Key points are not available for this paper at this time.
The existence of prescribed security processes in organizations does not mean the goals of the processes are achieved.
Mikko Siponen (Tue,) studied this question.