What are people currently doing to achieve security objectives for their organization? Where do those security objectives originate? Who are the people who are engaged in security and what are their reasons for engagement? Give an example of what may lead management to implement policies to change an organization culture relating to security?