Third Workshop on
Quality of Protection
Workshop co-located with CCS-2007

Mon. Oct. 29 - Alexandria VA, USA
Hilton Alexandria Mark Center



Invited Speaker

Accepted papers

Call For Papers

Call For Participation




QoP 2005

QoP 2006

QoP 2008

MetriSec 2009

Call For Papers

3nd International Workshop on Quality of protection (QoP 2007)

Security Measurements and Metrics

Mon. Oct. 29- Alexandria VA, USA

Affiliated with 14th ACM Conference on Computer and Communications Security (CCS-2007).

Call For Papers in pdf file
Call For Papers in text file

In the last few decades, Information Security has gained numerous standards, industrial certifications, and risk analysis methodologies. However, security still lacks the strong, quantitative, measurement-based assurance that we find in other fields. For example, Networking researchers have created and utilize Quality of Service (QoS), Service Level Agreements (SLAs), and performance evaluation metrics. Empirical Software Engineering has made similar advances with software metrics: processes to measure the quality and reliability of software exist and are appreciated in industry.

Security looks different. Even a fairly sophisticated standard such as ISO17799 has an intrinsically qualitative nature. Notions such as Security Metrics, Quality of Protection (QoP) or Protection Level Agreement (PLA) have surfaced in the literature, but they still have a qualitative flavor. Furthermore, many recorded security incidents have a non-IT cause. As a result, security requires a much wider notion of "system" than do most other fields in computer science. In addition to the IT infrastructure, the "system" in security includes users, work processes, and organizational structures.

The goal of the QoP Workshop is to help security research progress towards a notion of Quality of Protection in Security comparable to the notion of Quality of Service in Networking, Software Reliability, or Software Measurements and Metrics in Empirical Software Engineering.

Original submissions are solicited from industry and academic experts to presents their work, plans and views related to Quality of Protection. The topics of interest include but are not limited to:

  • Industrial experience

  • Security risk analysis

  • Security metrics

  • Reliability analysis

  • Security quality assurance

  • Measurement-based decision making and risk management

  • Empirical assessment of security architectures and solutions

  • Mining data from attack and vulnerability repositories

  • Measurement theory

  • Formal theories of security metrics

  • Security measurement & monitoring

  • Experimental validation of models

  • Simulation & statistical analysis

  • Stochastic modeling

- June 17 (Sun) - Paper submissions
- July 20 (Fri) - Authors' notification
- August 22 (Wed) - Camera ready paper due
- October 29 (Mon) - QoP Workshop

Authors of accepted papers are expected to give full presentations at the workshop. The proceedings will be published by the ACM; they will have an ISBN number and be included in the ACM digital library.

research papers are solicited in any of the above mentioned topics describing significant research results. Preliminary research results can be submitted in the form of short papers. We also solicit industry experience reports about the use of security measurements and metrics in industrial environments. Industry papers should have at least one author from industry or government, and will be considered for their industrial relevance.

Experimental papers are required (1) to explicitly state the hypothesis being tested, or the problem being solved, and (2) to have a methodology section. The methodology section should contain enough details that a reader could reproduce the work, at least as a thought-experiment. Where appropriate this section should include information like: materials, apparatus & stimuli used, a description of the subjects or data sets used, the experimental design, and the procedure followed.

Theoretical papers should succinctly state the hypothesis that results from the theory and describe an experiment for its validation.

Authors should use the ACM SIG proceedings template when preparing their submission. The page limit for the final proceedings version will be 6 pages in double-column ACM format; short papers are limited to 3 pages. Only PDF or PS files are accepted.

Papers must be submitted through EasyChair site. If you use EasyChair for the first time you may found it useful to read a short guideline.


Günter Karjoth - IBM Research (CH)
Ketil Stølen - SINTEF (NO)


Andy Ozment - University of Cambridge (UK)


Alessandro Acquisti - Carnegie Mellon University. (USA)
Guenter Bitz - SAP (DE)
Virgil D. Gligor - University of Maryland (USA)
Dieter Gollmann - TU Hamburg-Harburg (DE)
Hongxia Jin - IBM Almaden Research Center (US)
Erland Jonsson - Chalmers University of Technology (SW)
Audun Josang - Queensland University (AU)
Yucel Karabulut - SAP Research Palo Alto (US)
Volkmar Lotz - SAP (FR)
Fabio Massacci - University of Trento (IT)
Roy Maxion - Carnegie Mellon U. (USA)
John McHugh - Dalhousie U. (CA)
David M. Nicol - University of Illinois (USA)
Andy Ozment - University of Cambridge (UK)
Eduardo Fernández-Medina Patón - University of Castilla-La Mancha (SP)
Tomas Sander - HP Labs (USA)
William H. Sanders - University of Illinois at Urbana-Champaign (USA)
Peter Schoo - DoCoMo EuroLabs (DE)
Santosh Shrivastava - University of Newcastle upon Tyne (UK)
Vipin Swarup - The MITRE Corporation (USA)
Nicola Zannone - University of Trento (IT)

Previous Workshops