The Parkerian Hexad

Yesterday, the first of May, Fabrizio Cilli and I engaged in a deep discussion about the adequacy of the CIA triad in today’s cybersecurity practices, particularly in the context of AI, OT, and connected devices, where safety is a significant concern. Our conversation was sparked by a thought-provoking post, which suggested to dust off the Parkerian Hexad that foresee the addition of three dimensions to the traditional CIA Triad, emphasizing the need to expand our security models to ensure AI systems are also safe for human use.

CIA-S

Tom Cornelius’ alternative model, the CIAS, incorporates Safety into the traditional CIA Triad. This model acknowledges the limitations of the CIA Triad in the era of AI, IoT, and OT, where the safety component becomes essential for guiding risk management decisions. Also this model reflects a growing recognition that cybersecurity Risk Assessment frameworks must evolve to address the complexities of modern technology.

Different dimensions

In my humble opinion, Safety and the CIA components may indeed operate on different dimensions. A breach in integrity, for example, could have direct implications for safety, showing that these aspects are intertwined yet distinct. When considering risk, it’s clear that cyber risk and safety risk are two interlinked concerns that must be assessed together.

An integrated multidimensional Physical-Cyber security approach

Today, I had the opportunity to read Enrico Frumento’s work, which presents an integrated IT-OT assessment and governance model for improved holistic cybersecurity
This approach considers the IT and the physical world as separate with an overlap, – and this resonates with our discussion

Areas of IT-OT security. Source: Ghaznavi, 2017.

Moreover this approach also introduces the idea of evaluating a different dimension of safety, as well as another dimension of trust, which is becoming increasingly relevant in the AI field.

This leads us to a multi-layered cyber risk analysis framework, such as the one depicted in the image below. This framework calls for a comprehensive approach to cybersecurity, covering layers from the geographic and physical levels up to the government layer. Each layer represents a domain of existence and a potential vector for cyber threats, requiring a thorough analysis to secure all fronts.

Cyber-Terrain Model layers. Source: Riley, 2014.
Cyber-Terrain Model layers. Source: Riley, 2014.


Incorporating Safety and Trust into this multi-layered model is a logical step, as it allows us to address the nuanced ways in which different layers can impact human safety.

For instance, a vulnerability at the network layer could compromise the safety of an OT system, leading to real-world consequences. By adding Safety as an explicit layer or dimension to this framework, we ensure that risk analyses account for potential physical harm to individuals and society, not just data and system integrity.

Conclusion

In conclusion, while the CIA Triad has served as a foundational model for cybersecurity and has stood the test of time, the evolution of technology demands that we expand our frameworks to include Safety and Trust.

A multi-layered approach might provide a logical structure for such an expansion, ensuring that we can protect against both digital and physical threats in an increasingly interconnected world.