Meeting participants generated questions that such a study might address. They include, in no particular order:
What is an appropriate characterization of ‘high-grade threat’ and ‘high-value target’?
What are useful techniques to aid those who find themselves in charge of a high-value information system? What are good strategies to employ when a system is under attack by sophisticated adversaries (either self-motivated or organized and well-funded)?
What is the extent to which insider and other serious threats are an unacknowledged or unreported issue within various communities?
Is there information that should never be placed in electronic form?
What is the responsibility of the industry when it comes to building secure systems and what role do recent laws such as the Uniform Computer Information Transactions Act (UCITA) and the Digital Millennium Copyright Act (DMCA) play?
What are the sociological and managerial aspects of defending against high-grade threats?
What data and what metrics are needed in order to begin modeling the problem of high-grade threats against high-grade targets?
What are the upcoming technologies designed to help combat serious threats to high-value systems and what is their potential impact (e.g., what might be the future impact of quantum computing on these issues)?
Given the new kinds of system and social organization becoming prevalent (e.g. peer-to-peer) are there changes in the security business model that need to be taken into account?
Is software quality declining and therefore making the jobs of those likely to be attacked by serious, well-funded adversaries more difficult? If so, what can be done?