> Caute_cautim (Community Champion) posted a new topic in Governance, Risk, Compliance on 10-26-2020 03:21 PM in the (ISC)² Community :

>   What are peoples thoughts on the Donn Parker - The Parkerian Hexad above and beyond the traditional CIA model?

Anything Don writes tend to be provocative and worth thinking about. However,
I can't honestly say that I find it worth adding to the triad. (But then, I think that
integrity is just a special case of availability, and the triad is too long. It should
just be CA.)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Morgan Philip: Remember, when you go out not to put on too much
makeup otherwise the boys will get the wrong idea and you know
how they are. They're only after one thing.
Giselle: What's that?
Morgan Philip: I don't know. Nobody will tell me. - Enchanted
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

I find it to be duplicative and just clarifying a subset of the triad. Each of the extra 3 ideas just further explain one of the triad's main 3 points.

Possession or Control - Someone gets your data, OK you have a loss of confidentiality.

Authenticity - Is just Integrity with a fine tuning aspect turned on.

Utility - You encrypt your data and then lose the encryption key. Well the data isn't really available anymore then is it? The example they give in the article is a bad example. Saying that your data is still available AFTER you lose the decryption key? Being in possession of the data but not able to access it ,still means you have lost availability. Someone changes your salary data into another currency is a loss of Utility? No I think that would be that your data has lost it's integrity.

 

I feel the article did not make great arguments for adding these extra, CIA defining hexad elements.

---

@Caute_cautim wrote:

...What are peoples thoughts on the Donn Parker - The Parkerian Hexad above and beyond the traditional CIA model?

John,

 

Here is where I must differ with both Grandpa Rob @rslade and Scott @CISOScott . I have for many years preferred Donn's expanded set over the basic C-I-A. I agree that it is possible to read the three added attributes as supplementing or fine tuning the basic triad, but that is only one approach, which I believe is inadequate. The three bring their own strengths to the table to round out fundamental evaluation of your security posture.

 

1. Possession or control. Scott said this is just related to confidentiality. Well, not really. Particularly in this age of everything to the cloud, who really has possession of and control over your data. Do you have legal contractual as well as technical provisions in place to ensure that the cloud service provider may not block you from our own data, either by accident or intentionally? As another example, who really owns your domain name? Did you contract with a hosting service that registered your domain name for you, and keeps the account in their name rather than yours? At renewal time will they hold you hostage for a price increase, or if you need to move to a higher-capacity provider, will they allow you to transfer the name away from their hosting servers?

 

2. Authenticity. Data may pass all integrity checks of format validity and change-record and controls, but have you put in place procedures to ensure that the data came from legitimate and recognized sources? Integrity focuses on not having existing data changed improperly. Authenticity has you considering how you got that data, from whom, and when.

 

3. Utility, also often called Usability. This has always been high on my list as my interest, even long before I worked in to information security, has been on human factors: How easily usable is your information not only for machine-to-machine use, but also the expected human users. I really do not care whether you store telephone numbers in your database as 12 digits with no dividers (country code, area code, exchange, final number), or credit card numbers as 16 digits, but human perception absolutely guarantees that you will have extensive input and transcription errors if you insist that human users type in or read those data fields in that space-saving format. Allowing for multiple options of preferred human-friendly input and display formats is essential to supporting accurate transfer of the data when humans are in the input or transfer process.

Which format do you wish to see and type phone numbers?

013455551212

+01-345-555-1212

+01 (345) 555-1212

 

 

by the way, my favorite exposition of Donn's model is M. E. Kabay's presentation:

The Parkerian Hexad - ME Kabaywww.mekabay.com › csh6_ch03_parkerian_hexad

 

Craig

 

The CIA Triad is usually in the first chapter of any intro to security textbook. There can't be any grey areas of, "well this may or may not fit here" because it's used to teach the basics of information security. The Triad is not a comprehensive "how to" or detailed list of all things to consider. It's a simple to use diagram that gets the point across of needing Confidentially, Integrity, and Availability for information security. It's broad for a reason.

 

If you want to use it to expand security concepts, that's great but the Triad itself is perfectly succinct for beginners.