Schneiers Gates comments followed some anecdotes about how everyone can help solve the security problems facing all enterprises. "Get involved," he said. "Thats how we make changes. Otherwise security is something done to us." Most security systems affect multiple parties, he explained, but usually only one person makes the decision about how security is implemented. "At this point its a negotiation. The players with most power are the ones who get to decide what the final answer is," Schneier said. "The best way to effect security is to gain power in negotiations. The best way is to change the environment in which security decisions are being made. Change the agenda of the players. Change the outcome."Schneier said one of the best and simplest "security systems" hes seen is the local convenience store or fast food restaurant that displays a sign at the cash register that says, "Purchase free if you dont get a receipt." The system is not designed as a customer service, as it may appear, he said. Rather, its a means of co-opting the customer into keeping an eye on the store employee who may be suspected of skimming from the cash register. Nevertheless, the customer will be watching if he knows he could get something for free. "Good security systems are in line with their capabilities," he said. "The store manager is hiring you, aligning your interests with your capabilities. Very cheap security system. For the money its really good. Thats what we should strive for in security systems. The goal is to make them as effective as possible and work with the natural tendencies of people already there." Check out eWEEK.coms Security Center at security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com Security newsfeed to your RSS newsreader:
Every person has to make security work for himself, he said. "The goal of security systems is the most security for the least amount of trade-offs. The way to do that is to make the party who is best able to mitigate the risk responsible for the risk," he said, saying that computer software companies at this point do not share in the risks of software security or insecurity.