----- Original Message ----- 
From: "Ian Grigg" <[EMAIL PROTECTED]>

> * In contrast, someone who knows little about cars,
> can objectively evaluate a car.  They can take it
> for a test drive and see if it feels right.  Using
> it is proving it.

I'm not totally convinced of this...  Someone with little knowledge about
cars might see the difference between a KIA and a Mercedes in one test
drive, but I would think that most affordable cars seem to drive the same
in a simple test drive (at least from my experience).  But what
a person will do is talk to his friends and get feedback; he'll learn that
some types of cars have a bad reputation and others seem to be good.
This is also done in security; take for example host security modules used
by banks: most banks make their choice based on the vendor's reputation.
Unfortunately this choice is often influenced by publicity (and the more a
certain company sells, the more money it makes, the more publicity it can
afford, the more it will sell, even if its product is not the best).

There is a marketing rule that states that there is one product that
dominates its field in every category and gets about 80% of all sales, then
there are 1-3 other products that battle for second place, and all others get
almost nothing.  (For example, for cola, Coke is number 1, with Pepsi
coming second.)  I don't think security products are an exception to
this.

Another way people choose products is if they are recommended.  For
example, I buy a certain toothpaste because it is recognized by the
Canadian Dental Association.  This is a sort of certification.  There are
certainly other examples of products in everyday life that get this type
of certification, which influences people's choices.  Of course, publicity
also has some degree of influence here as well.

There are no official security associations recognized by the government
that include most of the security experts we know; rather, what exists is
certain standards that the government itself decides upon and that are used
(FIPS 140, CC).  This lack of an independent security association of
which any security expert can become a member is maybe the root
of the problem?

--Anton

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]