These security maxims were compiled by Roger Johnston, who's with the Argonne Vulnerability Assessment Team, the Nuclear Engineering Division of the Argonne National Laboratory, which is a division of the U.S. Department of Energy. He has a Ph.D. and also his CPP credential, which is Certificate of Protection Professional.
Here's the first three:
Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).
Comment: We think this, because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa.
Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.
Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”.
Bruce Schneier is also represented:
Schneier’s Maxim #1 (Don’t Wet Your Pants Maxim): The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems.
Comment: From security guru Bruce Schneier.
Schneier’s Maxim #2 (Control Freaks Maxim): Control will usually get confused with Security.
Comment: From security guru Bruce Schneier. Even when Control doesn’t get confused with Security, lots of people and organizations will use Security as an excuse to grab Control, e.g., the Patriot Act.