Despite its widely acknowledged importance, the information security policy has not, to date, been the subject of explicit, empirical scrutiny, in the academic literature. To help fill this gap an exploratory research project was initiated that sought to investigate the uptake, content, dissemination and impact of information security policies in large UK-based organizations. The results of this research have indicated that whilst policies are now fairly common, at least amongst our sample, there is still a high degree of variety in terms of their content and dissemination
