Talk:Parkerian Hexad
I believe that the Parkerian Hexad is useful in some situations. However, I cannot accept the assertion that the three new attributes are "atomic" or "non-overlapping" in any general sense.
Consider the example given for Authenticity:
"Similarly, misusing a field in a database to store information that is incorrectly labeled is a breach of authenticity; e.g., storing a merchant's tax code in a field labeled as the merchant's ZIP code would violate the authenticity of the information."
This can easily be classified as a breach of integrity: The zip code field used to have the zip code, now that data has been corrupted.
Also, consider the example of utility.
"For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form."
Perhaps the "data on the disk" are available, but the data that I put into the system is not available in this case. I think it's a classic breach of availability. I think that if data is formatted incorrectly for my system, then it isn't available. It's quite useful to talk about utility as a concept, but I don't think it's reasonable to claim that it doesn't overlap with availability (as availability has been defined for many years). Of course, if we were to define availability to be only concerned with hardware malfunctions, then sure, all the software and humanware malfunctions would not count as availability breaches, and we'd need a new name (like utility). But I don't see (at least in the article) any evidence of careful delineation.
I should emphasise that I'm not suggesting CIA is the best or only set of attributes, or even that they're non-overlapping. It all depends on the particular model you want to use for your system. The more complex your model, the more non-overlapping attributes you can have. Different models can help us think about different sets of threats and countermeasures. But I think that it takes careful work to come up with a model where the different attributes are defined and distinguished. I see no evidence that this work has been done for the Hexad, and so it seems unreasonable to claim that the 'new' attributes are "atomic" and "non-overlapping".
John Y 19:23, 17 March 2007 (UTC)
- I agree with John. I guess it's Parker's assertion that these new elements are "atomic" and "non-overlapping"; if so, the article should state that. Another flaw is that the hexad doesn't take account of two other elements added to the CIA triad: accountability, to give CIA2; assurance (not information assurance, but more in the sense of quality assurance), to give CIA3. The former is quite common in the literature; the latter introduced (I think) in NIST SP 800-33: Underlying Technical Models for Information Technology Security. --Ant (talk) 22:33, 18 December 2007 (UTC)

