Chapter 6. The Good, the Bad, and the Ugly: Policies and More

“The educated don't get that way by memorizing facts; they get that way by respecting them.”

—Tom Heehler

Policy seems like a four-letter word to some people. I almost wanted to wipe that word from this book, but Michele and I quickly realized that if we didn't discuss the examples we have, the methods that we have witnessed employed, and the decisions we have helped either make or combat, then this book would be flawed.

Why is understanding how to implement policies so important? Many of the very things you read in this chapter start off sounding good, and we understand why many companies think they might work. Also, we have learned a thing or five from our customers and want to help you by sharing what we've learned.

When we pondered the best way to do this, we thought about breaking it down into sections about the good, the bad, and the ugly… but quickly my list was leaning heavily toward the bad and ugly sides of the scale, so we decided to change the methodology on this.

Instead I want to present each idea or policy and then discuss it from three angles:

  • What is the definition of the policy, idea, or thought?
  • Why is it bad or ugly?
  • And then finally, how can it be made “good”?

My hope is not to make anyone feel bad but merely to help you think through why these policies might not work and how they can be modified to have a positive effect on your phishing program.

Let's get started.

Oh, the Feels: Emotion and Policies ...
