An intruder must be expected to use any available means of penetration. The penetration may not necessary be by the most obvious means nor is it necessarily the one against which the most solid defense has been in stalled. This principle implies that computer security specialists must consider all possible means of penetration.

Moreover the penetration analysis must be done repeatedly and especially whenever the system and its security change. Strengthening one aspect of a system may simply make another means of penetration more appealing to intruders.