Policies in cybersecurity are described as a set of rules and guidelines determined by agencies to ensure a company or organization complies with data security regulations and standards. These policies are essential for critical infrastructure. A significant cyber attack against these targets can devastate many people's lives because they may be unable to access necessities like clean drinking water, electricity, or a connection to the internet. Attacks against critical infrastructure also significantly impact the economy, as disruptions can negatively affect a business's ability to function. Having clearly defined policies is critical for ensuring that employees can keep personal data safe and help maintain the integrity of systems within the organization.

A significant threat in cybersecurity has been, and still is, human error. In one alarming incident, a government agent found a flash drive on a bathroom floor and decided to plug it into their work computer, resulting in a massive data breach from within the network. While the employee was unaware of the flash drive's contents, the lack of situational awareness is disturbing. There are even some blog posts on red team sites where users claim they dropped flash drives in the parking lots of businesses to see if an employee would plug them in. Some users reported that up to 80% of these attacks were successful. Because this method of attack effectively bypasses most countermeasures put in place by organizations, all employees must be adequately trained and informed about dangers and given regular updates on potential threats.

More cybersecurity policies need to be adapted to focus on the problem of human error. For an attacker, phishing is much more effective than attempting a brute force attack against the company, particularly against larger organizations. There is a massive and readily exploitable vulnerability when employees are unaware of the danger of these attacks and how they occur.