Mon. Oct. 27, 2008 - Alexandria VA, USA
Call for Papers
4th International Workshop on Quality of Protection (QoP 2008)
Security Measurements and Metrics
October 27, 2008
An ACM CCS 2008 workshop
In the last few decades, Information Security has gained numerous standards, industrial certifications, and risk analysis methodologies. However, the field still lacks the strong, quantitative, measurement-based assurance that we find in other fields. For example, Networking researchers have created and use Quality of Service (QoS), Service Level Agreements (SLAs), and performance evaluation measures. Empirical Software Engineering has made similar advances with software measures: processes to measure the quality and reliability of software exist and are appreciated in industry.
Security looks different. Even a fairly sophisticated standard such as ISO17799 has an intrinsically qualitative nature. Notions such as Security Metrics, Quality of Protection (QoP) or Protection Level Agreement (PLA) have surfaced in the literature, but they still have a qualitative flavor. Furthermore, many recorded security incidents have a non-IT cause. As a result, security requires a much wider notion of "system" than do most other fields in computer science. In addition to the IT infrastructure, the "system" in security includes users, work processes, and organizational structures.
The goal of the QoP Workshop is to help security research progress towards a notion of Quality of Protection in Security comparable to the notion of Quality of Service in Networking, Software Reliability, or measures in Empirical Software Engineering.
Original submissions are solicited from industry and academic experts to present their work, plans and views related to Quality of Protection. The topics of interest include, but are not limited to:
Riccardo Scandariato, Katholieke Universiteit Leuven, BE
Acquisti - Carnegie Mellon
Original research papers describing significant research results are solicited in any of the above-mentioned topics. Preliminary research results can be submitted in the form of short papers. We also solicit industry experience reports about the use of security measures in industrial environments. Industry papers should have at least one author from industry or government, and will be considered for their industrial relevance.
Papers are required (1) to explicitly state the hypothesis being tested, or characterize the problem being solved in the form of success criteria, and (2) to have a research methodology section. The research methodology section should contain enough details that a reader could reproduce the work, at least as a thought-experiment. Where appropriate this section should include information like: materials, apparatus and stimuli used, a description of the subjects or data sets used, the experimental design, and the procedure followed.
Authors should use the ACM SIG proceedings template when preparing their submission. The page limit for the final version will be 6 pages in double-column ACM format; short papers are limited to 3 pages. Only PDF or PS files are accepted.
The page limit for the camera-ready version is 10 pages in double-column ACM format; short papers are limited to 5 pages.
The proceedings of the workshop will be published by the ACM; it will have an ISBN number and be included in the ACM digital library. Authors of accepted papers will be expected to give full presentations at the workshop.