Parkerian Hexad

Last updated

The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker in 1998. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).

Contents

The Parkerian Hexad attributes are the following:

These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.

Attributes from the CIA triad

Confidentiality

Confidentiality refers to limits on who can get what kind of information. For example, executives concerned about protecting their enterprise's strategic plans from competitors; individuals are concerned about unauthorized access to their financial records.

Integrity

Integrity refers to being correct or consistent with the intended state of information. Any unauthorized modification of data, whether deliberate or accidental, is a breach of data integrity. For example, data stored on disk are expected to be stable – they are not supposed to be changed at random by problems with a disk controller. Similarly, application programs are supposed to record information correctly and not introduce deviations from the intended values.

From Donn Parker: "My definition of information integrity comes from the dictionaries. Integrity means that the information is whole, sound, and unimpaired (not necessarily correct). It means nothing is missing from the information it is complete and in intended good order." The author's statement comes close in saying that the information is in a correct...state. Information may be incorrect or not authentic but have integrity or correct and authentic but lacking in integrity. [1]

Availability

Availability means having timely access to information. For example, a disk crash or denial-of-service attacks both cause a breach of availability. Any delay that exceeds the expected service levels for a system can be described as a breach of availability.

Parker's added attributes

Authenticity

Authenticity refers to the veracity of the claim of origin or authorship of the information. For example, one method for verifying the authorship of a hand written document is to compare the handwriting characteristics of the document to a sampling of others which have already been verified. For electronic information, a digital signature could be used to verify the authorship of a digital document using public-key cryptography (could also be used to verify the integrity of the document).

Possession or control

Possession or control: Suppose a thief were to steal a sealed envelope containing a bank debit card and its personal identification number. Even if the thief did not open that envelope, it's reasonable for the victim to be concerned that the thief could do so at any time. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.

Utility

Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications–and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available–they just wouldn't be useful in that form. Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.

See also

Related Research Articles

<span class="mw-page-title-main">Encryption</span> Process of converting plaintext to ciphertext

In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g., electronic or physical, tangible, or intangible. Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process that involves:

In law, non-repudiation is a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract. The term is often seen in a legal setting when the authenticity of a signature is being challenged. In such an instance, the authenticity is being "repudiated".

<span class="mw-page-title-main">Identity theft</span> Deliberate use of someone elses identity, usually as a method to gain a financial advantage

Identity theft, identity piracy or identity infringement occurs when someone uses another's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964. Since that time, the definition of identity theft has been legally defined throughout both the U.K. and the U.S. as the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a method to gain financial advantages or obtain credit and other benefits. The person whose identity has been stolen may suffer adverse consequences, especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources.

Electronic business is any kind of business or commercial transaction that includes sharing information across the internet. Commerce constitutes the exchange of products and services between businesses, groups, and individuals and can be seen as one of the essential activities of any business.

A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of Confidentiality, Integrity, and Availability. For example, the Bell-La Padula model is a confidentiality policy model, whereas the Biba model is an integrity policy model.

In cryptography, signcryption is a public-key primitive that simultaneously performs the functions of both digital signature and encryption.

Security testing is a process intended to detect flaws in the security mechanisms of an information system and as such help enable it to protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing process is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

<span class="mw-page-title-main">McCumber cube</span>

In 1991, John McCumber created a model framework for establishing and evaluating information security programs, now known as The McCumber Cube. This security model is depicted as a three-dimensional Rubik's Cube-like grid.

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. IA encompasses both digital protections and physical techniques. These methods apply to data in transit, both physical and electronic forms, as well as data at rest. IA is best thought of as a superset of information security, and as the business outcome of information risk management.

Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

Anti-computer forensics or counter-forensics are techniques used to obstruct forensic analysis.

STRIDE is a model for identifying computer security threats developed by Praerit Garg and Loren Kohnfelder at Microsoft. It provides a mnemonic for security threats in six categories.

Secure USB flash drives protect the data stored on them from access by unauthorized users. USB flash drive products have been on the market since 2000, and their use is increasing exponentially. As both consumers and businesses have increased demand for these drives, manufacturers are producing faster devices with greater data storage capacities.

geli is a block device-layer disk encryption system written for FreeBSD, introduced in version 6.0. It uses the GEOM disk framework. It was designed and implemented by Paweł Jakub Dawidek.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Donn B. Parker was an information security researcher and consultant and a 2001 Fellow of the Association for Computing Machinery. Parker had over 50 years of experience in the computer field in computer programming, computer systems management, consulting, teaching, and research.

Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers as defined by ITU-T X.800 Recommendation.
X.800 and ISO 7498-2 are technically aligned. This model is widely recognized

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

<span class="mw-page-title-main">Levels of identity security</span>

The security features governing the security of an identity can be divided into three levels of security, i.e. Level 1 Security (L1S) (Overt), Level 2 Security (L2S) (Covert) and Level 3 Security (L3S) (Forensic). The three levels of security, in combination, provide comprehensive security coverage for identities and related documents to ensure their validity and authenticity. These are typically used to protect identity information on crucial documents such as identity cards, driving licenses and passports to ensure originality and accuracy of the identities they represent. The diagram below illustrates the different levels of security and how they ensure complete security coverage of an identity.

References

  1. Hintzbergen, Jule; Hintzbergen, Kees; Baars, Hans; Smulders, André (2010). Foundations of Information Security Based on Iso27001 and Iso27002. Best Practice. Van Haren Publishing. p. 13. ISBN   978-90-8753-568-1.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.