Why security decisions should never be made on paper alone