Saturday, October 29, 2022

Understanding the CIA Triad: Is a new model required?

The convergence of the CIA Triad (i.e., Confidentiality, Integrity, and Availability) into a single conceptual model is a product of time. The three principles did not arrive at once. Rather, they were a progression that started in 1976, when a US Air Force study introduced the Confidentiality principle. Subsequently, in 1987, the Integrity principle followed after commercial computing professionals recognized the need to focus on data correctness. Soon after, in 1988, when the Morris worm wreaked havoc on many Unix machines and the internet, the Availability principle followed suit [1].

The CIA Triad's simplicity in explaining the importance of information security is persistent. Many professional organizations, such as ISACA and (ISC)2, continue to use it to explain information security concepts. Even the National Institute of Standards and Technology (NIST) Special Publication 800-12 Revision 1 (An Introduction to Information Security) refers to these three principles as essential terminology for anyone delving into information security [2, p. 2]. In the same way, the NIST National Vulnerability Database (NVD) refers to the CIA Triad when assigning scores with the Common Vulnerability Scoring System (CVSS) Calculator (refer to its Base Score Metrics, Temporal Score Metrics, and Environmental Score Metrics; see also NIST SP 800-126, The Technical Specification for the Security Content Automation Protocol, SCAP).

Like any framework or concept, the CIA Triad is not immune to challenge, to the extent that many have assailed it and questioned its present-day relevance. Those who have assailed this conceptual model include Professors M. E. Whitman and H. J. Mattord. They argued that the existing CIA Triad model is no longer adequate for addressing current information security needs because of the constantly changing environment [3, p. 11]. In 2013, Cherdantseva et al. proposed a new reference model for information assurance and security. They endeavored to overcome the limitations of the CIA Triad's conceptual model and to address recent trends in the evolution of Information Assurance and Security, notably Diversification and De-perimeterisation. They called their proposal the Reference Model of Information Assurance and Security (RMIAS) [4, p. 547]. However, their article did not delve further into these two concepts (i.e., diversification and de-perimeterisation). Furthermore, looking at their graphical illustration, common folk could quickly get a head spin. Much earlier, in 1983, Dr. Donn P. Parker introduced a new framework extending the CIA Triad [5]. His framework, known as the Parkerian Hexad, incorporated three additional concepts: authenticity (i.e., the proper attribution of the person who created the information), utility (i.e., the usefulness of the information), and possession or control (i.e., the physical state in which the information is maintained).

Understandably, concepts do change over time. Take, for example, the V's of Big Data. Initially, there were only three V's of Big Data, but the list has now expanded to as many as ten V's [6]. However, any Big Data professional could quickly and distinctly explain what makes each V unique. This distinctiveness is not the case for the CIA Triad. Each concept within the CIA Triad affects the other concepts within it. Take, for example, Confidentiality and Integrity: confidential data or information (Confidentiality) must maintain its Integrity to serve any purpose. Many information security professionals could easily explain the interaction of the Confidentiality and Integrity concepts, even to the uninitiated. Likewise, any information security professional could quickly fold in the additional concepts proposed by Dr. Parker. Take, for example, Authenticity, which anyone could easily couch as an element of Integrity. Usefulness is, of course, a given for any data and information collected. It is an implicit part of the whole CIA Triad conceptual model. After all, why collect anything if it is not useful or relevant?

Many academic works have produced other information security frameworks and models (aside from the two cited above). However, all these frameworks and concepts share the same fundamental purpose. They all aim to characterize information security risks, but their efforts only unnecessarily complicate the understanding of those risks. Introducing additional elements, as a result, only makes it harder to explain information security risks to ordinary individuals, because the expanded concept is more difficult to relate to and understand [7]. Thus, keeping the current concept while expanding each element of the CIA Triad is better than introducing additional components.

Following the principle of Occam's razor, we should always prefer concepts that have few parameters and, at the same time, are easy to explain. The existing CIA Triad meets this requirement, which keeps it well suited to present needs because of its simplicity and relatability. New concepts introduced by researchers can easily be integrated into one of the CIA elements.

REFERENCES

[1] Walkowskie, Debbie, "What is The CIA Triad? - Definition and Examples," Technology & IT Blog - siteskills, Dec. 05, 2020. https://siteskills.net/2020/12/05/what-is-the-cia-triad-definition-and-examples/ (accessed Oct. 09, 2022).

