Document the Why Behind Your Processes in Cybersecurity Policies

I completed my PhD at Indiana State University and, of course, was required to write a dissertation. My dissertation touched on the area of cyber security policy. Specifically, my dissertation was looking at research that had recently been completed that said that a cyber security policy could be written and used to compel individuals to take action. That is to say, you could have elements in a cyber security policy that would influence individuals to be more secure. To, for example, resist phishing attacks. To not click on hyperlinks. Things like that.

The results of my dissertation, looking at that research, were very interesting in two particular areas. The first is, you cannot force or compel or really even influence someone to take action through a written policy. Because secondly, that’s not the design of a computer policy. A computer policy is the “why” we’re doing something. It’s not how to do it and it certainly is not, let’s force the individual to do something. No. A computer security policy looks at the “why”. Not “force,” or “how.”
