The convergence of the CIA Triad (i.e., Confidentiality, Integrity, and Availability) as a conceptual model is a product of time. They did not come instantly. Rather, they were a progression that started in 1976 after a US Air Force Study introduced the Confidentiality principle. Subsequently, in 1987, the Integrity principle came after commercial computing professionals realized the need to focus on data correctness. Soon, in 1988, after the Morris worm attack caused havoc to many Unix machines and the internet, the Availability principle followed suit [1].
The CIA Triad's simplicity in explaining information security's importance is persistent. Many professional organizations, such as ISACA and (ISC)2, continue using it to explain information security concepts. Even the National Institute of Standard Technology (NIST) Special Publication 800-12 Revision 1 (An Introduction to Information Security) refers to these three principles as important terminology for anyone delving into information security [2, p. 2]. In the same way, NIST National Vulnerability Database (NVD) refers to the CIA Triad when assigning scores using the Common Vulnerability Scoring System Calculator (please click this link and refer to Base Score Metrics, Temporal Score Metrics, and Environmental Score Metrics. Also, please refer to NIST SP 800-126: The Technical Specification for Security Content Automation Protocol - SCAP).
Like any framework and concept, the CIA Triad is not immune to challenge to the extent many have assailed and questioned its present-time relevance. Those who assailed this conceptual model include Professors M. E. Whitman and H. J. Mattord. They said that the existing CIA Triad Model is no longer adequate in addressing the current information security need because of the constantly changing environment [3, p. 11]. In 2013, Cherdantseva et al. proposed a new reference model for information and security. They endeavored to overcome the limitation of the CIA Triad's conceptual model and address the recent trends in the Information Assurance and Security evolution, notably Diversification and De-perimeterisation. They called their proposal a Reference Model of Information Assurance and Security (RMIAS) [4, p. 547]. However, their article did not delve further into these concepts (i.e., diversification and de-perimeterisation). Furthermore, looking at their graphical illustration, common folk could quickly get a head spin. Much earlier, in 1983, Dr. Donn P. Parker introduced a new framework extending the CIA Triad [5]. His framework, known as the Parkerian Hexad, incorporated three additional concepts. These three additional concepts are authenticity (i.e., the proper attribution of the person who created the information), utility (i.e., the usefulness of the information), and possession or control (i.e., the physical state where the information is maintained).
Understandably, concepts do change over time. Take, for example, the V's of Big Data. Initially, there were only three V's of Big Data, but now expanded to as many as ten V's [6]. However, any Big Data professionals could quickly and discretely explain each V's of Big Data's uniqueness. This distinctiveness is not the case for the CIA Triad. Each concept within the CIA Triad impacts the other concepts within it. Say, for example, Confidentiality and Integrity (i.e., confidential data or information - Confidentiality - must maintain its Integrity to have a purpose). Many information security professionals could easily explain the interaction of Confidentiality and Integrity concepts, even to the uninitiated. Likewise, any information security professional could quickly entrench the additional concepts proposed by Dr. Parker. Take, for example, Authenticity, which anyone could easily couch this concept as an element of Integrity. Usefulness is, of course, a given part of any data and information collected. It is an implicit part of the whole CIA Triad conceptual model. After all, why collect anything if it is not useful or relevant?
Many academic works have produced other information security frameworks and models (aside from those two concepts/frameworks cited above). However, all these frameworks and concepts have the same fundamental purpose. They all aim to characterize information security risks, but their efforts only unnecessarily complicate the understanding of information security risks. Introducing additional elements, as a result, only made it difficult to explain information security risks to ordinary individuals because the expanded concept would be difficult to relate to and understand [7]. Thus, maintaining the current concept but expanding each element of the CIA Triad is better than introducing additional components.
Following Occam's razor principle, we should always make preferences on concepts with few parameters and, at the same time, are easy to explain. The existing CIA Triad fits this Occam's razor principle requirement, making it still well relevant for the present need because of its simplicity and relatability. New concepts introduced by researchers could easily be integrated with one of the CIA elements.
REFERENCES
[1] Walkowskie, Debbie, "What is The CIA Triad? - Definition and Examples," Technology & IT Blog - siteskills, Dec. 05, 2020. https://siteskills.net/2020/12/05/what-is-the-cia-triad-definition-and-examples/ (accessed Oct. 09, 2022).
[2] National Institute of Standards and Technology, K. Dempsey, and V. Y. Pillitteri, "NIST An introduction to information security," National Institute of Standards and Technology, Gaithersburg, MD, NIST SP 800-12r1, Jun. 2017. doi: 10.6028/NIST.SP.800-12r1.
[3] M. E. Whitman and H. J. Mattord, Principles of Information Security, 6th Edition, 6th Edition. Course Technology, 2017. Accessed: Jun. 10, 2022. [Online].
[4] Y. Cherdantseva and J. Hilton, "A Reference Model of Information Assurance & Security," in 2013 International Conference on Availability, Reliability and Security, Regensburg, Germany, Sep. 2013, pp. 546–555. doi: 10.1109/ARES.2013.72.
[5] D. B. Parker, Fighting Computer Crime (A New Framework for Protecting Information). New York, NY: John Wiley & Sons, 1983. Accessed: Oct. 09, 2022. [Online]. Available: https://www.ojp.gov/ncjrs/virtual-library/abstracts/fighting-computer-crime
[6] TechTarget Network, "The Ultimate Guide to Big Data for Businesses," 2022. https://www.techtarget.com/searchdatamanagement/pro/The-Ultimate-Guide-to-Big-Data-for-Businesses?vgnextfmt=confirmation (accessed May 22, 2022).
[7] J. Andress, The Basics of Information Security. Boston: Syngress, 2014. doi: 10.1016/B978-0-12-800744-0.00001-4.
No comments:
Post a Comment