ABSTRACT

Laws and regulations are created to stand the test of time because the process of passing a regulation or law is lengthy. Laws are created in the public's best interest. They are formed by committees in response to a need that has gained enough visibility for a legislator to see it as in their best interest to act upon it. Laws must also support organizations of various sizes and industries, with an implicit expectation that larger organizations have more resources to spend on cybersecurity and that failure to do so would be viewed as not exercising due care. Criminal laws exist to punish the perpetrator of the crime, protect society from future actions, and, it is hoped, serve as a deterrent to others considering committing the same crime. The chief information security officer and the security department are often in a position where they are interpreting the law’s requirements for senior management.