The Parkerian Hexad

Donn Parker spent four decades at SRI International cataloging real computer-crime cases. By the late 1990s he had a problem: the cases would not fit the triad.

Parker's 1998 book Fighting Computer Crime argued that the CIA Triad, while a fine starting point, missed three real properties that real incidents violated. His proposed extension, now called the Parkerian Hexad, kept the original three and added Possession (or Control), Authenticity, and Utility.

The argument was not that the triad was wrong. It was that the triad was incomplete in ways that mattered for the practice of investigating and defending against actual computer crime. The hexad never replaced the triad in textbooks, but it lives on as a sharper tool for analyzing cases where the triad gives the wrong answer.

The first three pillars carry forward from the triad with the same definitions:

• Confidentiality: information is disclosed only to authorized parties.
• Integrity: information is unchanged except by authorized modification, and changes are detectable.
• Availability: information is accessible to authorized parties when needed.

Parker did not modify any of these. He added three more.

Possession is the property that the asset is held only by parties authorized to hold it, regardless of whether they can read it.

Confidentiality answers "can the wrong people see this?" Possession answers "do the wrong people have a copy of this?" Those are not the same question. An encrypted backup tape stolen by a thief who cannot read the contents is a possession violation, not a confidentiality violation. The owner has lost control of the artifact even though the data within remains undisclosed.

The distinction matters for three reasons:

• Future cryptanalysis. Data that is confidential today may not be confidential in twenty years. Quantum computing threatens current public-key cryptography; weak symmetric keys eventually fall to brute force. An attacker who possesses ciphertext today has bought a lottery ticket on tomorrow's compute capabilities.
• Legal and regulatory exposure. Most breach notification laws are triggered by unauthorized acquisition of data, not unauthorized disclosure. Possession alone is enough to require disclosure to regulators and customers in most jurisdictions.
• Asset accounting. "How many copies of this file exist, and where?" is a possession question. Even if every copy is encrypted, the answer matters for incident response, e-discovery, and data minimization.

Authenticity is the property that information is genuinely from the source it claims to be from.

Integrity answers "has this been changed?" Authenticity answers "did this originate where it claims to have originated?" An email that arrives with every byte intact from a forged sender has integrity in the strict sense and zero authenticity. A counterfeit twenty-dollar bill that has the right numbers in the right places has integrity but is not authentic.

In digital systems, authenticity is enforced through cryptographic signatures, certificate chains, and trusted timestamping. The distinction between integrity and authenticity becomes visible when one is present without the other. A file's hash matching tells you the file is unchanged from whatever copy produced the hash. A signature on that hash tells you who produced it. The first is integrity. The second is authenticity. You need the second to know whether the first is worth anything.

Authenticity also covers the broader concept of non-repudiation: the inability of a party to deny having performed an action. A user who logged in to a system protected by strong authentication and signed every action with their private key cannot later claim "that was not me." Authenticity makes accountability possible.

Utility is the property that information is in a form that fulfills its intended purpose.

Availability answers "is the data reachable?" Utility answers "if I reach it, can I actually use it?" The two come apart in several recognizable cases:

• An encrypted file whose decryption key has been lost. The bits are present and reachable. They are useless to the owner.
• A database in a deprecated schema that no surviving software can parse.
• A backup written to magnetic tape, when no working tape drive remains in the building.
• A document in a proprietary format from a long-defunct vendor.

In each case the data is available but not useful. The 2010 Library of Congress digital preservation report estimated that more than half of the digital records held by U.S. government agencies prior to 1985 had become unreadable due to format and media obsolescence. The data had not been deleted. It had simply lost its utility.

Utility is the property that makes archival data continuously usable, not just continuously present. The defensive technique, called digital preservation by archivists, involves periodic format migration, multiple format copies, open file formats, and abstention from proprietary formats whenever possible.

Parker used a scenario that the triad cannot describe cleanly. Consider an employee laptop, encrypted at rest with strong full-disk encryption, that is stolen from a coffee shop. Apply the CIA Triad and you get an awkward analysis: confidentiality is intact (the data cannot be read without the key), integrity is intact (no modification has occurred), and availability is degraded only for the laptop's owner (the data is unavailable to them but presumably backed up).

By the strict triad analysis, almost nothing has been violated. By any practical analysis, something significant has happened: the company has lost an asset, a regulator may need to be notified, the laptop's serial number is on someone else's hard drive, and an attacker who develops a key-recovery attack in five years will retroactively turn this into a confidentiality breach.

The hexad describes this cleanly. Possession is violated (the company no longer holds the device). Confidentiality is currently intact but at risk. Availability is degraded for the owner. The other three are not affected. That is a more honest summary of what actually happened.

The three new pillars do not replace any of the original three. They extend them. The rough alignment between the two models, often used in exam questions, is:

The mapping is useful for memorization and for exam questions, but it is not exact. Authenticity has a closer connection to integrity than to confidentiality, but a forged sender violates authenticity even without changing the message contents, which is why some authors place authenticity as a standalone pillar.

For everyday security analysis, the triad is sufficient. Reach for the hexad when:

• An incident involves loss of an asset without disclosure (stolen encrypted device, lost backup tape, exfiltrated ciphertext).
• An incident involves a forged sender or impersonation without modification of message content (business email compromise, deepfake voice authorization, signed-but-fake software).
• An incident involves data that is technically accessible but cannot serve its purpose (lost decryption keys, format obsolescence, deprecated schemas).
• An exam or framework asks you to distinguish authenticity from integrity, possession from confidentiality, or utility from availability.

The next page applies both models. Every attack category we will study in Rolling Thunder Security is mapped to the pillars it violates, with hexad extensions called out where the triad alone is insufficient.