The Catalog Approach
A recent attempt to catalog all possible ways in which cyber security may be measured resulted in a list of over 900 items (Herrmann 2007). The full spectrum of issues that may one day be laid before cyber security policy decision makers would be similarly long. A listing of all cyber security policy issues is not feasible to attempt because it is the type of list that would be out of date as soon as it was done. Nevertheless, a catalog approach provides structure for classification and examples of cyber security policy issues. Chapter 6 uses a catalog approach to isolate and explain decision criteria on which cyber security policy mandates are frequently based.
The primary reason for listing and explaining a set of issues is to introduce and explain the foundations of concepts that frequently recur in cyber security policy debates. A secondary reason for presenting a catalog is to impress the reader with the variety and breadth of the field of cyber security policy. A third reason is to include enough detail in the explanation of cyber security policy issues for decision makers to recognize how the consequence of a given policy may affect their enterprise, whether or not it is a policy they themselves adopt, or a policy that has been adopted by others. Given that the list is necessarily incomplete, and its purpose is elucidation and awareness, it is first necessary to present the nomenclature used to create the list, which has itself become a taxonomy of ...