When specifying an embedded system-to-be, a key consideration is how the embedded system will interact with its operating environment. Of particular concern is the system's vulnerability to Off-Nominal Behaviors (ONB) from human interaction. ONB vulnerability can result in human operators placing the system in an undesired state through an unforeseen sequence of events. This, in turn, can have an adverse effect on the system’s quality. Reducing ONB vulnerability can be challenging because human behavior can be unpredictable and stakeholders have a natural tendency to assume the system will be used in a predictable, nominal, manner. One approach to reducing ONB vulnerability is to specify the system as "fool-proof" as possible, during the requirements phase, where access to domain experts is at its most convenient. This also raises awareness of potential ONB problems prior to the design phase, rather than after implementation where, quite often, ONBs are addressed through off-nominal testing. This paper presents a checklist of requirement elicitation questions that can result in lower ONB vulnerability. The checklist is derived from lessons learned from using a newly developed requirements model, the Causal Component Model, on several sets of requirements. The checklist, along with an introduction to the Causal Component Model, and how it can be a useful addition to a model based design methodology, is presented in this paper.