Physical security maxims from Argonne National Laboratory (via Schneier)

Here are a few examples:

Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders.
Troublemaker Maxim: The probability that a security professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security.
Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.
Irresponsibility Maxim: It’ll often be considered “irresponsible” to point out security vulnerabilities (including the theoretical possibility that they might exist), but you’ll rarely be called irresponsible for ignoring or covering them up.
Mark Frauenfelder is the founder of Boing Boing and the editor-in-chief of MAKE and Cool Tools. Twitter: @frauenfelder. His new book is Maker Dad: Lunch Box Guitars, Antigravity Jars, and 22 Other Incredibly Cool Father-Daughter DIY Projects