What clear expectations should we set for security practices?