Can information security risks essentially only be triaged according to the CIA triangle (Confidentiality, Integrity and Availability) or are there other possibilities?
1 Answer
There are lots of other possibilities.
Note that the CIA triad is not so much a model for security risks as it is for security goals/objectives. It has often been criticized for being overly simplistic and incomplete. Consequently, there are lots of alternative models and extensions of the CIA triad. One popular option is the Parkerian hexad that consists of confidentiality, possession, integrity, authenticity, availability and utility. Others have suggested extending it with authenticity and non-repudiation to the CIAAN model.
If your primary goal is threat risk modeling, there are other models to consider - which can still be associated with the CIA triad. For example, there is the STRIDE model which classifies threats via the categories spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege. Here is how it relates to CIA:
STRIDE is what an attacker can do. TID is the attack version of CIA:
- Defenders want Confidentiality – attackers use Information Disclosure
- Defenders want Integrity – attackers use Tampering
- Defenders want Availability – attackers use Denial of Service.
But, what about Spoofing, Repudiation and Elevation of Privilege? Enter the (modern) non-linear attack:
- Spoofing and Elevation of Privilege are the entry points to pry open the doors.
- Repudiation is covering the adversary’s tracks during the initial compromise and the breach.
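As an added illustration (not part of the original question or answer), the following Python script turns the STRIDE-to-CIA mapping from the answer into a simple triage ranking. The mapping of Information Disclosure, Tampering and Denial of Service to Confidentiality, Integrity and Availability is the answer's; everything else is an assumption constructed for this example: findings are tagged with one STRIDE category, assets carry a 1 to 3 requirement level for each CIA property (as a data classification might assign), Spoofing and Elevation of Privilege are scored as entry points that can lead to any of the three, and Repudiation is scored at the asset's Integrity level on the grounds that it undermines the audit trail. The `Asset`, `Finding`, `triage` and `score` names and the sample inventory are all invented here.

```python
"""
Added example: ranking findings by mapping their STRIDE category onto the
asset's CIA requirements. The STRIDE -> CIA mapping follows the answer above;
the scoring weights and the treatment of the three non-CIA categories are
assumptions made for this example, not a published standard.
"""
from dataclasses import dataclass

# STRIDE categories that are the "attack version" of a CIA property (from the answer).
STRIDE_TO_CIA = {
    "Information Disclosure": "Confidentiality",
    "Tampering": "Integrity",
    "Denial of Service": "Availability",
}
# The remaining categories are enablers rather than direct CIA violations.
ENTRY_POINTS = {"Spoofing", "Elevation of Privilege"}
TRACK_COVERING = {"Repudiation"}

CIA = ["Confidentiality", "Integrity", "Availability"]


@dataclass(frozen=True)
class Asset:
    """Constructed asset record: 1 (low) .. 3 (high) requirement per property."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def level(self, prop):
        return {"Confidentiality": self.confidentiality,
                "Integrity": self.integrity,
                "Availability": self.availability}[prop]


@dataclass(frozen=True)
class Finding:
    """Constructed finding: one STRIDE category against one asset."""
    id: str
    stride: str
    asset: Asset


def affected_properties(stride):
    """Which CIA properties a STRIDE category threatens, per the answer's mapping."""
    if stride in STRIDE_TO_CIA:
        return [STRIDE_TO_CIA[stride]]
    if stride in ENTRY_POINTS:
        # Assumption: an entry point can lead to any of the three.
        return list(CIA)
    if stride in TRACK_COVERING:
        # Assumption: covering tracks attacks the integrity of the audit trail.
        return ["Integrity"]
    raise ValueError(f"unknown STRIDE category: {stride!r}")


def score(finding):
    """Constructed scoring: highest requirement level among the affected properties."""
    return max(finding.asset.level(p) for p in affected_properties(finding.stride))


def triage(findings):
    """Return (finding id, score, affected properties) sorted highest risk first."""
    rows = [(f.id, score(f), affected_properties(f.stride)) for f in findings]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory and findings.
CUSTOMER_DB = Asset("customer-db", confidentiality=3, integrity=3, availability=2)
STATUS_PAGE = Asset("status-page", confidentiality=1, integrity=2, availability=3)

SAMPLE_FINDINGS = [
    Finding("F1", "Denial of Service", STATUS_PAGE),
    Finding("F2", "Information Disclosure", STATUS_PAGE),
    Finding("F3", "Spoofing", CUSTOMER_DB),
    Finding("F4", "Repudiation", STATUS_PAGE),
    Finding("F5", "Tampering", CUSTOMER_DB),
]

if __name__ == "__main__":
    for fid, s, props in triage(SAMPLE_FINDINGS):
        print(f"{fid}: score={s} affects={', '.join(props)}")
```

Running it ranks the denial-of-service finding against the availability-critical status page and the spoofing and tampering findings against the customer database ahead of the information-disclosure finding against the public status page, which is the kind of prioritisation the CIA levels are meant to drive. The point of the script is the structure, not the weights: any real triage would replace the 1 to 3 levels and the entry-point rule with the organisation's own classification scheme.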