National Institute of Standards and Technology
Gaithersburg, MD USA
April 5-6, 2011

Call for Participation

The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant security vulnerabilities are often caused by security designers’ failure to account for human factors. Despite growing attention to the issue, these problems are likely to continue until the underlying development processes address usable security.

See http://www.thei3p.org/events/sausage2011.html for more details.

Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient usability to accomplish tasks efficiently and with less effort, users will often tend to bypass security features. A small but growing community of researchers, with roots in such fields as human-computer interaction, psychology, and computer security, has been conducting research in this area.

Regardless of how familiar you are with usable security, this report is a worthwhile read.

(Cross-posted from Emergent Chaos)

After RSA, I’ll have more to say about how it came about, how it helps you and how very new school it is. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

]]> http://newschoolsecurity.com/2010/03/elevation-of-privilege-the-threat-modeling-game/feed/ 0 http://newschoolsecurity.com/2010/02/podcast-on-ism3/ http://newschoolsecurity.com/2010/02/podcast-on-ism3/#comments Mon, 08 Feb 2010 15:51:07 +0000 adam http://newschoolsecurity.com/?p=1339 Last week, I spoke at the Open Group meeting here in Seattle, and then recorded a podcast with Dana Gardner, Jim Hietala and Vicente Aceituno about ISM3 Brings Greater Standardization to Security Measurement Across Enterprise IT (audio) or you can read the transcript.

It was fun, and the podcast is short and to the point. Take a listen!

]]> http://newschoolsecurity.com/2010/02/podcast-on-ism3/feed/ 0 http://newschoolsecurity.com/2009/11/cfp-9th-workshop-on-the-economics-of-information-security-weis/ http://newschoolsecurity.com/2009/11/cfp-9th-workshop-on-the-economics-of-information-security-weis/#comments Wed, 11 Nov 2009 21:06:45 +0000 Russell http://newschoolsecurity.com/?p=940 June 7-8, 2010 Harvard University, Cambridge, MA, USA.   Full call for papers and submission information is here. 

Important dates:

• Submissions due: February 22, 2010
• Notification of acceptance: April 2, 2010
• Workshop: June 7-8, 2010

“The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science. [...] This workshop will build on past efforts using empirical and analytic tools to not only understand threats, but also strengthen security through novel evaluations of available solutions.[...]

“We encourage economists, computer scientists, business school researchers, legal scholars, security and privacy specialists, as well as industry experts to submit their research and attend the workshop.

“Suggested topics include (but are not limited to) empirical and theoretical studies of:

• Optimal investment in information security
• Online crime (including botnets, phishing and spam)
• Models and analysis of online crime
• Risk management and cyberinsurance
• Security standards and regulation
• Cybersecurity policy
• Privacy, confidentiality and anonymity
• Behavioral security and privacy
• Security models and metrics
• Psychology of risk and security
• Vulnerability discovery, disclosure, and patching
• Cyberwar strategy and game theory
• Incentives for information sharing and cooperation

“We highlight two key areas of particular focus for this year’s workshop. First, we encourage submissions that consider the design and evaluation of policy solutions for improving information security.  Second, given the importance of data-driven decision making, we encourage submissions with empirical components. A selection of papers accepted to this workshop will appear in an edited volume designed to help policy makers, managers, researchers and practitioners better understand the information security landscape.”

Like its predecessors, Mini Metricon 4.5 is an informal workshop designed to facilitate exchange of new ideas as well as practical experience in using metrics to drive better security, compliance, and risk management. The day will be divided between open/moderated exchange and short presentations. Participants are expected to come prepared to actively interact as either presenters or active listeners (or both).

Place: University of San Francisco (within walking distance of the Moscone Center)

Time: 8:30am to 4:30pm

Participation: by invitation.

Attendance: Limited to 80 people

If you would like to participate

Due to space limitations, we are asking all who are interested in participating to send an email to metr…@securitymetrics.org

Please provide some information about who you are, your interest/experience with metrics, what metrics you can bring to discuss, and your preferred level of participation: presenter or active audience participant.

Presenters: Please provide an abstract of 5 paragraphs or less that describes the nature of the metrics and metric results that you would like to present. Following past MetriCon practice, preference will be given to those who respond to this CfP with actual work in progress that demonstrates the value of security metrics with respect to a security-related goal.

Submission of recent, previously published work as well as simultaneous submissions to multiple venues is acceptable if disclosed in your proposal.

Active audience participants: Please indicate your area(s) of specific interest.

Examples of past well-received presentations are:

§ Intel Presentation

§ Verizon Presentation

§ Whitehat Presentation

Visit http://www.securitymetrics.org for digests, presentations, and handouts from past Metricon Workshops.

Notification

To get invitations out well beforehand, we’d like all email submissions to be in-hand by December 5. Our goal is to send invitations to participate by January 15.

Important Dates

– 05 Dec 2009 – Responses Due to this Call

– 15 Jan 2010 – Notification of Acceptance

– 01 Mar 2010 – Mini MetriCon 4.5 Workshop

Program Committee

§ Warren Axelrod, Financial Services Technology Consortium

§ Jennifer Bayuk, Bayuk.com

§ Fred Cohen, Fred Cohen and Associates

§ Lloyd Elam, SigmaRisks

§ Jeremy Epstein, SRI International

§ Dan Geer, In-Q-Tel

§ Renee Guttmann, Time Warner

§ Ray Kaplan, Ray Kaplan & Associates

§ Pete Lindstrom, Spire Security

§ Joe Magee, Vigilant

§ Elizabeth Nichols, Plexlogic

§ Steven Piliero, Center for Internet Security

§ Chris Walsh [Program Committee Chair], SurePayroll

§ Caroline Wong, eBay

Please feel free to contact the Program Chair with any questions. Inquiries beyond administrative matters will be forwarded to the Committee.

Additional information will be posted at www.securitymetrics.org as it becomes available.