Having just issued a security awareness module on 'insider threats', I'm currently researching for a future topic on 'competitive intelligence' so this story caught my imagination. The mystery about US defense contractors working in Canada being bugged by coins containing miniature transmitters has been solved: the coins were a commemorative 'poppy' issue with a special protective coating that looked suspicious to alert defense people.
Regardless of the eventual outcome in this case, the way that the suspicious coins were identified and reported up the line demonstrates good security awareness. The contractors were evidently well aware of the possibility of being bugged, enough to spot and report the susicious coins. Their managers and clients, in turn, quickly raised the alarm and so the story spread. The authorities now admit that they did not fully validate the reports but it appears they chose to err on the side of caution. We call that 'fail-safe'.
If a similar situation occurred in a regular commercial setting, how many of you and your colleagues would have identified the possible threat, or reported it? Would any of your managers have given such a report even a second thought, let alone circulated a warning? Would someone have investigated and resolved the issue? That's called 'fail-open'. Or 'fail' for short.