Saturday Security Maxim
Mermaid Maxim: The most common excuse for not fixing security vulnerabilities is that they simply can't exist. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Vulnerabilities Trump Threats Maxim: If you know the vulnerabilities (weaknesses), you’ve got a shot at understanding the threats (the probability that the weaknesses will be exploited, how, and by whom). Plus you might even be ok if you get the threats all wrong. But if you focus only on the threats, you’re probably in trouble.
Comment: It’s hard to predict the threats accurately, but threats (real or imagined) are great for scaring an organization into action. It’s not so hard to find the vulnerabilities if you really want to, but it is usually difficult to get anybody to do anything about them.
Ass Sets Maxim: Most security programs focus on protecting the wrong assets.
Comment: Often the focus is excessively on physical assets, not more important intangible assets such as intellectual property, trade secrets, good will, an organization’s reputation, customer and vendor privacy, etc.
That’s Entertainment Maxim: Ceremonial Security (a.k.a. “Security Theater”) will usually be confused with Real Security; even when it is not, it will be favored over Real Security.
Comment: Thus, after September 11, airport screeners confiscated passengers’ fingernail clippers, apparently under the theory that a hijacker might threaten the pilot with a bad manicure. At the same time, there was no significant screening of the cargo and luggage loaded onto passenger airplanes.
Somebody Must’ve Thought It Through Maxim: The more important the security application, the less careful and critical thought and research has gone into it.
Comment: Research-based practice is rare in important security applications. For example, while the security of candy and soda vending machines has been carefully analyzed and researched, the security of nuclear materials has not. Perhaps this is because when we have a very important security application, committees, bureaucrats, power grabbers, business managers, and linear/plodding/unimaginative thinkers take over.
We’ll Worry About it Later Maxim: Effective security is difficult enough when you design it in from first principles. It almost never works to retrofit it in, or to slap security on at the last minute, especially onto inventory technology.
Mission Creep Maxim: Any given device, system, or program that is designed for inventory will very quickly come to be viewed—quite incorrectly—as a security device, system, or program.
Comment: This is a sure recipe for lousy security. Examples include RFIDs and GPS.
Double Edge Sword Maxim: Within a few months of its availability, new technology helps the bad guys at least as much as it helps the good guys.
A Priest, a Minister, and a Rabbi Maxim: People lacking imagination, skepticism, and a sense of humor should not work in the security field.
Scapegoat Maxim: The main purpose of an official inquiry after a serious security incident is to find somebody to blame, not to fix the problems.
Throw the Bums Out Maxim: An organization that fires high-level security managers when there is a major security incident, or severely disciplines or fires low-level security personnel when there is a minor incident, will never have good security.
That’s Why They Pay Us the Big Bucks Maxim: Security is nigh near impossible. It’s extremely difficult to stop a determined adversary. Often the best you can do is discourage him, and maybe minimize the consequences when he does attack.
You Could’ve Knocked Me Over with a Feather Maxim 1: Security managers, manufacturers, vendors, and end users will always be amazed at how easily their security products or programs can be defeated.
You Could’ve Knocked Me Over with a Feather Maxim 2: Having been amazed once, security managers, manufacturers, vendors, and end users will be equally amazed the next time around.
Backwards Maxim: Most people will assume everything is secure until provided strong evidence to the contrary—exactly backwards from a reasonable approach.
Irresponsibility Maxim: It’ll often be considered “irresponsible” to point out security vulnerabilities (including the theoretical possibility that they might exist), but you’ll rarely be called irresponsible for ignoring or covering them up.
Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.
Comment: An entertaining example of this common phenomenon can be found in “Surely You’re Joking, Mr. Feynman!”, published by W.W. Norton, 1997. During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy).
Troublemaker Maxim: The probability that a security professional has been marginalized by his or her organization is proportional to his or her skill, creativity, knowledge, competence, and eagerness to provide effective security.