Parkerian Hexad

From Wikipedia, the free encyclopedia

The Parkerian Hexad is a set of six elements of information security proposed by Donn B. Parker in 1998.[1][2] It adds three attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).

The Parkerian Hexad attributes are the following:

  • Confidentiality
  • Possession or Control
  • Integrity
  • Authenticity
  • Availability
  • Utility

These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.[3]

Attributes from the CIA triad


Confidentiality

Confidentiality refers to the "quality or state of being private or secret; known only to a limited few",[2] or "the property that information is not made available or disclosed to unauthorized individuals, entities, or processes".[4]

For example:

  • If an enterprise's strategic plans are leaked to competitors then this is a breach of confidentiality;
  • If unauthorized persons gain access to an individual's financial records then that individual's confidentiality is breached.[1]

Integrity

Integrity refers to being correct or consistent with the intended state of information. Any unauthorized modification of data, whether deliberate or accidental, is a breach of data integrity.

For example:

  • Data stored on disk are expected to remain stable. If the data are changed at random by a faulty disk controller, this is a breach of integrity;
  • Data generated by a medical device must arrive at, and be stored in, the healthcare center neither altered nor tampered with; any change in transit or at rest is a breach of integrity;[5]
  • Application programs are supposed to record information correctly. If the application introduces deviations from the intended values then this is a breach of integrity.[6]

"From Donn Parker: My definition of information integrity comes from the dictionaries. Integrity means that the information is whole, sound, and unimpaired (not necessarily correct). It means nothing is missing from the information; it is complete and in intended good order".[7]

Availability

Availability means having timely access to information.

For example:

  • A disk crash and a denial-of-service attack both cause a breach of availability. Any delay in a system's response that exceeds the expected service levels for that system can be described as a breach of availability.
  • GPS jamming can lead to loss of availability of the GPS system.[8]

Parker's added attributes


Authenticity

Authenticity is the "quality of being authentic or of established authority for truth and correctness".[9] Parker defines it thus: "is the information genuine and accurate? Does it conform to reality and have validity?"[1] and "authoritative, valid, true, real, genuine, or worthy of acceptance or belief by reason of conformity to fact and reality".[2]
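The distinction between integrity (whole and unimpaired, in Parker's sense) and authenticity (genuine, from the claimed source) is easy to state and easy to get wrong in practice. The following Python example is added here to make it concrete; it is not part of the original article and does not come from Parker. It seals a constructed record from a hypothetical medical device (the `DEVICE_KEY`, `RECORD` values and the scenario functions are all made up for the example) with two checks: an unkeyed SHA-256 digest, which only tells you whether the stored bytes are still the bytes that were written, and an HMAC keyed with a secret shared between the device and the healthcare center, which additionally tells you whether a key holder produced them. The three scenarios show an intact record, the random disk corruption from the integrity section, and a forgery by someone who can recompute the plain digest.

```python
"""Integrity versus authenticity: a constructed Parkerian Hexad example.

Added example, not from the original article. Values below are made up.
"""
import hashlib
import hmac
import json

# Hypothetical shared secret between the device and the healthcare center.
DEVICE_KEY = b"example-shared-secret-not-a-real-key"

# Constructed sample record from a hypothetical medical device.
RECORD = {"patient_id": "P-0001", "glucose_mg_dl": 95, "unit_id": "dev-17"}


def canonical(record: dict) -> bytes:
    """Serialise deterministically so both parties hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Attach an unkeyed digest (integrity) and a keyed tag (authenticity)."""
    data = canonical(record)
    return {
        "record": dict(record),  # copy, so scenarios cannot mutate RECORD
        "sha256": hashlib.sha256(data).hexdigest(),
        "hmac": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }


def check(sealed: dict, key: bytes) -> dict:
    """Report whether the integrity digest and the authenticity tag still verify."""
    data = canonical(sealed["record"])
    integrity = hmac.compare_digest(
        hashlib.sha256(data).hexdigest(), sealed["sha256"])
    authenticity = hmac.compare_digest(
        hmac.new(key, data, hashlib.sha256).hexdigest(), sealed["hmac"])
    return {"integrity": integrity, "authenticity": authenticity}


def scenario_intact() -> dict:
    """Record stored and read back unchanged: both attributes hold."""
    return check(seal(RECORD, DEVICE_KEY), DEVICE_KEY)


def scenario_disk_corruption() -> dict:
    """The disk-controller example: a stored value changes at random.

    The bytes no longer match the digest, so integrity fails; the keyed tag
    was computed over the original bytes, so authenticity fails as well.
    """
    sealed = seal(RECORD, DEVICE_KEY)
    sealed["record"]["glucose_mg_dl"] = 59  # digits transposed by the fault
    return check(sealed, DEVICE_KEY)


def scenario_forged() -> dict:
    """Someone without the key rewrites the record and recomputes the digest.

    The record is whole and self-consistent, so the unkeyed digest verifies:
    nothing about it is "impaired" in Parker's sense. It is not genuine,
    though, and only the keyed tag reveals that.
    """
    sealed = seal(RECORD, DEVICE_KEY)
    sealed["record"]["glucose_mg_dl"] = 400
    sealed["sha256"] = hashlib.sha256(canonical(sealed["record"])).hexdigest()
    return check(sealed, DEVICE_KEY)


if __name__ == "__main__":
    for name, fn in [("intact", scenario_intact),
                     ("disk corruption", scenario_disk_corruption),
                     ("forged", scenario_forged)]:
        print(f"{name:16s} {fn()}")
```

The practical point is the third scenario: an unkeyed digest, checksum or CRC can only detect that data are not what was written, which is an integrity control; it cannot say who wrote them. Anyone who can alter the data can usually recompute the digest too, so establishing authenticity needs a key the forger does not hold (an HMAC as here, or a digital signature), and a verifier that checks the keyed tag rather than trusting the digest alone.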

Possession or control

Possession or control refers to the authorized user's custody of the data; it is breached when the data are taken out of that user's control, even if the "thief" cannot read them.[10] From a control-systems perspective, a breach is any loss of control (the ability to change settings and functions) or loss of view (the ability to monitor the system's operation and its response to controls).[11]

Suppose a thief were to steal a sealed envelope containing a bank debit card and its personal identification number. Even if the thief did not open that envelope, it is reasonable for the victim to be concerned that the thief could do so at any time. That situation illustrates a loss of control or possession of information but does not by itself involve a breach of confidentiality.

Utility

Utility refers to the data's usefulness.

For example:

  • Suppose someone encrypted data on disk to prevent unauthorized access or undetected modification, and then lost the decryption key: that would be a breach of utility.[4] The data would still be confidential, controlled, intact, authentic, and available; they just would not be useful in that form.
  • The conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would storing data in a format inappropriate for a specific computer architecture, e.g., EBCDIC instead of ASCII, or on 9-track magnetic tape instead of DVD-ROM.
  • A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data.

Utility is often confused with availability because breaches such as those in these examples may also take time to work around the change in data format or presentation. However, usefulness is a concept distinct from availability.[6]
