This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact if you have any questions about the US-CERT website archive.

Assume that Human Behavior Will Introduce Vulnerabilities into Your System

Author(s): William L. Fithen
Maturity Levels and Audience Indicators: L4 / D/P
SDLC Life Cycles: Implementation
Copyright: Copyright © Carnegie Mellon University 2005-2012.


People introduce vulnerability.


This is the superclass of guidelines related to human behavior. It is presently a placeholder. We have not defined any subsidiary guidelines and, for the present, do not intend to. It is meant to make clear the dichotomy between technologically and socially related advice.

Note that the existence of this class is predicated on the assumption that the "system" under discussion does include the humans who use it.

There is a distinction between the behavior of the "good guys" and that of the "bad guys." We do not regard adversary behavior as falling under this class. This class covers what might be called "inappropriate" good guy behavior, sometimes called "abuse." Adversarial behaviors are covered in an entirely different group of documents called "attack patterns."