First Workshop on
Quality of Protection
Milan, Italy - September 15, 2005.

Workshop co-located with ESORICS & METRICS



Call For Papers


Preliminary Call for Papers for the 1st International Workshop on

Quality of protection - QoP 2005

Security Measurements and Metrics

Milano, Italy, Thu. 15 September 2005.

Affiliated with the 10th European Symposium on Research in Computer Security ESORICS 2005 in Milano (12-14 Sep) and the 11th IEEE International Software Metrics Symposium METRICS 2005 in Como (19-22 Sep)

Information Security in Industry has matured in the last few decades. Standards such as ISO17799, the Common Criteria, and a number of industrial certification and risk analysis methodologies have raised the bar on what is considered a good security solution from a business perspective.

Yet, if we compare Information Security with Networking or Empirical Software Engineering we find a major difference. Networking research has introduced concepts such as Quality of Service and Service Level Agreements. Conferences and Journals are frequently devoted to performance evaluation, QoS and SLAs. Empirical Software Engineering has made similar advances. Notions such as software metrics and measurements are well established. Processes to measure the quality and reliability of software exist and are appreciated in industry.

Security looks different. Even a fairly sophisticated standard such as ISO17799 has an intrinsically qualitative nature. Notions such as Security Metrics, Quality of Protection (QoP) or Protection Level Agreement (PLA) have surfaced in the literature but still have a qualitative flavour. The "QoP field" in WS-Security is just a data field to specify a cryptographic algorithm. Indeed, neither ISO17799 nor ISO15408 (the Common Criteria) addresses QoP sufficiently. ISO17799 is a management standard, not directly concerned with the actual quality of protection achieved; ISO15408 is instead a product assessment standard and yet does not answer the question of how a user of a product assessed by it can achieve a high QoP within his/her operational environment. Both standards cover just one aspect of an effective QoP and even the combination of both would not address the aspect sufficiently. "Best practice" standards, such as the baseline protection standard published by many government agencies, also belong to the category of standards that are useful, but not sufficient, for achieving a good QoP.

Security is different also in another respect. A very large proportion of recorded security incidents has a non-IT cause. Hence, while the networking and software communities may concentrate on technical features (networks and software), security requires a much wider notion of "system", including users, work processes and organisational structures in addition to the IT infrastructure.

The QoP Workshop intends to discuss how security research can progress towards a notion of Quality of Protection in Security comparable to the notion of Quality of Service in Networking, Software Reliability, or Software Measurements and Metrics in Empirical Software Engineering.

Original submissions are solicited from industry and academic experts to present their work, plans and views related to Quality of Protection. The topics of interest include but are not limited to:

  • Industrial Experience

  • Security Risk Analysis

  • Security Quality Assurance

  • Measurement-based decision making and risk management

  • Empirical assessment of security architectures and solutions

  • Mining data from attacks and vulnerabilities repositories

  • Security metrics

  • Measurement theory and formal theories of security metrics

  • Security measurement and monitoring

  • Experimental verification and validation of models

  • Simulation and statistical analysis, stochastic modeling

  • Reliability analysis

Papers should be submitted electronically in PDF using the EasyChair electronic submission facility.

- Stefano De Panfilis - Engineering SpA (IT)

Submission Date - June 10, 2005 (deadline is extended till Thursday 23 June 2005)
Notification Date - July 21, 2005
Final version for the pre-proceedings (e-prints of the University of Trento) - September 5th, 2005 (deadline is extended till Monday 12 September 2005)
ESORICS - September 12-14, 2005
Workshop Date - September 15, 2005
IEEE METRICS in Como - September 19-22, 2005
Submitted version for the post-proceedings (Springer Applied Security series) - December 5th, 2005

Original RESEARCH PAPERS are solicited in any of the above mentioned topics. Research papers should be limited to 12 pages in the standard Springer Verlag format, describing significant research results based on sound theory or experimental assessment.

We also solicit INDUSTRY EXPERIENCE REPORTS, limited to 6 pages, about the use of security measurements and metrics in industrial environments. Industry papers should have at least one author from industry or government, and will be considered for their industrial relevance.

Authors of accepted papers will be expected to give full presentations at the workshop. Revised versions of the papers presented at the workshop will be published by Kluwer/Springer in the Applied Security Series. Authors of accepted papers must follow the Springer Information for LNCS Authors' guidelines for the preparation of the manuscript and use the templates provided below.

Template for LaTeX2
Template for LaTeX
Template for Microsoft Word

Imrich Chlamtac - UTDallas (US) & CreateNet (IT)
Gerhard Eschelbeck - QUALYS (US)
Dieter Gollmann - TU Hamburg-Harburg (DE)
Helmut Kurth - ATSEC (DE)
Bev Littlewood - City University, London (UK)
Fabio Massacci - Univ. di Trento (IT)
Ketil Stølen - SINTEF (NO) & Univ. of Oslo (NO)
Lorenzo Strigini - City University, London (UK)
Jeannette Wing - CMU (USA)


Alessandro Acquisti - Carnegie Mellon University (USA)
Matt Bishop - University of California (USA)
Imrich Chlamtac - UTDallas (US) & CreateNet (IT)
Yves Deswarte - LAAS-CNRS (FR)
Paolo Donzelli - University of Maryland (USA)
Gerhard Eschelbeck - QUALYS (USA)
Dieter Gollmann - TU Hamburg-Harburg (DE)
Erland Jonsson - Chalmers University of Technology (SW)
Audun Jøsang - University of Queensland (AUS)
Svein Johan Knapskog - The Norwegian University of Science and Technology (NOR)
Helmut Kurth - ATSEC (DE)
Bev Littlewood - City University, London (UK)
Fabio Martinelli - Institute of Informatics and Telematics (IT)
Fabio Massacci - Univ. di Trento (IT)
Roy Maxion - Carnegie Mellon University (USA)
Flemming Nielson - Technical University of Denmark (DE)
Mario Piattini - University of Castilla-La Mancha (SP)
Ketil Stølen - SINTEF (NO) & Univ. of Oslo (NO)
Lorenzo Strigini - City University, London (UK)
Edgar Weippl - Vienna University of Technology (AUT)
Jeannette Wing - CMU (USA)
Marvin Zelkowitz - University of Maryland (USA)