3

Cyber Security Objectives

Given the complex nature of cyber security technology, and the fact that cyber security threats only escalate, it might be expected that policymakers are constantly confronted with decisions on how to react to the latest threat. However, because it is often the case that decisions concerning cyber security measures are delegated to technologists, a policymaker may not actually see these decisions being made, and thus not have a chance to weigh in on the organizational impact of various alternative approaches. In fact, the cyber security arms race often seems to offer very few alternative options. Almost immediately after cyber security technology is introduced, its usage is declared industry standard by some regulatory body, and this locks organizations into the identified countermeasure approach. For example, if a regulated organization decided to use a cyber security approach that did not make use of firewalls, they would face detailed scrutiny by their regulatory auditors. It seems easier to continue keeping up with the latest security tools and technologies than rethinking an organizational approach to cyber security.

Nevertheless, if there is any lesson in Chapter 2, it is that new paradigms for cyber security are sorely needed. In this chapter, we critically examine the policy objectives that evolved with the history of cyber security as described in Chapter 2. Note that these cyber security policy objectives did not then and do not necessarily ...

Get Cyber Security Policy Guidebook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.