Security x Policy – What is the difference between them?

From my perspective, I see information security as similar (not equal) to policy.

Working in information security for 10 years of my life, I always faced new malware and new infections, and created procedures and scripts to fix something or to prevent something. And there always appear new malware, new infections, someone bypassing procedures, and then you need to figure out or fight this risk. But why?

Those guys do this for personal benefit: they create a new threat to get some kind of benefit (money or reputation), and then I try to eliminate all possibilities, to prevent the company from losing its money to a simple breach.

A DoS attack or a simple SQL injection has been known for years but, guess what, they still work.

Now, looking at the scenario in my country, I can say that the same thing occurs in “Policy”, due to bad people who want to bypass the rules or simply steal without guilt. And who is fighting against those people?

I don’t know yet, do you know? Tell me your opinion.


