[FDE] How important is FIPS 140-2 Level 1 cert?
dan at geer.org
Wed Dec 20 12:55:09 MST 2006
"Saqib Ali" writes:
-+-----------------
| I would like to know how much weight people usually give to the
| FIPS 140-2 Level 1 certification.
|
| If two products have exactly the same feature set, but one is FIPS
| 140-2 Level 1 certified but costs twice as much, would you go for it,
| considering that Level 1 is the lowest?
|
Saqib,
I do not know the answer to your question,
but what you are looking for is known as
the point of indifference -- the differential
at which the consumer is indifferent between
two alternatives. Two factors play in this:
absolute limits, if any, that prevent this game
from being played ("I won't spend over $100
on anything regardless"), and risk aversion.
Risk aversion is the more interesting one,
and folks with a decision analysis background
will know several ways to assess this. At the
risk of self-advertisement, see slides 100-115
in geer.tinho.net/measuringsecurity.tutorial.pdf
for a short explanation of what I am talking
about. (That 4-month-old version of the tutorial
will shortly be replaced with a new rev. Ask
me more questions, offlist or onlist, if you
want to pursue this.)
--dan