The Parkerian Hexad

The Parkerian Hexad: Evolving the Foundations of Information Security

By Stage Four Security

In the Beginning: The CIA Triad Reigns

In the late 20th century, Donn B. Parker, a trailblazer in information security, stood at the forefront of a rapidly evolving digital landscape. Computers were no longer confined to research labs or corporate backrooms—they were fast becoming the backbone of global commerce, healthcare, and communication.

For decades, the CIA Triad—Confidentiality, Integrity, and Availability—served as the bedrock of information security. But as Parker investigated cybercrimes through interviews with hackers and real-world breaches, he identified blind spots the Triad couldn’t explain. So, in the 1990s, he introduced a new model: the Parkerian Hexad.

The Genesis of the Hexad: Building on the CIA Triad

Through his work at SRI International and decades of field experience, Parker observed that while the Triad’s three pillars were essential, they didn’t account for threats such as:

  • Loss of data control (e.g., stolen devices)
  • Impersonation or data forgery
  • Information that is accessible but unusable

To address these gaps, he introduced three companion elements—Possession, Authenticity, and Utility—forming a six-part framework called the Parkerian Hexad.

Aligning and Expanding the CIA Triad with the Hexad

🔒 Confidentiality → Possession

Confidentiality keeps information secret. But Parker observed that simply losing control of data (even if encrypted) posed serious risk. Possession was his answer: who holds the data matters.

Example: A hospital stores encrypted patient records on a tape drive. If a rogue employee steals the tape, confidentiality may be intact, but possession is lost, introducing risk.

📏 Integrity → Authenticity

Integrity ensures that data hasn’t been altered. Authenticity ensures the source is genuine.

Example: A wire transfer request is received by a bank. The email is unaltered (integrity), but was sent from a spoofed executive address. Without authenticity, trust fails.
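The distinction above, as an added example that is not part of the original article: an unkeyed checksum, like the one the bank in the later narrative relies on, passes a forged request because the forger can compute it too, while a keyed MAC does not. The key, message bodies, and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption): a secret shared only by the
# executive's signing system and the bank's verifier.
SHARED_KEY = b"constructed-demo-key"


def checksum(body):
    """Unkeyed SHA-256 digest: anyone can compute it for any body."""
    return hashlib.sha256(body).hexdigest()


def mac(body, key=SHARED_KEY):
    """Keyed HMAC-SHA256 tag: only a key holder can produce a valid one."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_message(body, key=None):
    """Build a request; a sender without the key cannot attach a valid MAC."""
    msg = {"body": body, "checksum": checksum(body)}
    if key is not None:
        msg["mac"] = mac(body, key)
    return msg


def assess(msg):
    """Report integrity (checksum) and authenticity (MAC) as separate results."""
    body = msg["body"]
    return {
        "integrity": hmac.compare_digest(checksum(body), msg["checksum"]),
        "authenticity": hmac.compare_digest(mac(body), msg.get("mac", "")),
    }


# Constructed sample requests.
GENUINE = make_message(b"Transfer 10,000 USD to account 111", SHARED_KEY)
# Body changed in transit; the original checksum and MAC no longer match.
TAMPERED = dict(GENUINE, body=b"Transfer 90,000 USD to account 111")
# Spoofed sender: recomputes the checksum but has no key for the MAC.
FORGED = make_message(b"Transfer 90,000 USD to account 999")

if __name__ == "__main__":
    for name, msg in [("genuine", GENUINE), ("tampered", TAMPERED), ("forged", FORGED)]:
        print(name, assess(msg))
```

The forged request is the case the Triad's integrity check misses: its checksum verifies, and only the keyed check exposes it.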

⚙️ Availability → Utility

Availability ensures access, but Parker realized that Utility—how usable the data is—is equally critical.

Example: A backup server is accessible, but due to a formatting issue, the files are unreadable. Availability is preserved; utility is not.

The Hexad in a 1990s Bank: A Narrative Example

Imagine a regional bank in 1995 relying on the CIA Triad:

  • Encrypts data (Confidentiality)
  • Uses checksums (Integrity)
  • Runs redundant servers (Availability)

Then, a hacker steals encrypted data (loss of Possession), forges an executive email (compromised Authenticity), and corrupts backup formats (lost Utility). The CIA model breaks down, but the Hexad captures it all.

Quick Reference: The Parkerian Hexad

Element              | Core Idea                   | Example
---------------------|-----------------------------|----------------------------
Confidentiality      | Prevent unauthorized access | Employee data leak
Possession / Control | Maintain custody of data    | Lost encrypted USB drive
Integrity            | Ensure unaltered data       | Tampered transaction logs
Authenticity         | Verify legitimate source    | Phishing with forged sender
Availability         | Ensure access to data       | DDoS on login portal
Utility              | Maintain usability of data  | Unreadable backup formats

“The Hexad doesn’t replace the Triad—it empowers it.”

Stage Four Security

The Hexad’s Legacy

The Parkerian Hexad stands as a testament to Donn B. Parker’s foresight. By expanding the CIA Triad, he created a more nuanced and resilient way to protect digital assets in an age of increasingly complex threats. From ransomware to social engineering, the Hexad remains more relevant than ever.


Learn it.
Know it.
Live it.
