Call for Papers

          4th International Workshop on Quality of Protection
                               (QoP 2008)

                            October 27, 2008
                          Alexandria, VA, USA

                        An ACM CCS 2008 workshop


In the last few decades, Information Security has gained numerous
standards, industrial certifications, and risk analysis methodologies.
However, the field still lacks the strong, quantitative,
measurement-based assurance that we find in other fields. For example,
Networking researchers have created and utilize Quality of Service
(QoS), Service Level Agreements (SLAs), and performance evaluation
measures. Empirical Software Engineering has made similar advances
with software measures: processes to measure the quality and
reliability of software exist and are appreciated in industry.

Security looks different. Even a fairly sophisticated standard such as
ISO17799 has an intrinsically qualitative nature. Notions such as
Security Metrics, Quality of Protection (QoP) or Protection Level
Agreement (PLA) have surfaced in the literature, but they still have a
qualitative flavor. Furthermore, many recorded security incidents have
a non-IT cause. As a result, security requires a much wider notion of
"system" than do most other fields in computer science. In addition to
the IT infrastructure, the "system" in security includes users, work
processes, and organizational structures.

The goal of the QoP Workshop is to help security research progress
towards a notion of Quality of Protection in Security comparable to
the notion of Quality of Service in Networking, Software Reliability,
or measures in Empirical Software Engineering.


Original submissions are solicited from industry and academic experts
to present their work, plans and views related to Quality of
Protection. The topics of interest include but are not limited to:

     * Industrial experience
     * Security risk analysis
     * Security measures
     * Reliability analysis
     * Security quality assurance
     * Measurement-based decision making and risk management
     * Empirical assessment of security architectures and solutions
     * Mining data from attack and vulnerability repositories
     * Measurement theory
     * Formal theories of security measures
     * Security measurement and monitoring
     * Experimental validation of models
     * Simulation and statistical analysis
     * Stochastic modeling


     * May 15, 2008 - Paper submission due
     * July 11, 2008 - Acceptance notification
     * August 10, 2008 - Camera-ready papers due


     * Andy Ozment, US
     * Ketil Stolen, SINTEF, NO


     * Alessandro Acquisti - Carnegie Mellon University (US)
     * Guenter Bitz - SAP (DE)
     * Jean Camp - Indiana University (US)
     * Dieter Gollmann - TU Hamburg-Harburg (DE)
     * Sushil Jajodia - George Mason University (US)
     * Hongxia Jin - IBM Almaden Research Center (US)
     * Erland Jonsson - Chalmers University of Technology (SE)
     * Audun Josang - Queensland University (AU)
     * Yucel Karabulut - SAP Research Palo Alto (US)
     * Guenter Karjoth - IBM Research (CH)
     * Volkmar Lotz - SAP (FR)
     * Fabio Massacci - University of Trento (IT)
     * John McHugh - Dalhousie University (CA)
     * Stephan Neuhaus - Saarland University (DE)
     * Andy Ozment - (US)
     * Eduardo Fernández-Medina - University of Castilla-La Mancha (ES)
     * Shari Lawrence Pfleeger - RAND Corporation (US)
     * Riccardo Scandariato - Katholieke Universiteit Leuven (BE)
     * Tomas Sander - HP Labs (US)
     * Santosh Shrivastava - University of Newcastle upon Tyne (UK)
     * Anoop Singhal - NIST (US)
     * Vipin Swarup - The MITRE Corporation (US)
     * Nicola Zannone - University of Trento (IT)


Original research papers describing significant research results are
solicited in any of the above-mentioned topics. Preliminary research
results can be submitted in the form of short papers. We also solicit
industry experience reports about the use of security measures in
industrial environments. Industry papers should have at least one
author from industry or government, and will be considered for their
industrial relevance.

Papers are required (1) to explicitly state the hypothesis being
tested, or characterize the problem being solved in the form of
success criteria, and (2) to have a research methodology section. The
research methodology section should contain enough details that a
reader could reproduce the work, at least as a thought-experiment.
Where appropriate, this section should include information such as:
materials, apparatus and stimuli used, a description of the subjects
or data sets used, the experimental design, and the procedure.

Authors should use the ACM SIG proceedings template when preparing
their submission. The page limit for the final proceedings version
will be 6 pages in double-column ACM format; short papers are limited
to 3 pages. Only PDF or PS files are accepted.


The proceedings of the workshop will be published by the ACM; they will
have an ISBN and be included in the ACM Digital Library.
Authors of accepted papers will be expected to give full presentations
at the workshop.