Professional Documents
Culture Documents
(Lecture Notes in Computer Science 10
(Lecture Notes in Computer Science 10
We can distinguish between three levels on which protection goals can be found:
First, protection goals are described on a strategic level in national security strategy
documents.
Second, protection goals are described in CIP, CIIP or cybersecurity strategies or
similar documents.
Third, protection goals are further defined and specified in sector-specific documents.
The Art of CIIP Strategy: Tacking Stock of Content and Processes 21
Not surprisingly, these goals become more concrete the further down one moves. We
look at all three of them in separate subsections.
The analysis of CIP documents shows that ‘protection goals’ vary with regard to
their specificity and purpose. On the level of national security strategies and policy
papers, goals tend to use rather general terms such as ‘prevention’, ‘mitigation of
vulnerabilities’, or ‘protection of vital interests’. We believe it would be useful to
label these kind of statements ‘protection principles’ rather than protection goals,
because they provide the general framework for CIP.
Slightly more specific protection goals are found on the second level of CIP
strategies. They are more precise and specific than the protection principles, but still
follow a systemic-abstract logic, as they refer to the totality of all CIs rather than to
one sector or to one infrastructure. Examples for “protection goals” on this aggregated
level are the goals of ‘identifying critical infrastructures and key resources’,
‘enhancing resiliency’, or ‘analyzing interdependencies and vulnerabilities’. These
goals, formulated for all CIs, can be described as ‘protection policies’, as they define
in a general way what must be protected from which threats in what way.
The third level is the sector-specific dimension. On this level, the “protection
goals” are more concrete. Examples are the goals to ensure ‘the availability, integrity
and confidentiality of information and information technology’ or ‘sustain protection
of public health and the environment’. They may be referred to as (sector-specific)
‘protection goals’.
Fig. 2.
22 M. Dunn Cavelty and M. Suter
measures, then protection goals in CIP are – or should have to be – top-level strategic-political decisions. This is an
important aspect that will be addressed in some more detail in the concluding section.