Cybersecurity and the Parkerian Hexad
Donn B. Parker was a senior information systems management consultant and researcher on information and computer security and crime, as well as an international lecturer and author on these topics.
In 1998, ‘Information Security Magazine’ recognised him as one of the top five “Infosecurity Pioneers”, and in 2000 he was inducted into the ‘Information Systems Security Association’s Hall of Fame’, along with receiving a number of other prestigious awards.
Donn is best known for challenging the ‘CIA Triad’, which consists of 3 core elements: Confidentiality, Integrity and Availability. The CIA Triad’s 3 fundamental elements are recognised by every cybersecurity expert in the domain and are considered the heart of cybersecurity.
The CIA Triad
Parker proposed an alternative model to the classic CIA Triad, which he called the Parkerian Hexad, because he felt the Triad was insufficient to describe the totality of what we need to consider in the infosec field. His Hexad model added three further attributes: Possession or Control, Authenticity and Utility.
Many other cybersecurity professionals also consider the CIA model too limited, with some elements not covered properly. That is why Parker added the three additional elements. Recent events prove that attackers are aiming more and more at these additional elements than at the traditional ones.
These attributes of information are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.
The Parkerian Hexad
Confidentiality is essentially about the visibility of information: only the right parties should have access to certain information. This seems simple, but it remains one of the biggest challenges. A familiar example is the use of HTTPS when you visit a website with sensitive information, such as that of your bank. The connection carrying your data is encrypted, and because of this attackers cannot gain access to this information.
Possession or Control
For example, if attackers want to overload a service, they look for a large number of machines from which they can perform their attack simultaneously. They often use known problems in systems for this. They may steal data and not do anything with it, but the worry is that they could as and when they wanted to. This suggests a loss of control or possession of information.
In information security, data integrity means maintaining and assuring the accuracy and completeness of data over its entire lifecycle. Integrity focuses on the changeability of information as well as systems. In other words, no one should be able to alter information in an unauthorised or undetected manner.
Authenticity is where attackers focus today. It refers to the accuracy and truth of the origin of the information. For example, a digital signature could be used to verify the user of a digital document or indeed the integrity of the document. You have probably had to enter a code after logging in, which you received via SMS or email. This ensures that attackers cannot just take over your account with your password.
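The difference between integrity and authenticity described above can be shown in a few lines. This is an added example, not part of the original article: it uses an HMAC from the Python standard library as a stand-in for the digital signature mentioned above, and the key and messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; the key stands for a secret only the real sender holds.
SENDER_KEY = b"constructed-demo-key"
ORIGINAL = b"Pay 100 GBP to account 12345678"
FORGED = b"Pay 9000 GBP to account 87654321"


def digest(message: bytes) -> str:
    """Unkeyed SHA-256: anyone can compute a matching value for any message."""
    return hashlib.sha256(message).hexdigest()


def tag(message: bytes, key: bytes) -> str:
    """HMAC-SHA-256: only a holder of the key can compute a matching value."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def check(message: bytes, claimed_digest: str, claimed_tag: str) -> dict:
    """Receiver-side verification of one (message, digest, tag) bundle."""
    return {
        "integrity": hmac.compare_digest(digest(message), claimed_digest),
        "authenticity": hmac.compare_digest(tag(message, SENDER_KEY), claimed_tag),
    }


def scenarios() -> dict:
    good_digest, good_tag = digest(ORIGINAL), tag(ORIGINAL, SENDER_KEY)
    return {
        # Untouched bundle from the real sender.
        "genuine": check(ORIGINAL, good_digest, good_tag),
        # Message altered, digest and tag left as they were.
        "modified": check(FORGED, good_digest, good_tag),
        # Whole bundle replaced by someone without the key: the digest is
        # recomputed to match, the tag is made with a different key.
        "substituted": check(FORGED, digest(FORGED), tag(FORGED, b"wrong-key")),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:12} {result}")
```

The "substituted" case is the one a bare checksum misses: the bundle is internally consistent, so the integrity check passes, and only the keyed check shows it did not come from the expected origin.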
Fully functioning information systems need to be able to grant authorised access when needed. The systems used to store and process the information, along with the security controls used to protect it, and the communications channels used to protect it must be working correctly. Many different key roles are needed within a successful information security team for the CIA Triad to be provided efficiently.
Utility is all about usefulness. Imagine someone encrypted data on a disk in order to prevent unauthorised access or undetected modifications, but then they lost the decryption key. This example highlights a breach of utility. Whilst the data would be confidential, controlled, integral, authentic, and available, it just wouldn’t be useful in that form. Another example would be converting salary data from one currency into an inappropriate currency; this would also be a breach of utility. Utility is not to be confused with availability: a breach of utility may require time to work around the change in data format or presentation, but usefulness is distinct from availability.