The Acceptable Use Policy has been a mainstay of organizational security for decades. These foundational policies were originally designed to detail sets of rules and requirements for users on an organizational network to follow while using a given network’s resources, and often contained a series of restrictions dictating what users were not permitted to do. As organizational security models have progressed, newer policies, standards, and guidelines have been progressively introduced, and often contain similar, more specific requirements that users must follow when using an organizational network. Based on these developments, we ask the following: In the increasingly complex organizational security landscape, are Acceptable Use Policies still relevant? In this paper, we conduct a study utilizing 176 Acceptable Use Policies currently deployed at universities in the United States. Using a number of methods, including a detailed coding of each policy, we present a summary of the current state of Acceptable Use Policies, as well as the university environment they exist in. We find that while Acceptable Use Policies are not relevant from a technical standpoint, they serve as a legal foundation to a university’s security efforts, and as such could be improved upon in the modern organizational landscape.
Weidman, Jake and Grossklags, Jens (2019). "THE ACCEPTABLE STATE: AN ANALYSIS OF THE CURRENT STATE OF ACCEPTABLE USE POLICIES IN ACADEMIC INSTITUTIONS". In Proceedings of the 27th European Conference on Information Systems (ECIS), Stockholm & Uppsala, Sweden, June 8-14, 2019. ISBN 978-1-7336325-0-8. Research Papers.