the ACM; it will have an ISBN number and be included in the ACM
digital library.   

Original research papers are solicited in any of the above mentioned
topics describing significant research results. Preliminary research
results can be submitted in the form of short papers. We also solicit
industry experience reports about the use of security measurements and
metrics in industrial environments. Industry papers should have at
least one author from industry or government, and will be considered
for their industrial relevance.      

All papers should be based on sound theory or experimental assessment.
Experimental assessments must contain an explanation of the

Authors should use the ACM SIG proceedings template when preparing
their submission. The page limit for the final proceedings version
will be 6 pages in double-column ACM format; short papers are limited
to 3 pages. Only PDF or PS files are accepted.   

Guenter Karjoth - IBM Research (CH)
Ketil Stoelen - SINTEF (NO)

Andy Ozment - University of Cambridge (UK)

The program committee is still being selected, but current members
Alessandro Acquisti - Carnegie Mellon University (USA) 
Guenter Bitz - SAP (DE)
Virgil D. Gligor - University of Maryland (USA)
Dieter Gollmann- TU Hamburg-Harburg (DE)
Erland Jonsson - Chalmers University of Technology (SW)
Audun Josang - Queensland University (AU)
Yucel Karabulut - SAP Research Palo Alto (US)
Volkmar Lotz - SAP (FR)
Fabio Massacci - University of Trento (IT)
David M. Nicol - University of Illinois (USA)
Andy Ozment - University of Cambridge (UK)
Eduardo Fernandez-Medina Paton - University of Castilla-La Mancha (SP)
Tomas Sander - HP Labs (USA)
Peter Schoo - DoCoMo EuroLabs (DE)
Santosh Shrivastava - University of Newcastle upon Tyne (UK)
Vipin Swarup - The MITRE Corporation (USA)
Nicola Zannone - University of Trento (IT)


    * QoP 2006 was affiliated with the 13th ACM Conference on Computer
    and Communications Security (ACM CCS 2006). The Proceedings of QoP
    2006 are available from the ACM.  
    * QoP 2005 was affiliated with the 10th European Symposium on
    Research in Computer Security (ESORICS 2005) and the 11th IEEE
    International Software Metrics Symposium (METRICS 2005). The
    revised Proceedings of QoP 2005 are available from Springer.