In an organization that's been plagued by a number of security breaches recently, the board demands an overhaul of the existing information security policies. What's the primary rationale behind having comprehensive information security policies in place?