Generally speaking, I hate "what-if" scenarios. Why waste time worrying about things that don't exist? Of course, the continued threat of terrorism has what-ifs swirling through my head all the time. I don't like it, but it's now a fact of life.

On a less serious note, allow me to throw out some harmless what-if scenarios. My friend Wayne has the PIN number for his ATM card written on the back of the card. What if I swiped his card and raided his account? I wouldn't keep the money, of course; I'd just try to teach him a lesson. Then there's Marcus, who has his computer passwords on a sticky note next to his PC. The passwords haven't been changed in so long that the note has long since lost its stickiness. What if I accessed his E-mail and sent out messages on his behalf? They wouldn't be harmful; just something to teach him a lesson.

I don't plan to do these things. But I'm trying to make a point. I've been writing a lot about moral and ethical behavior lately, and I don't mean to beat a dead horse, but there seems to be an increase of "it's for your own good" behavior in the business world these days. It's a philosophy that the Deceptive Duo espouses, if you ask me (see "Deceptive Duo Preys On Poor Security Practices", May 6, p. 28). Whether you agree with this kind of behavior is a matter of opinion. But are you prepared if one of them comes knocking on your network? And do you want potentially illegal activity to teach you the lesson? Senior editor George V. Hulme takes you into the world of hacker Adrian Lamo on page 22.

Let me give you some good news about information security. The number of business-technology managers reporting attacks by malicious or otherwise annoying viruses has declined dramatically since last year, according to our annual Global Information Security Survey (see p. 36). So have denial-of-service attacks and other intrusive behavior. Are preventative technologies getting better and business-technology managers getting tougher? Or are the virus creators and hackers getting less sophisticated? There's no doubt that many managers have bolstered their technology defense systems. That's in part because of several high-profile security threats (as well as the potential threat of cyberterrorism following Sept. 11). But it's not time to let your guard down. The threat of more targeted, sophisticated attacks looms large. What's worse, some companies probably don't even know when, or if, they're under attack.

Getting back to the what-ifs, I'll admit my disdain for such scenarios is, well, unrealistic. When it comes to information security, your best bet is to explore every scenario and react appropriately. What if you aren't prepared? What if Adrian Lamo decides to peek into your network? What if some bored college student thinks it would be fun to infect your company with a virus? Or worse, what if it's already happening and you don't even know about it?

To discuss this column with other readers, please visit Stephanie Stahl's forum on the Listening Post.

To find out more about Stephanie Stahl, please visit her page on the Listening Post.