Biomedicine has a Journal of Negative Results in Biomedicine, edited by Bjorn Olsen from Harvard. Could a Journal of Negative Results in Security and Privacy be viable? Perhaps it’s quixotism, considering the persistent lack of reliable metrics to measure even positive outcomes in these domains. But the absence of “it should do X”-criteria does not imply impossibility to establish “it should NOT do -X” or “it should not do Y”-criteria. Marked for further deliberation.