1. It must be difficult enough, and relevant enough, that accomplishing it will lead to a measurable advance of some sort in security technology.
2. It must be possible to impartially and repeatedly rank the results of efforts by different competitors.
3. It must be interesting enough to attract widespread interest and simple enough to explain to those not involved in the field.