People introduce vulnerability.
This is the superclass of guidelines related to human behavior. It is presently a placeholder. We have not defined any subsidiary guidelines and, for the present, do not intend to. It is meant to make clear the dichotomy between technologically and socially related advice.
Note that the existence of this class is predicated on the assumption that the "system" under discussion does include the humans who use it.
There is a distinction between the behavior of the "good guys" and the "bad guys." We do not regard adversary behavior as falling under this class. This class covers what might be called "inappropriate" good-guy behavior, sometimes called "abuse." Adversarial behaviors are covered in an entirely different group of documents called "attack patterns."
Copyright © Carnegie Mellon University 2005-2012.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at firstname.lastname@example.org.
The Build Security In (BSI) portal is sponsored by the U.S. Department of Homeland Security (DHS), National Cyber Security Division. The Software Engineering Institute (SEI) develops and operates BSI. DHS funding supports the publishing of all site content.
THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.