I have never ceased to be amazed by the fact that you can’t take a class in information security without
being told to do this or the other thing in accordance with “your security policy”. But nobody ever
explains what policy is, or how to write or evaluate it. This is why we have begun this research and
educational project into security policy.