End lusers are only part of the problem

16.08.2006

And beyond

I have more stories, and I suspect many of you do too. Clearly, improperly socialized security professionals create their own issues, whether because they don't bother taking reality into account or because they arrogantly assume users will make more than minor changes to their ways in order to accommodate the security system. Security policies that are difficult to follow will be bypassed by the users, and there's a good chance they'll create their own security problems in the resulting confusion.

It's also important to remember that when a regular user screws up, generally there's only so much damage they can do on a well-managed system. A small programming error, on the other hand, can wreak major havoc. A couple of lines of bad code in a power-management facility, for instance, can cause and have caused major outages. The recent leak of America Online user searches was caused by a small mistake from a privileged user. Just remember the new old saying, "To err is human; to really screw up takes an administrator."