Sunday Security Maxim
Hellrung’s Law: If you wait long enough, it will go away. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory.
First Law of Revision: Information necessitating a change of design will be conveyed to the designers after—and only after—the plans are complete.
General “laws” that also apply to security.
Fudd’s First Law of Opposition: If you push on something hard enough, it will fall over.
Mahbubani’s Maxim: Organizations and security managers who cannot envision security failures will not be able to avoid them.
He Whose Name Must Never Be Spoken Maxim: Security programs and professionals who don’t talk a lot about “the adversary” or the “bad guys” aren’t prepared for them and don’t have good security.
Wolfe’s Maxim: If you don’t find it often, you often don’t find it.
Any Donuts Left? Maxim: But paying attention is very difficult.
Caffeine Maxim: On a day-to-day basis, security is mostly about paying attention.
Cyborg Maxim: Organizations and managers who automatically think “cyber” or “computer” when somebody says “security” don’t have good security (including good cyber or computer security).
By the Book Maxim: Full compliance with security rules and regulations is not compatible with optimal security. Comment: Because security rules and regulations are typically dumb and unrealistic (at least partially). Moreover, they often lead to over-confidence, waste time and resources, create unhelpful distractions, engender cynicism about security, and encourage employees to find workarounds to get their job done, thus making security an “us vs. them” game.
Kafka’s Maxim: The people who write security rules and regulations don’t understand (1) what they are doing, or (2) how their policies drive actual security behaviors and misbehaviors.
Patton’s Maxim: When everybody is thinking alike about security, then nobody is thinking. Comment: Adapted from a broader maxim by General George S. Patton (1885-1945).
Nietzsche’s Maxim: It’s not winning if the good guys have to adopt the unenlightened, illegal, or morally reprehensible tactics of the bad guys. Comment: “Whoever fights monsters should see to it that in the process he does not become a monster.” - Friedrich Nietzsche (1844-1900), Beyond Good and Evil.
It’s Too Quiet Maxim: “Bad guys attack, and good guys react” is not a viable security strategy. Comment: It is necessary both to be proactive in defense and to preemptively undermine the bad guys in offense.
D(OU)BT Maxim: If you think Design Basis Threat (DBT) is something to test your security against, then you don’t understand DBT and you don’t understand your security application. Comment: If done properly—which it often is not—DBT is for purposes of allocating security resources based on probabilistic analyses, not judging security effectiveness. Moreover, if the threat probabilities in the DBT analysis are all essentially 1, the analysis is deeply flawed.
Gunslingers’ Maxim: Any government security program will mistakenly focus more on dealing with force-on-force attacks than on attacks involving insider threats and more subtle, surreptitious attacks.
Tucker’s Maxim #3 (Failure = Success Maxim): If you’re not failing when you’re training or testing your security, you’re not learning anything.
Tucker’s Maxim #2 (Toss the Dice Maxim): When the bullets start flying, it’s a crapshoot and nobody can be sure how it’ll turn out. Comment: So don’t let it get to that point.
Tucker’s Maxim #1 (Early Bird & Worm Maxim): An adversary is most vulnerable to detection and disruption just prior to an attack. Comment: So seize the initiative in the adversary’s planning stages (from Craig Tucker).
Rig the Rig Maxim: Any supposedly “realistic” test of security is rigged.