Security Basics mailing list archives
Re: [FDE] How important is FIPS 140-2 Level 1 cert?
From: dan () geer org
Date: Wed, 20 Dec 2006 14:55:09 -0500
"Saqib Ali" writes:
-+-----------------
 | I would like to know how much weight people usually give to the
 | FIPS 140-2 Level 1 certification.
 |
 | If two products have exactly same feature set, but one is FIPS
 | 140-2 Level 1 certified but cost twice. Would you go for it,
 | considering the Level 1 is the lowest.
 |

Saqib,

I do not know the answer to your question, but what you are looking for is known as the point of indifference -- the differential at which the consumer is indifferent between two alternatives. Two factors play in this: absolute limits, if any, that prevent this game from being played ("I won't spend over $100 on anything regardless"), and risk aversion. Risk aversion is the more interesting one, and folks with a decision analysis background will know several ways to assess this.

At the risk of self-advertisement, see slides 100-115 in geer.tinho.net/measuringsecurity.tutorial.pdf for a short explanation of what I am talking about. (That 4-month-old version of the tutorial will shortly be replaced with a new rev. Ask me more questions, offlist or onlist, if you want to pursue this.)

--dan