[2] National Institute of Standards and Technology, K. Dempsey, and V. Y. Pillitteri, "NIST An introduction to information security," National Institute of Standards and Technology, Gaithersburg, MD, NIST SP 800-12r1, Jun. 2017. doi: 10.6028/NIST.SP.800-12r1.

[3] M. E. Whitman and H. J. Mattord, Principles of Information Security, 6th Edition. Course Technology, 2017. Accessed: Jun. 10, 2022. [Online].

[4] Y. Cherdantseva and J. Hilton, "A Reference Model of Information Assurance & Security," in 2013 International Conference on Availability, Reliability and Security, Regensburg, Germany, Sep. 2013, pp. 546–555. doi: 10.1109/ARES.2013.72.

[5] D. B. Parker, Fighting Computer Crime (A New Framework for Protecting Information). New York, NY: John Wiley & Sons, 1983. Accessed: Oct. 09, 2022. [Online]. Available: https://www.ojp.gov/ncjrs/virtual-library/abstracts/fighting-computer-crime

[6] TechTarget Network, "The Ultimate Guide to Big Data for Businesses," 2022. https://www.techtarget.com/searchdatamanagement/pro/The-Ultimate-Guide-to-Big-Data-for-Businesses?vgnextfmt=confirmation (accessed May 22, 2022).

[7] J. Andress, The Basics of Information Security. Boston: Syngress, 2014. doi: 10.1016/B978-0-12-800744-0.00001-4.

Wednesday, December 4, 2019

Cheat Sheet for the IIBA Agile Analysis Certification
Hi Guys!

Let me know if you are interested in viewing the cheat sheet I prepared for the IIBA AAC Examination. I basically tried to summarize the Agile Extension to the BABOK Guide in my attempt to understand it easily. Of course, I do not assume any responsibility for your use of this material.

My email is amvillamorjr@yahoo.com.

It is my contribution to those who aspire to become an IIBA AAC.

Regards,
Tony
Friday, January 20, 2012

Incentivized Consumerism

I have been seeing this word floating around for a while now. I guess, my point being, is that I am struggling with this concept.

Essentially, what I understand is that because I pay you for whatever I consume, which obviously comes from the product you sell, I receive some incentive. If that is what is meant, how does it differ from words like rebate or discount? Have these two words become passé in the consumerist world we live in, so that we have to glamorize such terms?

I still long for a company that is owned by the people, or at least by its members; of course, non-members can shop at that company. However, the difference is that, at the end of the year, on the occasion when it announces its profit, members get their share of the company's earnings. Their share of the earnings is obviously proportionate to their share of the capital and the amount they purchased from the company. I guess this concept is a lot better than that of the proponents of "incentivized consumerism," where at the end of the day the only thing consumers get is a rebate or discount, if they are lucky. Worse is when they get some company memorabilia such as a key chain, t-shirt, or note pad, thus ending up not only as an "incentivized consumer" but as a marketing vehicle as well.

A prosperous New Year - 2012

Well, the title is not really about greeting you, but it can be taken that way. Actually, it is in fact me telling myself and affirming that 2012 is really a good year for me.

The year 2012 was welcomed by me taking ownership of a plot of land on Bantayan Island. It is initially a 300 square meter lot that will become an 800 square meter lot if my mother successfully procures the adjacent lot on my behalf. We were having our usual family vacation on Bantayan Island, Cebu, when we chanced upon those lots at a price favorable to my pocket. I have been searching for a sizable plot of land outside Manila in preparation for my early retirement, but to no success. Options to have a property on Panglao Island, in Batangas, or in Bolinao did not come to fruition. But Bantayan Island did. Interestingly, a few kilometers away from the property I bought is the birthplace of my grandfather on my mother's side -- I guess I am being called upon to come back and help his community.

The next acquisition I made was a second-hand Mazda pick-up, which I hope to use for transport when I move there. In retrospect, I guess I purchased this item sooner than I needed it. I am still 21 months away from my planned retirement but hope that I will make use of it while it is parked in my uncle's garage in Cebu.

Saturday, June 19, 2010

Juba, South Sudan

It is already 2:15 PM and I am still lying in my bed. Nothing in particular is interesting here, as always. I came back last night from Havana, where I watched the game between Algeria and England. The result was drama. Today, I remember, is also my youngest sister's birthday.

