Security Basics mailing list archives

Re: [FDE] How important is FIPS 140-2 Level 1 cert?


From: dan () geer org
Date: Wed, 20 Dec 2006 14:55:09 -0500


"Saqib Ali" writes:
-+-----------------
 | I would like to know how much weight people usually give to the
 | FIPS 140-2 Level 1 certification.
 | 
 | If two products have exactly the same feature set, but one is FIPS
 | 140-2 Level 1 certified and costs twice as much, would you go for it,
 | considering that Level 1 is the lowest?
 | 

Saqib,

I do not know the answer to your question,
but what you are looking for is known as
the point of indifference -- the differential
at which the consumer is indifferent between
two alternatives.  Two factors play in this:
absolute limits, if any, that prevent this game
from being played ("I won't spend over $100
on anything regardless"), and risk aversion.

Risk aversion is the more interesting one,
and folks with a decision analysis background
will know several ways to assess this.  At the
risk of self-advertisement, see slides 100-115
in geer.tinho.net/measuringsecurity.tutorial.pdf
for a short explanation of what I am talking
about.  (That 4-month-old version of the tutorial
will shortly be replaced with a new rev.  Ask
me more questions, offlist or onlist, if you
want to pursue this.)

--dan
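A worked example of the two factors named above (an absolute spending limit, and risk aversion setting the point of indifference), added here as an illustration and not part of Dan's post or of the tutorial he links. It models the buyer with an exponential (constant absolute risk aversion) utility function, which is one of the standard decision-analysis tools for this and has the convenience that current wealth cancels out. Everything numeric is constructed for the example: the prices, the probability and size of an incident for each product, and the assumption that the certified product carries a lower incident probability at all. None of that comes from the thread; the point is only to show how the same price premium can be rejected by a risk-neutral buyer and accepted by a risk-averse one.

```python
import math

# Constructed loss lotteries, one per product: list of (probability, loss in dollars).
# The figures are illustrative assumptions, not data from the thread.
UNCERTIFIED = [(0.95, 0.0), (0.05, 100_000.0)]   # 5% chance of a $100k incident
CERTIFIED = [(0.98, 0.0), (0.02, 100_000.0)]     # assumed lower incident probability


def certainty_equivalent_loss(outcomes, a):
    """Certain loss the buyer would accept in place of the lottery `outcomes`.

    Uses exponential utility U(w) = -exp(-a * w) with absolute risk aversion a.
    Under that utility the buyer's wealth cancels out, and the certainty
    equivalent of a loss lottery X is (1/a) * ln(E[exp(a * X)]).
    a == 0 is the risk-neutral buyer, for whom it is just the expected loss.
    """
    if not math.isclose(sum(p for p, _ in outcomes), 1.0):
        raise ValueError("probabilities must sum to 1")
    if a < 0:
        raise ValueError("risk aversion coefficient must be >= 0")
    if a == 0:
        return sum(p * loss for p, loss in outcomes)
    return math.log(sum(p * math.exp(a * loss) for p, loss in outcomes)) / a


def indifference_premium(uncertified, certified, a):
    """Largest extra price for the certified product at which the buyer is
    indifferent between the two: the drop in certainty-equivalent loss."""
    return (certainty_equivalent_loss(uncertified, a)
            - certainty_equivalent_loss(certified, a))


def choose(price_uncertified, price_certified, uncertified, certified, a,
           hard_limit=None):
    """Pick a product. `hard_limit` is the absolute cap ("I won't spend over
    $X regardless"); if the certified product breaks it, the trade-off is
    never evaluated at all.  Otherwise compare the asked premium with the
    point of indifference for this buyer's risk aversion."""
    if hard_limit is not None and price_certified > hard_limit:
        return "uncertified"
    premium = price_certified - price_uncertified
    if premium <= indifference_premium(uncertified, certified, a):
        return "certified"
    return "uncertified"


if __name__ == "__main__":
    # Constructed prices: the certified product costs twice as much.
    p_unc, p_cert = 4_000.0, 8_000.0
    for a in (0.0, 1e-5, 2e-5):
        d = indifference_premium(UNCERTIFIED, CERTIFIED, a)
        print(f"a={a:.0e}: indifference premium ${d:,.0f} "
              f"-> {choose(p_unc, p_cert, UNCERTIFIED, CERTIFIED, a)}")
    print("with a $5,000 hard limit:",
          choose(p_unc, p_cert, UNCERTIFIED, CERTIFIED, 1e-5, hard_limit=5_000))
```

With these constructed numbers the risk-neutral buyer's point of indifference is the $3,000 difference in expected loss, so the $4,000 premium is declined; a buyer with a = 1e-5 values the certified product's narrower loss distribution at roughly $4,860 and accepts the same premium, and a more risk-averse buyer values it higher still. The hard limit short-circuits all of that, which is exactly the first factor Dan lists.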

