- Assume the users will read the security policy because you've asked them to.
- Assume that policies don't apply to executives.
- Make someone responsible for managing risk, but don't give the person any power to make decisions.
- Expect end-users to forgo convenience in place of security.
- Say "no" whenever asked to approve a request.
- Stop learning about technologies and attacks.
- Hire somebody just because he or she has a lot of certifications.
- Don't cross-train the IT and security staff.
- Expect your users to remember passwords without writing them down.
Very entertaining and informative read with total of about 4 dozen points. Now if I could only find a way to get management to read it.