CFP: Security Measurements and Metrics, (Formerly the Workshop on Quality of Protection

------------------------------------------------------------------

                          Call for Papers

                           MetriSec 2009
  5th International Workshop on SECURITY MEASUREMENTS AND METRICS
      (Formerly the Workshop on Quality of Protection - QoP)

        http://www.cs.kuleuven.be/conference/MetriSec2009/

         Affiliated with the International Symposium on
       Empirical Software Engineering and Measurement (ESEM)

                         October 14, 2009
                   Lake Buena Vista, Florida, USA

------------------------------------------------------------------


WORKSHOP OVERVIEW

Quantitative assessment is a major stumbling block for software and 
system security. Although some security metrics exist, they are rarely 
adequate. The engineering importance of metrics is intuitive: you cannot 
consistently improve what you cannot measure. Economics is an additional 
driver for security metrics: customers are unlikely to pay a premium for 
security if they are unable to quantify what they receive.

The goal of the workshop is to foster research into security 
measurements and metrics and to continue building the community of 
individuals interested in this field. MetriSec continues the tradition 
started by the Quality of Protection (QoP) workshop series; this year, 
the new co-location with ESEM is an opportunity for the security metrics 
folks to meet the metrics community at large.

The organizers solicit original submissions from industry and academic 
experts on the development and application of repeatable, meaningful 
measurements in the fields of software and system security. The topics 
of interest include, but are not limited to:

* Security metrics
* Security measurement and monitoring
* Development of predictive models
* Experimental validation of models
* Formal theories of security metrics
* Security quality assurance
* Empirical assessment of security architectures and solutions
* Mining data from attack and vulnerability repositories: e.g. CVE, CVSS
* Static analysis metrics
* Simulation and statistical analysis
* Stochastic modeling
* Security risk analysis
* Industrial experience


IMPORTANT DATES

Abstract submission: May 28, 2009
Submission of paper: June 4, 2009
Acceptance notification: July 10, 2009
Submission of camera-ready: August 15, 2009


PUBLICATION

Authors of accepted papers must present their work at the workshop. The 
proceedings of the workshop will be electronically published by the IEEE.


PAPER SUBMISSION

Submissions are sought in any of the following three categories:
(a) Research papers describing original results, both theoretical and 
experimental, are solicited in any of the above mentioned topics. 
Theoretical papers should clearly state the contribution and include 
some initial validation. This year, experimental papers are particularly 
welcome. In this case authors are  required to explicitly state their 
hypothesis, to detail the methodology used, and to describe the 
experiment set-up.
(b) Preliminary research results or new ideas can be submitted in the 
form of short papers.
(c) Industry experience reports are also welcome. Industry papers should 
have at least one author from industry or government, and will be 
considered for their industrial relevance.

The page limit for the final proceedings version is 8 pages in 
double-column format; short papers are limited to 4 pages. Authors 
should use the ACM SIG Proceedings Template when preparing their 
submission. Only PDF files are accepted.


PROGRAM CHAIRS

Andy Ozment (Office of the Secretary of Defense, US)
Riccardo Scandariato (Katholieke Universiteit Leuven, BE)


WEB CHAIR

Thomas Heyman (Katholieke Universiteit Leuven, BE)