The development of best practices and checklists to improve system security has popularized techniques and technologies for strengthening systems. These techniques provide a basis for teaching the importance of assumptions in computer and information security, and the necessity of questioning them. We present an example of analyzing a set of security guidelines to determine the underlying assumptions, and give examples of how to demonstrate the importance of the assumptions to the effectiveness of the guidelines.