Abstract

Despite its widely acknowledged importance, the information security policy has not, to date, been the subject of explicit, empirical scrutiny, in the academic literature. To help fill this gap an exploratory research project was initiated that sought to investigate the uptake, content, dissemination and impact of information security policies. To this end, a questionnaire was mailed to senior IS executives, in large UK‐based organizations, and 208 valid responses were received. The results of this research have indicated that, while policies are now fairly common, at least amongst the sample, there is still a high degree of variety in terms of their content and dissemination.