Sunday Security Maxim
Voltaire’s Maxim: The problem with common sense is that it is not all that common. Comment: Real world security blunders are often stunningly dumb. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Big Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Father Knows Best Maxim: The amount that (non-security) senior managers in any organization know about security is inversely proportional to (1) how easy they think security is, and (2) how much they will micro-manage security and invent arbitrary rules. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Schneier’s Maxim #2 (Control Freaks Maxim): Control will usually get confused with Security. Comment: From security guru Bruce Schneier. Even when Control doesn’t get confused with Security, lots of people and organizations will use Security as an excuse to grab Control, e.g., the Patriot Act. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Too Good Maxim: If a given security product, technology, vendor, or technique sounds too good to be true, it is. And it probably sucks big time. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Schneier’s Maxim #1 (Don’t Wet Your Pants Maxim): The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems. Comment: From Bruce Schneier. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Low-Tech Maxim: Low-tech attacks work (even against high-tech devices and systems). Comment: So don’t get too worked up about high-tech attacks. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Dr. Who Maxim: “The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.” Comment: Tom Baker as Dr. Who in The Pirate Planet (1978). - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
High-Tech Maxim: The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses. Comment: In security, high-technology is often taken as a license to stop thinking critically. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Safety Maxim: Applying the methods of safety to security doesn’t work well, but the reverse may have some merit. Comment: Safety is typically analyzed as a stochastic problem, whereas the bad guys typically attack deliberately and intelligently, not randomly. For a discussion of the reverse problem, see RG Johnston, Journal of Safety Research 35, 245-248 (2004). - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Weakest Link Maxim: The efficacy of security is determined more by what is done wrong than by what is done right. Comment: Because the bad guys typically attack deliberately and intelligently, not randomly. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it. Comment: Security looks easy if you’ve never taken the time to think carefully about it. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Be Afraid, Be Very Afraid Maxim: If you’re not running scared, you have bad security or a bad security product. Comment: Fear is a good vaccine against both arrogance and ignorance. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).
Comment: This is probably true because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory