<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: The Parkerian Hexad in Governance, Risk, Compliance</title>
    <link>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40316#M166</link>
    <description>&lt;P&gt;It's useful in so far as it extends the triad in ways that mightn't be immediately obvious to someone just starting out in InfoSec.&amp;nbsp; So when 'road warriors' have questioned what's this in the AUP about copying files back to the network or only storing them on one drive, you can think 'possession', if their device is lost/stolen/breaks then they haven't lost the only copy of their data.&amp;nbsp; You'd be surprised at the number of 'So how can IT get my data back?' questions these people ask.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 28 Oct 2020 16:09:46 GMT</pubDate>
    <dc:creator>Steve-Wilme</dc:creator>
    <dc:date>2020-10-28T16:09:46Z</dc:date>
    <item>
      <title>The Parkerian Hexad</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40272#M161</link>
      <description>&lt;P&gt;&lt;EM&gt;Hi All&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;What are people's thoughts on the Donn Parker - The Parkerian Hexad above and beyond the traditional CIA model? &lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;&lt;A href="https://www.staffhosteurope.com/blog/2019/03/cybersecurity-and-the-parkerian-hexad" target="_blank"&gt;https://www.staffhosteurope.com/blog/2019/03/cybersecurity-and-the-parkerian-hexad&lt;/A&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;Lend me your ears?&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;Regards&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;Caute_cautim&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 09:40:16 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40272#M161</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2023-10-09T09:40:16Z</dc:date>
    </item>
    <item>
      <title>Re: The Parkerian Hexad</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40274#M162</link>
      <description>&amp;gt; Caute_cautim (Community Champion) posted a new topic in Governance, Risk, Compliance on 10-26-2020 03:21 PM in the (ISC)² Community :&lt;BR /&gt;&lt;BR /&gt;&amp;gt; &amp;nbsp; What are people's thoughts on the Donn Parker - The Parkerian Hexad above and beyond the traditional CIA model?&lt;BR /&gt;&lt;BR /&gt;Anything Donn writes tends to be provocative and worth thinking about. However,&lt;BR /&gt;I can't honestly say that I find it worth adding to the triad. (But then, I think that&lt;BR /&gt;integrity is just a special case of availability, and the triad is too long. It should&lt;BR /&gt;just be CA.)&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@gmail.com rmslade@outlook.com rslade@computercrime.org&lt;BR /&gt;Morgan Philip: Remember, when you go out not to put on too much&lt;BR /&gt;makeup otherwise the boys will get the wrong idea and you know&lt;BR /&gt;how they are. They're only after one thing.&lt;BR /&gt;Giselle: What's that?&lt;BR /&gt;Morgan Philip: I don't know. Nobody will tell me. - Enchanted&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413" target="_blank"&gt;https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413&lt;/A&gt;</description>
      <pubDate>Mon, 26 Oct 2020 19:38:52 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40274#M162</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2020-10-26T19:38:52Z</dc:date>
    </item>
    <item>
      <title>Re: The Parkerian Hexad</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40287#M163</link>
      <description>&lt;P&gt;I find it to be duplicative and just clarifying a subset of the triad. Each of the extra 3 ideas just further explains one of the triad's main 3 points.&lt;/P&gt;&lt;P&gt;Possession or Control - Someone gets your data, OK you have a loss of confidentiality.&lt;/P&gt;&lt;P&gt;Authenticity - Is just Integrity with a fine tuning aspect turned on.&lt;/P&gt;&lt;P&gt;Utility - You encrypt your data and then lose the encryption key. Well the data isn't really available anymore then is it? The example they give in the article is a bad example. Saying that your data is still available AFTER you lose the decryption key? Being in possession of the data but not able to access it, still means you have lost availability. Someone changes your salary data into another currency is a loss of Utility? No I think that would be that your data has lost its integrity.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I feel the article did not make great arguments for adding these extra, CIA defining hexad elements.&lt;/P&gt;</description>
      <pubDate>Tue, 27 Oct 2020 11:31:13 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40287#M163</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-10-27T11:31:13Z</dc:date>
    </item>
    <item>
      <title>Re: The Parkerian Hexad</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40289#M164</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741"&gt;@Caute_cautim&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&lt;EM&gt;...&lt;/EM&gt;&lt;EM&gt;What are people's thoughts on the Donn Parker - The Parkerian Hexad above and beyond the traditional CIA model? &lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;John,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is where I must differ with both Grandpa Rob &lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1324864413"&gt;@rslade&lt;/a&gt;&amp;nbsp;and Scott &lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;. I have for many years preferred Donn's expanded set over the basic C-I-A. I agree that it is possible to read the three added attributes as supplementing or fine tuning the basic triad, but that is only one approach, which I believe is inadequate. The three bring their own strengths to the table to round out fundamental evaluation of your security posture.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. &lt;STRONG&gt;Possession or control&lt;/STRONG&gt;. Scott said this is just related to confidentiality. Well, not really. Particularly in this age of &lt;EM&gt;everything to the cloud&lt;/EM&gt;, who really has possession of and control over your data? Do you have legal contractual as well as technical provisions in place to ensure that the cloud service provider may not block you from your own data, either by accident or intentionally? As another example, who really owns your domain name? Did you contract with a hosting service that registered your domain name for you, and keeps the account in their name rather than yours? 
