I would like to know how the Common Criteria and EAL of a product determine how much security is acceptable. Below is the assignment question:
Sometimes commercial products include the fact that they are approved to meet Common Criteria at some specified Evaluated Assurance Level (often EAL 3 or EAL 4) in the product literature. Assuming that this is a true claim (verify it by looking at the “evaluated products list” on the National Information Assurance Partnership website), why is this not enough to just say “this product meets our security requirements”? Discuss what else needs to be considered before selecting such a product for a system.