After almost 30 years in IT, I've built up a good stock of stories. So it occurred to me to write some of them down. Remember - the names have been changed to protect the innocent, the guilty on the other hand ... Enjoy.
The security junior
My first IT job was at a major mainframe site. We had two DECs, an IBM 3083 and 3090 mainframes. Despite having no degree or experience, I had talked my way into a "Production Support" job here back in the 1980's. A time before the average workplace had PCs on desks. The company supplied access to the four mainframes via a network to numerous sites all over the country and I was originally hired in an operations role, running around the computer room filing massive printouts of batch runs, taking tapes to offsite storage, etc.
I quickly used my spare time to start digging into the machines, particularly the IBMs, and was given the role of managing security on them. Sounds glamorous but mostly this consisted of adding and updating accounts. At that time it was all command line on text based green screens. Naturally being the curious type, this wasn't good enough for me and I quickly started hacking together scripts and text based UIs to manage user accounts and the like.
After some time one of the other Production Support people was assigned as a junior to me to help out when needed. So I started talking to him about security and the sorts of things that could occur. After some time I noticed that despite what I had been telling him, he had not checked his own accounts and locked them up. After several reminders I got the impression he didn't really understand what a little malicious intent could do, so I decided to 'show' him exactly what I was talking about.
I waited until he had left for the day and then using a fresh user account, accessed his file area and modified a script I knew he used all the time. The next day he logged on and a short time later, ran the script. It did it's work and notified me it had finished. I then went and told him he had just given me access to some files that technically I should not have access to. Being head of security I of course have access to anything I want. But that was not the point. I told him how the script worked how it deleted itself after it finished. And how from a logging point of view, it would appear that he had done the changes. Shortly after his accounts where locked up tight.
Sometimes telling people isn't enough. You have to show them.