All that being said in most cases having a rough simulation is sufficient to validate the behaviour of an application on WAN before deployment.
For those interested there is an excellent, 13-year-old but still relevant paper about latency: http://rescomp.stanford.edu/~cheshire/rants/Latency.html
This morning I had my son (4.5y) asking me to get him outside to ride his bicycle.
So I've asked him in turn to plan the whole thing: getting dressed, going to the place where the bicycle is stored, getting the key to open the door etc.
It was hard for him but he managed to have an "executive" plot.
So I think I'll do that little exercise again.
As a side note: it would be interesting to conduct a similar study on a representative population of executive officers and financial experts.
Hint for parents: to *always* explain why you want your kid to do such and such a thing is a wrong path; they must know that there are circumstances (until a certain age) in which questioning parental authority is not allowed (and *that* could be explained: you are totally accountable for what they do and what happens to them).
I shudder when I think of one company that I worked with. They are a very high level financial institution. Guess what their AIX HMC passwords are? Can you get to them from the outside world? Yep. Could I down their production servers, a year after I worked there? Yep. Are they considered compliant to DSS/PCI standards? Yep.
I suppose the AIX servers were in the PCI environment (otherwise your comment is out of scope).
Then the situation you describe probably violates the following requirements:
req. 2.1: "Don't use default passwords"
req. 8.5.4 "Immediately revoke access for any terminated users."
req. 8.5.5 "Remove/disable inactive user accounts at least every 90 days."
req. 8.5.6 "Enable accounts used by vendors for remote maintenance only during the time period needed."
req. 8.5.8 "Do not use group, shared, or generic accounts and passwords."
req. 8.5.9 "Change user passwords at least every 90 days."
req. 8.5.10 "Require a minimum password length of at least seven characters."
About the fact that you can connect to the servers from outside: that means no segmentation, which in turn means that the whole internet is to be considered part of the PCI environment of this company.
Now please tell me by WHOM are they considered compliant?
Being a financial institution means that they are a provider (and may be a merchant too); they certainly have to be audited by a QSA (a self-assessment questionnaire would not be sufficient), which could mean one of two things:
The QSA did not do his job properly
The company concealed things from the QSA
Many people are unenthusiastic about their work.