Fall Accept Rate= 100%

ComputerWorld’s Sharktank column tells the story of security implemented wrong:

DECEMBER 13, 2005 (COMPUTERWORLD) – At the airport where this pilot fish works, security has gotten a lot more attention since 9/11. “All the security doors that connect the concourses to office spaces and alleyways for service personnel needed an immediate upgrade,” says fish. “It seems that the use of a security badge was no longer adequate protection.
“So over the course of about a month, more than 50 doors were upgraded to require three-way protection. To open the door, a user needed to present a security badge (something you possess), a numeric code (something you know) and a biometric thumb scan (something you are).
“Present all three, and the door beeps and lets you in.”
One by one, the doors are brought online. The technology works, and everything looks fine — until fish decides to test the obvious.
After all, the average member of the public isn’t likely to forge a security badge, guess a multidigit number and fake a thumb scan. “But what happens if you just turn the handle without any of the above?” asks fish. “Would it set off alarms or call security?
“It turns out that if you turn the handle, the door opens.
“Despite the addition of all that technology and security on every single door, nobody bothered to check that the doors were set to lock by default.”

That reminds me of a story Eric Cole tells of a company that spend millions installing biometric readers for access. The company is all proud of it, so while he is taking a tour they have him try it. In spite of not having access, the door opens. After nearly having a heart attack, they discover that the security system was left in a “open for anything” mode after the install.
Don’t merely test that it something correctly provides access. Test that it correctly denies access as well.