There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).

The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like "impossible" or "tamper-proof".

The confidence that people have in security is inversely proportional to how much they know about it.

If you're not running scared, you have bad security or a bad security product.

The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses.

The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems.

Control will usually get confused with Security.

Low-tech attacks work (even against high-tech devices and systems).

The amount that (non-security) senior managers in any organization know about security is inversely proportional to (1) how easy they think security is, and (2) how much they will micro-manage security and invent arbitrary rules.

When a (non-security) senior manager, bureaucrat, or government official talks publicly about security, he or she will usually say something stupid, unrealistic, inaccurate, and/or naive.

The problem with common sense is that it is not all that common.

There are effective, simple, & low-cost counter- measures (at least partial countermeasures) to most vulnerabilities.

But users, manufacturers, managers, & bureaucrats will be reluctant to implement them for reasons of inertia, pride, bureaucracy, fear, wishful thinking, and/or cognitive dissonance.

No serious security vulnerability, including blatantly obvious ones, will be dealt with until there is overwhelming evidence and widespread recognition that adversaries have already catastrophically exploited it. In other words, "significant psychological (or literal) damage is required before any significant security changes will be made".

No salesperson, engineer, or executive of a company that sells security products or services is prepared to answer a significant question about vulnerabilities, and few potential customers will ever ask them one.

Most security products and services will be chosen by the end-user based on purchase price plus hype, rumor, innuendo, hearsay, and gossip.

Any security technology becomes more vulnerable to attacks when it becomes more widely used, and when it has been used for a longer period of time.

A security device, system, or program is most vulnerable near the end of its life.

The more money that can be made from defeating a technology, the more attacks, attackers, and hackers will appear.

The more a given technology is despised or distrusted, the more attacks, attackers, and hackers will appear.

The more a given technology causes hassles or annoys security personnel, the less effective it will be.

The adversaries know and understand the security hardware and strategies being employed.

Thus, "Security by Obscurity", i.e., security based on keeping long-term secrets, is not a good idea.

People and organizations can't keep secrets.

Engineers don't understand security. They think nature is the adversary, not people. They tend to work in solution space, not problem space. They think systems fail stochastically, not through intelligent malicious intent.

No security device, system, or program will ever be used properly (the way it was designed) all the time.

Few security devices, systems, or programs will ever be used properly.

Most organizations will ignore or seriously underestimate the threat from insiders.

The insider threat from careless or complacent employees & contractors exceeds the threat from malicious insiders (though the latter is not negligible.)

The probability that a security professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security.

An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.

It'll often be considered "irresponsible" to point out security vulnerabilities (including the theoretical possibility that they might exist), but you'll rarely be called irresponsible for ignoring or covering them up.

Most people will assume everything is secure until provided strong evidence to the contrary--exactly backwards from a reasonable approach.

Security managers, manufacturers, vendors, and end users will always be amazed at how easily their security products or programs can be defeated.

Having been amazed once, security managers, manufacturers, vendors, and end users will be equally amazed the next time around.

Security is nigh near impossible. It's extremely difficult to stop a determined adversary. Often the best you can do is discourage him, and maybe minimize the consequences when he does attack.

An organization that fires high- level security managers when there is a major security incident, or severely disciplines or fires low-level security personnel when there is a minor incident, will never have good security.

Most of the time when security appears to be working, it's because no adversary is currently prepared to attack.

People lacking imagination, skepticism, and a sense of humor should not work in the security field.

The effectiveness of a security device, system, or program is inversely proportional to how angry or upset people get about the idea that there might be vulnerabilities.

Within a few months of its availability, new technology helps the bad guys at least as much as it helps the good guys.

Any given device, system, or program that is designed for inventory will very quickly come to be viewed--quite incorrectly--as a security device, system, or program.

Effective security is difficult enough when you design it in from first principles. It almost never works to retrofit it in, or to slap security on at the last minute, especially onto inventory technology.

The more important the security application, the less careful and critical thought has gone into it.

Ceremonial Security (a.k.a. "Security Theater") will usually be confused with Real Security; even when it is not, it will be favored over Real Security.

Most security programs focus on protecting the wrong assets.

If you know the vulnerabilities (weaknesses), you've got a shot at understanding the threats (the probability that the weaknesses will be exploited and by whom). Plus you might even be ok if you get the threats all wrong. But if you focus only on the threats, you're probably in trouble.

The most common excuse for not fixing security vulnerabilities is that they simply can't exist.

The second most common excuse for not fixing security vulnerabilities is that "we have many layers of security", i.e., we rely on "Security in Depth".

The third most common excuse for not fixing security vulnerabilities is that "all security devices, systems, and programs can be defeated". (This is typically expressed by the same person who initially invoked the Mermaid Maxim.)

The fourth most common excuse for not fixing security vulnerabilities is that "our adversaries are too stupid and/or unresourceful to figure that out."

For any given security program, the amount of critical, skeptical, and intelligent thinking that has been undertaken is inversely proportional to how strongly the strategy of "Security in Depth" (layered security) is embraced.

Security is an illusionary ideal created by people who have an overvalued sense of their own self worth.

Security is practically achieved by making the cost of obtaining or damaging an asset higher than the value of the asset itself.