Still, I am preoccupied by thoughts of going to Kathmandu. I am so excited, yet I still have not booked a flight. I am still not sure whether to travel on July 23 or July 30. That all depends on how my schedule will be in the weeks to follow. At least I have an idea of how much it would cost to travel to Kathmandu from here, and I have also found out how best to book the travel cheaply.

Lately, after being here in Juba since May 17, I am always lost in thought with regard to work. I have no idea what is entering my mind. The only thing I know is that, work-wise, it is overwhelming, and having any coherence about where to start and how to finish what I have started is just beyond my brain.

Yesterday, I received a letter from Nilda. It is to be sent to her brother, who lives in Manila. Of course, I am privy to the content. The letter was handwritten, so I need to type it up and send it by email. I am not going to delve into its content, but in summary I see her struggles and feel her wanting to come back to her home country. There are many obstacles to it, but she is being patient. In the end, she finished the letter on a high and positive note. I am keeping it so that I can give her brother the original document, as proof that it was my source.

In a few more hours, our generator will be turned off. It is part of the usual routine. Thus, it will be my time to do my own exercise. One needs to be conscious of one's physical health here in Juba; otherwise this place just wears you down.

I will try to find a way to make my stay here more endearing, and the work more interesting. In the end, I came here to make a difference in our workplace and for the people whom we serve.

I just hope I will be successful.

Saturday, December 5, 2009

November 25, 2009 - A Filipina named Nilda

This blog entry is not about me. This blog entry is about Nilda — a Filipina who has lived in Juba, South Sudan, for over two decades and is married to a South Sudanese. I was so ecstatic to meet her this morning. Another Filipina colleague mentioned her to me this morning while we were having breakfast. She had met Nilda yesterday in a hospital, preparing food for some of the patients. My colleague was visiting another colleague whose daughter was down with malaria. On our way to work, during our daily 15-minute walking commute to the office, we took a quick detour and visited her at her house, since it was along our way. Her place is not extraordinary. She lives in a compound among arrays of tukuls (homes made of mud). A simple way of life is what she lives. She is not married to any big shot in Sudanese society. She met her Sudanese husband in the Philippines while both were students at UPLB. She is like Emma in the biographical novel Emma's War, except that Emma was married to a warlord and was living the high life.

We saw her outside while she was washing her dishes. Like in all the other houses here, you have to do your dishes and laundry outside. There is no running water, let alone a faucet attached to your kitchen sink or a pipe to your washing machine. Let us not go into the details of how one does one's morning constitution. She was sitting in a squat position, rinsing the dishes, when we greeted her. She was happy to see us. I introduced myself, and she extended her wet hands (sans the soap suds). We shook hands, which is the customary gesture of greeting, with no beso-beso. She said she seldom sees Filipinos, and that, like us, most Filipinos she has met are associated with the humanitarian sector.

I wouldn't blame her; who wants to be here in Juba in the first place? I said it to myself quietly, since this place has no amenities. We talked in Tagalog (as she prefers to call the language, given that the politically correct name for it is Filipino). However, she gave us the option to speak in Visaya, Juba Arabic, or Classical Arabic, and promptly explained the subtle differences between the two forms of Arabic. She said she has not been back home in 22 years, although she makes regular phone calls to her brothers and sisters who still live in Manila.

Remember, this place is Juba, South Sudan. This city is not Geneva, Rome, New York, Washington DC, or Singapore, where once you step out of your office building you are certain to bump into a Filipino clinging to their designer wear. Rather, this country has been ravaged by war for the last five decades. This country only signed its peace deal with its northern counterpart four years ago, and the situation is still volatile. Whether there is even a sliver of a peaceful future is still a big question. Infrastructure is very basic. The roads are just being constructed, and you are certain to get muddied during the rainy season, which is now. In addition, electricity is intermittent. To work here, we must rely on our fuel generators for electrical supply. Meeting her today was such an inspiring moment. In my ten years of working in the international humanitarian arena, I have met no other compatriot like her. I cannot wait to see her again tonight to hear more of her stories. I want to know more about her background, her four children, her life during the war, and more about her existence in Sudan. I think I have found my own Emma — a Filipina named Nilda.