Pro Tech

The Parkerian Hexad: Elevating Information Security Beyond the CIA Triad

While you may or may not be aware of the CIA Triad, it is a well-known set of fundamental principles of information security – Confidentiality, Integrity, and Availability. It clearly defines the relationship between information and security.

Confidentiality: Often considered the most fundamental principle of the CIA Triad, this involves protecting information from unauthorised access. It ensures that sensitive data is only accessible to those with the proper permissions. Integrity: Also part of the CIA Triad, integrity ensures that data remains accurate and unaltered. It involves protecting information from unauthorised modification or tampering, ensuring that it retains its original state and reliability.

Availability: Another core principle of the CIA Triad is that availability ensures that information and resources are accessible and usable when needed. It involves safeguarding against disruptions or outages that could impact the availability of critical systems and data. The Parkerian Hexad is a security framework that extends and complements the Triad, to include three additional elements:

Possession, Authenticity, and Utility. It points to the potential vulnerabilities between the CIA attributes. “These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.”

Possession: Possession emphasises the control and ownership of information. Possession ensures that authorised entities have the rightful ownership and control over the data or resources, preventing unauthorised entities from claiming possession. Information can be confidential and have integrity, but in the hands of the wrong person, it can threaten both attributes. “Suppose a thief were to steal a sealed envelope containing a bank debit card and its personal identification number. Even if the thief did not open that envelope, it’s reasonable for the victim to be concerned that the thief could do so at any time.”

Authenticity: This principle addresses the trustworthiness of information and the assurance that it is genuine and not falsified. Authenticity ensures that users can rely on the accuracy and origin of the information. “For example, one method for verifying the authorship of a handwritten document is to compare the handwriting characteristics of the document to a sampling of others that have already been verified. For electronic information, a digital signature could be used to verify the authorship of a digital document using public-key cryptography (could also be used to verify the integrity of the document).”

Utility: This is another extension introduced by the Parkerian Hexad, emphasising the usefulness of information. Utility involves ensuring that information serves its intended purpose and provides value to authorised users while also preventing misuse. “For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications–and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available–they just wouldn’t be useful in that form.” As we go into the new year, the Parkerian Hexad builds upon the CIA Triad by incorporating Possession, Authenticity,
and Utility, providing a clearer understanding of how to address various aspects of information security, ownership, trustworthiness, and usability. All quotes sourced from (

Tom is the owner of Govern Cybersecurity.
He has over 18 years in the cybersecurity and IT industry at management level, and for the past 6 years has been a lecturer in cybersecurity at the Eastern Institute of Technology. He has earned certifications in ISO 27001 Lead Auditing, Lead Implementation, SOC2, and Ethical Hacking. These certifications are considered the international gold standard for business security.