From david.pym at hp.com Sat May 9 03:07:04 2009
From: david.pym at hp.com (David Pym)
Date: Sat, 09 May 2009 08:07:04 +0100
Subject: [EIS] Trust Economics Workshop, UCL, 23 June, 2009
Message-ID: <4A052B98.106@hp.com>

Dear All,

The First Trust Economics Workshop --- An informal forum to discuss the intersection of human factors, economics and security technology research. Details below.

University College London, UK
23 June 2009 --- preceding the Workshop on the Economics of Information Security (WEIS 2009)

Important date: 22 May, 2009 for a 2-4 page abstract.

http://www.trust-economics.org/teworkshop.html

The first Trust Economics workshop discusses techniques, methods and tools for security decision making, taking into account economic, business and organizational concerns, human factors and information security technology (a 'whole-system' view). As a motivating example, enterprises and government face increasingly difficult and important security decisions related to privacy and confidentiality of data of customers and citizens. How can we improve the decision making in such situations: what weaknesses exist in the state of the art, what information do we need, what (mathematical) tools can we use and what software tools can make a difference?

The purpose of the workshop is to initiate discussions about fundamentally new methods for security decision making based on sound mathematical tools utilizing deep understanding of business, human and technological aspects. We therefore invite contributions from all three areas (economics & business, human factors and technology), to discuss its potential for and relation to information security decision making.

We solicit extended abstracts of 2 to 4 pages, including position and work-in-progress papers.
The areas of interest are, among others:

- probabilistic, stochastic, economic and formal models
- human factors in security and human behavioural modelling
- state-of-the-art enterprise software for security decision making
- software tools to support decision making
- security models and ontologies
- case studies in security decision-making
- measurement and monitoring of security solutions
- legal and regulatory issues
- risk and perception of risk
- business and organisational perspectives

Other subjects are most welcome - please address in your contribution how it (potentially) contributes to a whole-system view to information security decision making. Next to quality, the main selection criterion for acceptance is the potential and relevance to the topic of information security decision making.

Keynote: Cliff Jones on Formal Methods in Interdisciplinary Information Systems Research

Important dates:

Submissions due: 22 May, 2009
Notification of acceptance: 29 May, 2009
Workshop: 23 June, 2009 at UCL, London, UK

Papers should be submitted to the workshop co-chairs on Friday, 22 May, 2009, preferably in PDF format. The workshop will publish a technical report collecting all accepted abstracts.

Workshop Co-chairs:

Aad van Moorsel (aad.vanmoorsel at ncl.ac.uk Newcastle University School of Computing Science, UK)
Julian Williams (julian.williams at abdn.ac.uk University of Aberdeen Business School, UK)

Organisation Chair:

Philip Inglesant (University College London, UK)

Programme Committee:

Robert Coles (Merrill-Lynch)
Christos Ioannidis (U. Bath)
Hilary Johnson (U. Bath)
David Pym (HP Labs and U. Bath)
Angela Sasse (UCL)
Simon Shiu (HP Labs)

--
Prof. David J. Pym          t: +44 (0) 117 312 8012
Systems Security Lab        f: +44 (0) 117 312 9250
HP Labs                     e: david.pym at hp.com
Bristol, UK                 w: http://www.hpl.hp.com/personal/davpym/

Professor of Logic & Computation, University of Bath, UK

Hewlett-Packard Limited Registered Office: Cain Road, Bracknell, Berks RG12 1HN.
Registered No: 690597 England.

The contents of this message, its subsequent correspondence, and any attachments to it are confidential and may be legally privileged. If you have received this message in error, you should delete it from your system immediately and advise the sender. Do not send, forward, or (b)cc replies, without my explicit consent.

To any recipient of this message within HP, unless otherwise stated you should consider this message and attachments as "HP CONFIDENTIAL".

From andy.ozment at ieee.org Wed May 27 08:28:07 2009
From: andy.ozment at ieee.org (Andy Ozment)
Date: Wed, 27 May 2009 08:28:07 -0400
Subject: [EIS] CfP MetriSec 2009 - papers due June 4!
Message-ID: <4A1D31D7.40709@ieee.org>

------------------------------------------------------------------
Call for Papers

MetriSec 2009
5th International Workshop on SECURITY MEASUREMENTS AND METRICS
(Formerly the Workshop on Quality of Protection - QoP)

http://www.cs.kuleuven.be/conference/MetriSec2009/

Affiliated with the International Symposium on Empirical Software Engineering and Measurement (ESEM)

October 14, 2009
Lake Buena Vista, Florida, USA
------------------------------------------------------------------

WORKSHOP OVERVIEW

Quantitative assessment is a major stumbling block for software and system security. Although some security metrics exist, they are rarely adequate. The engineering importance of metrics is intuitive: you cannot consistently improve what you cannot measure. Economics is an additional driver for security metrics: customers are unlikely to pay a premium for security if they are unable to quantify what they receive.

The goal of the workshop is to foster research into security measurements and metrics and to continue building the community of individuals interested in this field.
MetriSec continues the tradition started by the Quality of Protection (QoP) workshop series; this year, the new co-location with ESEM is an opportunity for the security metrics folks to meet the metrics community at large.

The organizers solicit original submissions from industry and academic experts on the development and application of repeatable, meaningful measurements in the fields of software and system security. The topics of interest include, but are not limited to:

* Security metrics
* Security measurement and monitoring
* Development of predictive models
* Experimental validation of models
* Formal theories of security metrics
* Security quality assurance
* Empirical assessment of security architectures and solutions
* Mining data from attack and vulnerability repositories: e.g. CVE, CVSS
* Static analysis metrics
* Simulation and statistical analysis
* Stochastic modeling
* Security risk analysis
* Industrial experience

IMPORTANT DATES

Abstract submission: May 28
Submission of paper: June 4
Acceptance notification: July 10
Submission of camera-ready: August 15

PUBLICATION

Authors of accepted papers must present their work at the workshop. The proceedings of the workshop will be electronically published by the IEEE.

PAPER SUBMISSION

Submissions are sought in any of the following three categories:

(a) Research papers describing original results, both theoretical and experimental, are solicited in any of the above mentioned topics. Theoretical papers should clearly state the contribution and include some initial validation. This year, experimental papers are particularly welcome. In this case authors are required to explicitly state their hypothesis, to detail the methodology used, and to describe the experiment set-up.

(b) Preliminary research results or new ideas can be submitted in the form of short papers.

(c) Industry experience reports are also welcome.
Industry papers should have at least one author from industry or government, and will be considered for their industrial relevance.

The page limit for the final proceedings version is 8 pages in double-column format; short papers are limited to 4 pages. Authors should use the ACM SIG Proceedings Template when preparing their submission. Only PDF files are accepted.

PROGRAM CHAIRS

Andy Ozment (US)
Riccardo Scandariato (Katholieke Universiteit Leuven, BE)

WEB CHAIR

Thomas Heyman (Katholieke Universiteit Leuven, BE)