Cybersecurity Threat Modelling Part 3: Security Attributes



This article was published on: May 12, 2019

Cybercrime is estimated to cost $6 trillion annually by 2021 and is said to be the greatest threat to every business in the world. To begin understanding this complex battle between security experts and cybercriminals, it helps to develop and understand a basic Threat and Risk Model.

This primer on cybersecurity threat modelling is split into 3 parts: Introduction to Risk & Asset Selection, Threat Modelling & Risk Assessment, and Security Attributes.

This is part 3: Security Attributes

In order to protect your assets, you will need to use security controls that enable security attributes. A very popular model that is still in use today is called the CIA Triad. It contains the attributes:

  • Confidentiality – the asset is not disclosed to the public (for instance, employee payroll data).
  • Integrity – the asset isn’t altered in any way, such as data in information systems.
  • Availability – asset expiration date and availability, i.e., the lifecycle of an asset and the channels used to access it.

While these attributes are simple enough to understand and assign, they unfortunately do not conform to business language nor do they have enough variety to accommodate the multitude of assets in an organization.

In 1998, Donn B. Parker proposed an alternative to the CIA triad. Called the Parkerian Hexad, and also known as the 6 atomic elements of information, it adds 3 attributes to the classic CIA triad:

  • Possession – control of the asset. A loss of control or possession does not have to involve a breach of confidentiality, such as when a public website is hacked and the only compromised data was already available to the public.
  • Authenticity – the validity of the claim of origin or the authorship of the asset. For instance, cross-site scripting (XSS) hijacks the login page of the authentic site and presents a login form from another. Phishing is also a common threat to authenticity.
  • Utility – usefulness of the asset. For example, data locked by ransomware is no longer useful or usable.

The Parkerian Hexad has had some supplementary attributes added to it (though these are not considered part of the model itself). They are:

  • Non-repudiation – one party of a transaction cannot deny having received or sent a transaction or message.
  • Authentication – verifies the identity of a user or system.
  • Authorization – determines access to systems and data, and may extend beyond digital assets, for example to facilities.

To clarify how the attributes are determined, we can look at the following examples:

  • Encryption provides confidentiality.
  • Hashing files or documents provides integrity (such as MD5-checksum).
  • Digitally signed documents (using DocuSign or Adobe Sign for example) have multiple attributes that maintain authenticity and integrity against changes, enforce non-repudiation, and confirm authorization. If they are encrypted and hashed then they also provide confidentiality and integrity.
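To make the gap between a plain hash and a signed document concrete, the following added example (not from the original article) compares an unkeyed checksum with a keyed tag (HMAC) over a constructed payroll record. It uses SHA-256 rather than the MD5 mentioned above, because MD5 is no longer collision-resistant; the key, the record contents and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample data (not real payroll records or a real key).
KEY = b"constructed-demo-key"
ORIGINAL = b"payroll 2019-05: alice=5000; bob=5200"
ALTERED = b"payroll 2019-05: alice=5000; bob=9200"


def checksum(data: bytes) -> str:
    """Unkeyed digest: anyone who holds the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can compute a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, digest: str, tag: str, key: bytes) -> dict:
    """Check the data against the digest and the tag delivered with it."""
    return {
        # Constant-time comparison avoids leaking how many characters matched.
        "checksum": hmac.compare_digest(checksum(data), digest),
        "hmac": hmac.compare_digest(keyed_tag(key, data), tag),
    }


def scenarios() -> dict:
    digest, tag = checksum(ORIGINAL), keyed_tag(KEY, ORIGINAL)
    return {
        # Nothing changed: both controls pass.
        "untouched": verify(ORIGINAL, digest, tag, KEY),
        # Data changed, digest and tag kept out of reach: both controls fail.
        "altered, digest and tag untouched": verify(ALTERED, digest, tag, KEY),
        # Data changed and the digest stored beside it recomputed, which needs
        # no secret: the checksum passes, only the keyed tag reports the change.
        "altered, digest recomputed": verify(ALTERED, checksum(ALTERED), tag, KEY),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

A checksum stored next to the data only shows that the data matches that checksum, so it protects integrity only when the digest itself is kept where whoever can modify the data cannot reach it. The HMAC adds authenticity, but because both parties share the key it does not provide non-repudiation, which is the attribute the digitally signed documents in the list above supply.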

One point to keep in mind is that, unfortunately, nothing we’ve discussed so far is in common business language, and often it is the business that we try to secure in our cybersecurity efforts. A lot of the attribution models out there are more technically oriented to serve the tech community, rather than the general lines of business that need their assets protected.

To that end, we generally like using the SABSA business attributes model because it has the most business-like syntax, which makes it easy to follow, assess, and design security architecture with, and keeps members of the business involved and informed throughout the process.

That’s all you need to get started!

If you have any questions or comments, please get in touch with us.
