An examination of policies and policy governance structures at four research universities demonstrated the utility of integrating an “ideal” model for cyber security governance with the Institutional Analysis and Design Framework to study problems related to creating effective policy. Findings demonstrate how a cybersecurity governance structure, integrated with the organization’s mission and structure, provides better fit, constructs policies of appropriate scope, and is more likely to include the components of governance necessary for policy effectiveness. The capability of the methods employed by the study to identify deficiencies in cyber security governance structure that are manifested in less effective policy outcomes may aid policy makers as they strive to develop policy solutions to an ever changing security threat.