At renewal time will they hold you hostage for a price increase, or if you need to move to a higher-capacity provider, will they allow you to transfer the name away from their hosting servers?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2. &lt;STRONG&gt;Authenticity&lt;/STRONG&gt;. Data may pass all integrity checks of format validity and change-record and controls, but have you put in place procedures to ensure that the data came from legitimate and recognized sources? &lt;EM&gt;Integrity&lt;/EM&gt; focuses on not having existing data changed improperly. Authenticity has you considering how you got that data, from whom, and when.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;3. &lt;STRONG&gt;Utility&lt;/STRONG&gt;, also often called &lt;STRONG&gt;Usability&lt;/STRONG&gt;. This has always been high on my list as my interest, even long before I worked in information security, has been on human factors: How easily usable is your information not only for machine-to-machine use, but also for the expected human users. I really do not care whether you store telephone numbers in your database as 12 digits with no dividers (country code, area code, exchange, final number), or credit card numbers as 16 digits, but human perception absolutely guarantees that you will have extensive input and transcription errors if you insist that human users type in or read those data fields in that space-saving format. Allowing for multiple options of preferred human-friendly input and display formats is essential to supporting accurate transfer of the data when humans are in the input or transfer process.&lt;/P&gt;&lt;P&gt;Which format do you wish to see and type phone numbers?&lt;/P&gt;&lt;P&gt;013455551212&lt;/P&gt;&lt;P&gt;+01-345-555-1212&lt;/P&gt;&lt;P&gt;+01 (345) 555-1212&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;By the way, my favorite exposition of Donn's model is M. E. 
Kabay's presentation:&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.google.com/url?sa=t&amp;amp;rct=j&amp;amp;q=&amp;amp;esrc=s&amp;amp;source=web&amp;amp;cd=&amp;amp;ved=2ahUKEwjDzJ6m9tTsAhUCbq0KHUt2CfAQFjACegQIAxAC&amp;amp;url=http%3A%2F%2Fwww.mekabay.com%2Fcourses%2Facademic%2Fcsh6_lecture_notes%2Fcsh6_ch03_parkerian_hexad.pptx&amp;amp;usg=AOvVaw0U99U5mM39dTK4NC3Se-ys" target="_blank" rel="noopener"&gt;The Parkerian Hexad - ME Kabay&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 27 Oct 2020 13:58:58 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40289#M164</guid>
      <dc:creator>CraginS</dc:creator>
      <dc:date>2020-10-27T13:58:58Z</dc:date>
    </item>
    <item>
      <title>Re: The Parkerian Hexad</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40294#M165</link>
      <description>&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;The CIA Triad is usually in the first chapter of any intro to security textbook. There can't be any grey areas of, "well this may or may not fit here" because it's used to teach the basics of information security. The Triad is not a comprehensive "how to" or detailed list of all things to consider. It's a simple-to-use diagram that gets the point across of needing Confidentiality, Integrity, and Availability for information security. It's broad for a reason.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;If you want to use it to expand security concepts, that's great but the Triad itself is perfectly succinct for beginners.&lt;/FONT&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 27 Oct 2020 15:14:31 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40294#M165</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-10-27T15:14:31Z</dc:date>
    </item>
    <item>
      <title>Re: The Parkerian Hexad</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40316#M166</link>
      <description>&lt;P&gt;It's useful in so far as it extends the triad in ways that mightn't be immediately obvious to someone just starting out in InfoSec.&amp;nbsp; So when 'road warriors' have questioned what's this in the AUP about copying files back to the network or only storing them on one drive, you can think 'possession', if their device is lost/stolen/breaks then they haven't lost the only copy of their data.&amp;nbsp; You'd be surprised at the number of 'So how can IT get my data back?' questions these people ask.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 28 Oct 2020 16:09:46 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40316#M166</guid>
      <dc:creator>Steve-Wilme</dc:creator>
      <dc:date>2020-10-28T16:09:46Z</dc:date>
    </item>
    <item>
      <title>Re: The Parkerian Hexad</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40324#M167</link>
      <description>&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;I get it and I'm all for using this to help explain concepts out or think about this in different ways. I think the biggest issue&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp; and myself have is that the added categories of possession/control, authenticity, and utility already fit into the current Triad. It's like making a detailed list of the different Integrity and Availability threats.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;I believe more impact would come of making categories that don't fit. I'm even looking at Integrity a little differently because of&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1324864413"&gt;@rslade&lt;/a&gt;'s comment of it being a special case of Availability.&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/FONT&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 28 Oct 2020 18:58:10 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40324#M167</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-10-28T18:58:10Z</dc:date>
    </item>
  </channel>
</rss>

