I am finishing up grading final papers for my Syracuse University class on security policy.
Each semester I find I learn a great deal from reading the papers and interacting with the students about them.
I have drawn three conclusions about policy creation from my past experience at the Department of Transportation, modified slightly from the current set of papers:
(1) Policies whose impact cannot be measured cannot be enforced.
(2) Measurements which are not created in some kind of automated fashion will not persist.
(3) Measurements which are not made visible don’t exist.