Parkerian Hexad

{{Short description|Concept in information security}}

The Parkerian Hexad is a set of six elements of information security proposed by Donn B. Parker in 1998.{{Cite book |last=Parker |first=Donn B. |title=Fighting computer crime: a new framework for protecting information |date=1998 |publisher=J. Wiley & sons |isbn=978-0-471-16378-7 |location=New York Chichester Weinheim |pages=15}}{{Cite web |last=Parker |first=Donn |date=July 2010 |title=Our excessively simplistic information security model and how to fix it |url=https://mydigitalpublication.com/publication/?i=41813&p=12&pp=1&view=issueViewer |archive-url=https://web.archive.org/web/20101231201957/http://www.issa.org/images/upload/files/Parker-Simplistic%20Information%20Security%20Model.pdf |archive-date=31 Dec 2010 |access-date=2025-02-04 |website=The ISSA Journal |page=16 |language=en-US}} The Parkerian Hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).

The Parkerian Hexad attributes are the following:

  • Confidentiality
  • Possession or Control
  • Integrity
  • Authenticity
  • Availability
  • Utility

These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.{{Cite book |last=Ruparelia |first=Nayan B. |url=http://www.jstor.org/stable/j.ctt1c2cqk4 |title=Cloud Computing |date=2016 |publisher=The MIT Press |isbn=978-0-262-52909-9 |pages=105|jstor=j.ctt1c2cqk4 }}

Attributes from the CIA triad

{{see|CIA triad}}

=Confidentiality=

Confidentiality refers to the "quality or state of being private or secret; known only to a limited few", or "the property that information is not made available or disclosed to unauthorized individuals, entities, or processes".{{Cite web |last=Pender-Bey |first=Georgie |title=THE PARKERIAN HEXAD. The CIA Triad Model Expanded |url=http://cs.lewisu.edu/mathcs/msisprojects/papers/georgiependerbey.pdf |access-date=2025-02-09 |website=Lewis University}}

For example:

  • If an enterprise's strategic plans are leaked to competitors then this is a breach of confidentiality;
  • If unauthorized persons gain access to an individual's financial records then that individual's confidentiality is breached.

=Integrity=

Integrity refers to being correct or consistent with the intended state of information. Any unauthorized modification of data, whether deliberate or accidental, is a breach of data integrity.

For example:

  • Data stored on disk are expected to be stable. If the data are changed at random by problems with a disk controller, then this is a breach of integrity;
  • Data generated by a medical device is transmitted and stored in the healthcare center but neither altered nor tampered with;{{Cn|date=April 2025}}
  • Application programs are supposed to record information correctly. If the application introduces deviations from the intended values then this is a breach of integrity.

"From Donn Parker: My definition of information integrity comes from the dictionaries. Integrity means that the information is whole, sound, and unimpaired (not necessarily correct). It means nothing is missing from the information it is complete and in intended good order".{{cite book | last1 = Hintzbergen | first1 = Jule | last2 = Hintzbergen | first2 = Kees | last3 = Baars | first3 = Hans | last4 = Smulders | first4 = André | title = Foundations of Information Security Based on Iso27001 and Iso27002 | publisher = Van Haren Publishing | series = Best Practice | year = 2010 | page = 13 | isbn = 978-90-8753-568-1 }}

=Availability=

Availability means having timely access to information.

For example:

  • A disk crash and a denial-of-service attack both cause a breach of availability. Any delay in the response of a system that exceeds the expected service levels for that system can be described as a breach of availability.
  • GPS jamming can lead to loss of availability of the GPS system.{{Cite journal |last1=Kessler |first1=Gary C. |last2=Craiger |first2=Philip |last3=Haass |first3=Jon C. |date=2018 |title=A Taxonomy Framework for Maritime Cybersecurity: A Demonstration Using the Automatic Identification System |url=http://www.transnav.eu/Article_A_Taxonomy_Framework_for_Maritime_Kessler,47,826.html |journal=TransNav |language=en |volume=12 |issue=3 |pages=429–437 |doi=10.12716/1001.12.03.01 |issn=2083-6473}}

Parker's added attributes

=Authenticity=

Authenticity is the "quality of being authentic or of established authority for truth and correctness".{{Cite journal |last=Dardick |first=Glenn S. |date=2010 |title=Cyber Forensics Assurance |url=http://ro.ecu.edu.au/adf/77 |journal=8th Australian Digital Forensics Conference |volume=Edith Cowan University |pages=November 30th 2010 |doi=10.4225/75/57B2926C40CDA}} Parker defines it thus: "is the information genuine and accurate? Does it conform to reality and have validity?" and "authoritative, valid, true, real, genuine, or worthy of acceptance or belief by reason of conformity to fact and reality".

=Possession or control=

Possession or control refers to the loss of data by the authorized user (even if the "thief" cannot access the data).{{Cite journal |last1=Kessler |first1=Gary C. |last2=Craiger |first2=Philip |last3=Haass |first3=Jon C. |date=2018 |title=A Taxonomy Framework for Maritime Cybersecurity: A Demonstration Using the Automatic Identification System |url=http://www.transnav.eu/Article_A_Taxonomy_Framework_for_Maritime_Kessler,47,826.html |journal=TransNav |language=en |volume=12 |issue=3 |pages=429–437 |doi=10.12716/1001.12.03.01 |issn=2083-6473}} From a control systems perspective, it is any loss of control (the ability to change settings and functions) or loss of view (the ability to monitor the system’s operation and its response to controls).{{Cite journal |last=Boyes |first=Hugh |title=Security, Privacy, and the Built Environment |url=https://ieeexplore.ieee.org/document/7116472 |journal=IT Professional |date=2015 |volume=17 |issue=3 |pages=25–31 |doi=10.1109/MITP.2015.49 |issn=1520-9202}}

Suppose a thief were to steal a sealed envelope containing a bank debit card and its personal identification number. Even if the thief did not open that envelope, it's reasonable for the victim to be concerned that the thief could do so at any time. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.

=Utility=

{{see also|Data quality}}

Utility refers to the data's usefulness.

For example:

  • Suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications, and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available; they just wouldn't be useful in that form.
  • The conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM.
  • A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data.

Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.{{Cite book |last1=Baars |first1=Hans |title=Foundations of Information Security Based on ISO27001 and ISO27002 |last2=Hintzbergen |first2=Jule |last3=Hintzbergen |first3=Kees |last4=Smulders |first4=André |publisher=Van Haren Publishing |year=2012 |isbn=978-9087536343 |page=14}}
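The distinction can be checked mechanically. The following is an added example, not part of the original article, built on the EBCDIC-instead-of-ASCII case above: a record stored in the wrong encoding passes an availability check and a hash-based integrity check yet fails a utility check. The record layout and the names `store`, `assess` and `restore_utility` are assumptions made for illustration.

```python
import hashlib

# Constructed sample record, in the form the consuming application expects (ASCII).
RECORD = "employee=1042;salary=58000;currency=USD"
REQUIRED = ("employee", "salary", "currency")


def store(text, codec):
    """Encode a record for storage; return (stored bytes, SHA-256 recorded at write time)."""
    blob = text.encode(codec)
    return blob, hashlib.sha256(blob).hexdigest()


def assess(blob, recorded_digest):
    """Evaluate availability, integrity and utility of one stored record separately."""
    available = bool(blob)  # the bytes can be retrieved at all
    # Integrity: the stored bytes are unimpaired since they were written.
    intact = available and hashlib.sha256(blob).hexdigest() == recorded_digest
    # Utility: the consumer, which reads ASCII key=value pairs, can actually use them.
    try:
        pairs = dict(p.split("=", 1) for p in blob.decode("ascii").split(";") if "=" in p)
        useful = all(k in pairs for k in REQUIRED)
    except (UnicodeDecodeError, AttributeError):
        useful = False
    return {"availability": available, "integrity": intact, "utility": useful}


def restore_utility(blob):
    """Convert an EBCDIC (code page 037) record to ASCII and re-record its digest."""
    return store(blob.decode("cp037"), "ascii")


if __name__ == "__main__":
    for label, codec in (("ascii", "ascii"), ("ebcdic", "cp037")):
        blob, digest = store(RECORD, codec)
        print(label, assess(blob, digest))
    print("converted", assess(*restore_utility(store(RECORD, "cp037")[0])))
```

Monitoring that only tests reachability and checksums would report the EBCDIC record as healthy; a format check against what the consumer expects is what surfaces the utility breach.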

References

{{Reflist}}

Further reading

  • {{cite web | last = Pender-Bey | first = George | url = http://cs.lewisu.edu/mathcs/msisprojects/papers/georgiependerbey.pdf | title = The Parkerian Hexad, the CIA Triad Model Expanded -- MSc thesis }}
  • {{cite book | last = Parker | first = Donn B. | title = Fighting Computer Crime | location = New York, NY | publisher = John Wiley & Sons | year = 1998 | isbn = 0-471-16378-3 }} The work in which Parker introduced this model.
  • {{cite book | last = Parker | first = Donn B. | chapter-url = http://www.computersecurityhandbook.com/csh4/chapter5.html | chapter = Toward a New Framework for Information Security | url = http://www.computersecurityhandbook.com/default.html | title = The Computer Security Handbook | edition = 4th | editor1-first = Seymour | editor1-last = Bosworth | editor2-first = M. E. | editor2-last = Kabay | location = New York, NY | publisher = John Wiley & Sons | year = 2002 | isbn = 0-471-41258-9 }}
