Here are some of the Physical Security Maxims of Security Guru Roger G. Johnston, Ph.D., CPP of the Vulnerability Assessment Team, Argonne National Laboratory.
Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).
Comment: We think this, because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa.
Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.
Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”.
Be Afraid, Be Very Afraid Maxim: If you’re not running scared, you have bad security or a bad security product.
Comment: Fear is a good vaccine against both arrogance and ignorance.
So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.
Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it.
Comment: Security looks easy if you’ve never taken the time to think carefully about it.
Weakest Link Maxim: The efficacy of security is determined more by what is done wrong than by what is done right.
Comment: Because the bad guys typically attack deliberately and intelligently, not randomly.
Safety Maxim: Applying the methods of safety to security doesn’t work well, but the reverse may have some merit.
Comment: Safety is typically analyzed as a stochastic problem, whereas the bad guys typically attack deliberately and intelligently, not randomly. For a discussion of the reverse problem, see RG Johnston, Journal of Safety Research 35, 245-248 (2004).
High-Tech Maxim: The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses.
Comment: In security, high-technology is often taken as a license to stop thinking critically.
Dr. Who Maxim: “The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.”
Comment: A quote from Tom Baker as Dr. Who in The Pirate Planet (1978)
Low-Tech Maxim: Low-tech attacks work (even against high-tech devices and systems).
Comment: So don’t get too worked up about high-tech attacks.
Nowadays I work as a security consultant; I have collected eleven pages worth of Dr. Johnston's wisdom - I keep them posted on the wall by my desk at work. In designing physical security systems, and even in the evolving field of cybersecurity, I find that all of these truisms apply sooner or later. - Sean Linnane