Donn B. Parker: A Visionary in Information Security
Donn B. Parker (1929–2021) was a pioneering figure in the field of information security, whose career spanned over five decades and left an indelible mark on how we understand and protect digital systems. Beginning in the early 1970s at SRI International, Parker documented and catalogued early cases of computer crime, producing seminal works such as Crime by Computer (1976), Computer Security Management (1981), and Fighting Computer Crime: A New Framework for Protecting Information (1998). A founder of the International Information Integrity Institute (I-4) and a key contributor to the Information Systems Security Association (ISSA), his thinking evolved from conventional risk management to a pointed critique of its limitations, cementing his legacy as both a scholar and a pragmatist. Parker's work bridged technical expertise with ethical and practical considerations, offering a holistic vision that continues to resonate in today's cybersecurity landscape.
The Artisans of Information Security
In Fighting Computer Crime, Parker introduced the evocative term “Information Security Artisans” to describe professionals in the field, a label that underscores his belief in the craft-like nature of their work. Unlike practitioners bound by rigid formulas or statistical models, Parker’s artisans thrive on creativity, intuition, and adaptability. He argued that traditional risk assessment—reliant on quantifiable data and predictable outcomes—was ill-suited to the unpredictable realm of cybercrime. As he famously wrote, “Information security artisans should know by now that it is impossible to obtain adequate data on loss expectancy to estimate risk to any useful degree. It involves trying to estimate the future misbehavior of unknown people, using unknown methods with unpredictable motives, against unknown targets that may cause unknown losses.” This skepticism reflects his view that the countless unknowns in cybersecurity—human behavior, emerging vulnerabilities, and evolving threats—demand a more flexible, experience-driven approach.
Parker’s artisans embody a blend of technical skill and practical wisdom, akin to traditional craftspeople shaping solutions to unique challenges. He saw their role as holistic, requiring not just mastery of systems but an intuitive grasp of potential threats. This perspective was a subtle critique of the era’s over-reliance on quantitative methods, advocating instead for a pragmatic artistry that prioritizes proactive safeguards over reactive calculations. By framing security as both an art and a science, Parker elevated the profession beyond mere technicality, aligning it with the dynamic realities of an ever-changing digital world.
The Evolution of a Philosophy
Parker’s thinking on risk-based security evolved dramatically over his career, reflecting his deepening understanding of its limitations. In his early works, such as Crime by Computer and Computer Security Management, he engaged with traditional risk management, emphasizing the identification and mitigation of threats based on likelihood and impact. These contributions helped establish foundational practices in the nascent field of computer security. However, by the early 2000s, Parker’s perspective shifted, culminating in his influential 2006 article, “Making the Case for Replacing Risk-Based Security,” published in The ISSA Journal. Here, he argued that security risks, unlike financial or operational risks, are inherently intangible and resistant to precise measurement, rendering conventional approaches unreliable.
This critique stemmed from practical observations: security teams struggled to secure funding or support when relying on hypothetical risk assessments, as executives dismissed intangible justifications. Parker proposed a transformative alternative—diligence-based security—centered on due diligence, compliance, and enablement. Due diligence emphasized measurable efforts to protect assets, compliance aligned security with legal and regulatory standards, and enablement reframed security as a facilitator of business operations rather than a cost center. This paradigm shift, reinforced by his earlier introduction of the “Parkerian Hexad” (expanding the CIA triad to include possession, authenticity, and utility), underscored his commitment to actionable, business-aligned security practices.
The Imperative of Reliable Data
Central to Parker's framework was the critical need for reliable data, a theme woven throughout Fighting Computer Crime. He recognized that effective security hinges on detailed, accurate information about incidents, threats, and vulnerabilities. Without it, risk assessments lose their footing, policies drift out of alignment with real threats, and incident responses are slower and less effective. Parker advocated for robust incident reporting, historical data analysis to identify trends, and metrics to benchmark performance: tools to reduce the uncertainty he so often highlighted. Yet he also acknowledged the practical obstacles. Victims keep attacks quiet, incidents are chronically underreported, and threats change faster than the records describing them, so practitioners are routinely left with a dearth of actionable data.
This tension between necessity and reality fueled Parker’s push for better data collection and sharing within the security community. He believed that such efforts would enhance decision-making, refine preventive measures, and elevate education and awareness—key pillars of his holistic approach. Reliable data, in his view, was not merely a luxury but a cornerstone of a robust security framework, bridging the gap between theoretical ideals and practical execution.
A Lasting Legacy
Parker’s influence extends beyond his writings to the individuals and organizations he inspired. Figures like Gene Spafford, a colleague and security educator at Purdue’s CERIAS, and Bill Murray, a consultant echoing Parker’s focus on diligence, reflect his intellectual lineage. Organizations such as ISSA and I-4 (now part of KPMG-UK) continue to promote his principles of ethics, integrity, and comprehensive security management. His ideas permeate modern frameworks, evidenced in the emphasis on compliance, ethical practices, and security as a business enabler—echoes of his diligence-based vision.
In Computer Security Management, Parker articulated security as a multifaceted discipline, integrating technology, policy, human factors, and legal considerations. He stressed education as a bulwark against human error, policies as the backbone of enforcement, and adaptability as a response to change. These themes, alongside his broader oeuvre, positioned security as a strategic management function, not just an IT concern—a perspective that remains profoundly relevant.
Donn B. Parker’s legacy lies in his ability to challenge orthodoxy and envision security as a living practice. From his early case studies of computer crime to his later critiques of risk-based models, he offered a roadmap for navigating the uncertainties of the digital age. His artisans—adaptable, skilled, and pragmatic—continue to shape a field where the only constant is change, ensuring that his voice endures in the ongoing quest to protect information in an unpredictable world.
