Physical security maxims from Argonne National Laboratory

The Vulnerability Assessment Team (VAT) Seals at Argonne National Laboratory has a list of "somewhat cynical and tongue-in-cheek" security maxims that are nevertheless "essentially correct 80-90% of the time (unfortunately)."

Here are a few examples:

Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders.

Troublemaker Maxim: The probability that a security professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security.

Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.

Irresponsibility Maxim: It’ll often be considered “irresponsible” to point out security vulnerabilities (including the theoretical possibility that they might exist), but you’ll rarely be called irresponsible for ignoring or covering them up.

Physical security maxims from Argonne National Laboratory (via Schneier)
  1. What is great about these is that many apply to so many other situations:

    Schneier’s Maxim #2: Control will usually get confused with Security.

    That can easily be applied to the political sphere.

    Rohrbach’s Maxim: No security device, system, or program will ever be used properly (the way it was designed) all the time.

    This could be applied to the law.

    Etc ETc ETC

  2. “Feynman’s Maxim” comes from Richard Feynman’s interest/hobby of lock-picking at Los Alamos. He often pointed out to his managers how easy it was to pick locks there, and they thanked him by citing him as a security threat.

  3. My dad taught me a very important rule when I was fairly young: Always make sure you are a less attractive target than the next guy.

    That little maxim works on a surprisingly broad range of things, from avoiding speeding tickets to preventing your stuff from being stolen. No one will ever be able to stop a truly determined attacker, but if you follow the little maxim, you’ll be fine the vast majority of the time. It also contains a surprising amount of depth, as there are hundreds of ways to make yourself a less attractive target in any given situation.

    Please note that this maxim does not work well in dating situations.

  4. Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders.

    Doesn’t the Argonne Lab have a proofreader on staff, among all those untrustworthy insiders?

  5. Takes One to Know One: The fourth most common excuse for not fixing security vulnerabilities is that “our adversaries are too stupid and/or unresourceful to figure that out.”

    This reminds me of the ISP I used to work at.

  6. Toby@7

    Nope, read that back several times now and other than your italics I can’t see any difference between your version and theirs (or anything wrong with either).

    A little help…?

  7. Ask me if I feel secure now. That’s okay, I didn’t feel all that secure before.

    For some reason these maxims I liken to Sebastian, the stray tomcat I took in four months ago. Although he’s been safe, warm, fed and received lots of attention and cuddles, mentally he’s still a struggling stray. He’s fearful, cannot get enough food and cries all the time.

    I think members of the Vulnerability Assessment Team (Seals) may be suffering from similar ailments and are mentally/emotionally vulnerable and fearful. But, that’s their job. Their paranoia may actually help them perform that job better. And, no, I don’t want their job.

    Sharon McEachern
