The Register® — Biting the hand that feeds IT

A Geeks Guide2 ...Schneier on Security

Anonymous Coward

Always the users 

The irony is the security tools are now being used by the crackers to leverage advantage.

And how many times do you see a security consultant advise a course of action that is just the same as cracking?

There is no money in being the good guy in security at the coal face; better to just respond to the problems, or comment on them.

Allan Dyer

Thinking Securely 

Coat

@AC - I don't think I understand your accusation. Are you saying you've heard security consultants saying something like, "The best way to protect your e-commerce site is to break in yourself and steal all the money/goods/credit card numbers, before the bad guys do!" Reminds me of the story about the business executive worried that there was a 1/1000 chance of someone taking a bomb onto his flight, his advisers told him to take a bomb himself, the chances of two bombs on one flight being only 1/1000000.

One problem is users not thinking securely, another is managers looking for a quick technological fix. Recent case: staff not listening to a doorphone before opening the door from their desks. Manager's request: install a camera so staff can see the visitor from their desks. My response: expensive solution that doesn't work, why will they look at the screen when they don't bother to listen? Cheap alternative: disable the open door from desk feature. Staff have to walk to the door and meet the visitor. Also, train the staff better, encourage them to think that security is part of their job.

Mine's the one with the meaningless "employee ID" badge, and the list of executives' pets' names in the pocket.
