Source: http://securityrenaissance.com/2007/04/11/the-c-i-a-triad-%e2%80%93-weighed-and-found-wanting/ (cached copy of the original article)
The C-I-A Triad – weighed and found wanting
2007-04-12 04:54:18 by Perry Carpenter in Security Renaissance
 

Believe it or not, the field of Information Security has changed! Foundational concepts such as the traditional C-I-A triad (Confidentiality, Integrity, and Availability) are being challenged and supplanted by a more inclusive model known as the Parkerian Hexad [1]. The Parkerian Hexad augments the traditional C-I-A triad with three additional elements, giving a set of six security principles.

[Figure 1: the C-I-A Triad]

The six principles of the Parkerian Hexad are:

  • Confidentiality
  • Integrity
  • Availability
  • Possession
  • Authenticity
  • Utility

The principles composing the Parkerian Hexad are non-overlapping: each principle can be violated independently of every other principle, and each is necessary in its own right to ensure that security is maintained. The six principles can, however, be mapped onto the three components of the traditional C-I-A model (see Figure 2) [2].

[Figure 2: the Parkerian Hexad mapped onto the C-I-A triad]

Below are definitions [3] for each principle, along with a brief scenario of how that element may be breached independently of the other elements.

  • Confidentiality: Limited observation and disclosure of knowledge. An example of an incident where confidentiality is compromised would be the early, unauthorized release (leak) of information about our latest marketing strategies, allowing our competitors to prepare counter-strategies.
  • Integrity: Completeness, wholeness, and readability of information and quality of being unchanged from a previous state. A simple example of a loss of integrity would be an employee modifying the body text of an email so as to create a false record of events (e.g. to show that Jane Doe said something that she did not really say).
  • Availability: Usability of information for a purpose. The explicit aim of a Denial-of-Service (DoS) attack is to compromise the availability of systems and data.
  • Possession: Holding, controlling, and having the ability to use information. Possession is the ability to truly own and control information and how it is used. We normally think of a loss of possession as unauthorized or unintentional copying of information. If, for example, an employee emails company information to a non-corporate email account, we no longer have sole possession. In extreme cases, a loss of possession can mean total loss of the information (e.g. loss or theft of backup tapes for which there is no other copy of the data). Notable real-world examples of a loss of possession include the loss of laptop computers or PDAs containing customer or employee data (e.g. SSNs, credit card numbers, personal health information, etc.).
  • Authenticity: Validity, conformance, and genuineness of information. The quality of authenticity is readily understood. As the above definition suggests, it is the quality of being "the real deal"; when something does not possess authenticity, it is said to be fraudulent. Examples of a lack of authenticity include the reproduction of employee ID badges, calling a help desk and posing as another individual, and falsifying records.
  • Utility: Usefulness of information for a purpose. Utility simply means that we can use the data, system, or device in the manner for which it exists. If, for example, a database, table, or other information is altered in such a way that it remains accurate but becomes unusable for its intended purpose, it has lost utility. A common example is the use of encryption to "kidnap" data for ransom: the data is encrypted without the owner's consent. In this and similar cases the victim retains possession of the data, and the data, technically, still has integrity (it would be unchanged once decrypted), yet it is useless to the owner without the key.

There is one exception to the general statement that these principles do not overlap: a breach of confidentiality always results in a loss of sole possession. Once confidentiality is compromised, the organization is no longer fully in possession of the data, because another party now holds it as well.

Understanding and communicating this newer model of Information Security should bring greater depth and clarity to security-related conversations: "we lost the data" can now distinguish between a leak (confidentiality), a stolen-but-unread laptop (possession), a forged record (authenticity), and a ransomed but otherwise intact file (utility).

______________________________

1. The “Parkerian Hexad” model was introduced by Donn B. Parker in his book Fighting Computer Crime (http://www.amazon.com/gp/product/0471163783/104-3218063-3795135).

2. Donn B. Parker suggests this mapping in his chapter "Toward a New Framework for Information Security", in The Computer Security Handbook, 4th Edition, John Wiley & Sons, 2002 (p. 5.8).

3. The definition statements for each element of the "Parkerian Hexad" are taken from The Computer Security Handbook, 4th Edition, John Wiley & Sons, 2002 (pp. 5.9–5.10).

Note: this post is an excerpt from one of the author's essays for Norwich University's MSIA program.
