What are peoples thoughts on the Donn Parker - The Parkerian Hexad above and beyond the traditional CIA model?
Lend me your ears?
I find it to be duplicative and just clarifying a subset of the triad. Each of the extra 3 ideas just further explain one of the triad's main 3 points.
Possession or Control - Someone gets your data, OK you have a loss of confidentiality.
Authenticity - Is just Integrity with a fine tuning aspect turned on.
Utility - You encrypt your data and then lose the encryption key. Well the data isn't really available anymore then is it? The example they give in the article is a bad example. Saying that your data is still available AFTER you lose the decryption key? Being in possession of the data but not able to access it ,still means you have lost availability. Someone changes your salary data into another currency is a loss of Utility? No I think that would be that your data has lost it's integrity.
I feel the article did not make great arguments for adding these extra, CIA defining hexad elements.
...What are peoples thoughts on the Donn Parker - The Parkerian Hexad above and beyond the traditional CIA model?
Here is where I must differ with both Grandpa Rob @rslade and Scott @CISOScott . I have for many years preferred Donn's expanded set over the basic C-I-A. I agree that it is possible to read the three added attributes as supplementing or fine tuning the basic triad, but that is only one approach, which I believe is inadequate. The three bring their own strengths to the table to round out fundamental evaluation of your security posture.
1. Possession or control. Scott said this is just related to confidentiality. Well, not really. Particularly in this age of everything to the cloud, who really has possession of and control over your data. Do you have legal contractual as well as technical provisions in place to ensure that the cloud service provider may not block you from our own data, either by accident or intentionally? As another example, who really owns your domain name? Did you contract with a hosting service that registered your domain name for you, and keeps the account in their name rather than yours? At renewal time will they hold you hostage for a price increase, or if you need to move to a higher-capacity provider, will they allow you to transfer the name away from their hosting servers?
2. Authenticity. Data may pass all integrity checks of format validity and change-record and controls, but have you put in place procedures to ensure that the data came from legitimate and recognized sources? Integrity focuses on not having existing data changed improperly. Authenticity has you considering how you got that data, from whom, and when.
3. Utility, also often called Usability. This has always been high on my list as my interest, even long before I worked in to information security, has been on human factors: How easily usable is your information not only for machine-to-machine use, but also the expected human users. I really do not care whether you store telephone numbers in your database as 12 digits with no dividers (country code, area code, exchange, final number), or credit card numbers as 16 digits, but human perception absolutely guarantees that you will have extensive input and transcription errors if you insist that human users type in or read those data fields in that space-saving format. Allowing for multiple options of preferred human-friendly input and display formats is essential to supporting accurate transfer of the data when humans are in the input or transfer process.
Which format do you wish to see and type phone numbers?
+01 (345) 555-1212
by the way, my favorite exposition of Donn's model is M. E. Kabay's presentation:
The CIA Triad is usually in the first chapter of any intro to security textbook. There can't be any grey areas of, "well this may or may not fit here" because it's used to teach the basics of information security. The Triad is not a comprehensive "how to" or detailed list of all things to consider. It's a simple to use diagram that gets the point across of needing Confidentially, Integrity, and Availability for information security. It's broad for a reason.
If you want to use it to expand security concepts, that's great but the Triad itself is perfectly succinct for beginners.
It's useful in so far as it extends the triad in ways that mightn't be immediately obvious to someone just starting out in InfoSec. So when 'road warriors' have questioned what's this in the AUP about copying files back to the network or only storing them on one drive, you can think 'possession', if their device is lost/stolen/breaks then they haven't lost the only copy of their data. You'd be surprised as the number of 'So how can IT get my data back?' questions these people ask.
I get it and I'm all for using this to help explain concepts out or think about this in different ways. I think the biggest issue @CISOScott and myself have is that the added categories of possession/control, authenticity, and utility already fit into the current Triad. It's like making a detailed list of the different Integrity and Availability threats.
I believe more impact would come of making categories that don't fit. I'm even looking at Integrity a little differently because of @rslade's comment of it being a special case of Availability.