You certainly cannot tell before you test it that such a product will operate as advertised, so there are probably no characteristics of search goods in these products. On the other hand, cryptographic products seem to have many characteristics of credence goods and few characteristics of other types. The fact that the rate of missed attacks may be acceptably low, although you cannot actually verify it, also gives IDSs some credence characteristics. At the same time, the trade-off between Type I and Type II errors that you need to make for an IDS means that a deployed IDS is probably also missing some attacks on your network, so you won't be aware of those. You can easily review the product's logs to verify that a deployed IDS is stopping some attacks on your network, so it has some experience characteristics. Similarly, information security products can have aspects of more than one category. Cars have some search characteristics, such as color, and some experience characteristics, such as fuel efficiency. Products cannot always be classified as purely search goods, experience goods, or credence goods, and real products often have aspects of each category. It is always possible that a clever adversary could develop an attack that lets him defeat the encryption that you are using, and he could then carry out this attack, perhaps reading encrypted messages, and you would have absolutely no idea that he was doing it. Even after you use encryption, you are never quite sure that it is protecting you. It takes expensive and uncommon skills to verify that data is really being protected by the use of encryption, and most people cannot easily distinguish between very weak and very strong encryption. ![]() Products that implement encryption are probably credence goods. Many medicines are credence goods, because it is difficult to tell if your recovery was really due to the medication, a placebo effect, or even simply your body recovering on its own. Organically grown produce and meat from animals raised in humane conditions are examples of credence goods it is very difficult to verify these particular properties, even after you consume goods that have them. ![]() You cannot tell before you deploy it whether or not antivirus software or an intrusion detection system (IDS) will really protect your network, for example, but you can observe warning messages and review the logs of the products after they have been deployed to verify that they are actually working.Ĭredence goods have properties that cannot easily be checked, either before or after they are consumed. Many security products are probably experience goods. If you are looking for a car with a certain fuel efficiency, perhaps getting at least 35 miles per gallon under your typical driving conditions, you cannot tell this just by looking at the car itself (although this is why laws mandate that this information be provided to consumers), but you can easily test it. Very few, if any, information security products fall into this category.Įxperience goods have properties that are not obvious before you consume them but that are easy to verify after you consume them. If you are in the market for a red car, for example, it is easy to check if a potential purchase is really red. Search goods have properties that are easy to check before you consume them. Lending credence to encryptionĮconomists divide goods into three types-search goods, experience goods, and credence goods-whose differences depend on how easy it is for consumers to verify their properties. Understanding why this makes sense requires a digression into economics. Today, the most important criterion is to use encryption that has been validated against the US government’s Security Requirements for Cryptographic Modules standard, also known as FIPS 140-2. ![]() While there is an easy way to help select encryption technology that's suitable for most business uses, that approach may not quite give you what you expect, and is a good example of why being regulatory-compliant and being secure are not the same thing. It comes with its own set of incomprehensible abbreviations and acronyms, and understanding the details of how it works requires a few years of graduate-level mathematics. Encryption is a difficult and tricky topic.
0 Comments
Leave a Reply. |