Security Basics mailing list archives

RE: New security Triad


From: "David Harley" <david.a.harley () gmail com>
Date: Tue, 1 May 2007 00:26:30 +0100

> I have always been under the impression that the security 
> triad was CIA (Confidentiality, Integrity and Availability) 
> until I came across the link 
> http://www.networkworld.com/columnists/2003/0106schwartau.html.
> Maybe this is pretty late to discuss this question 
> as this article was posted in 2003. Nevertheless, just wanted 
> to check with all the security folks out there if the new 
> security TRIAD is indeed CPP (Cyber, Physical and People).

It's not an either/or. It's a different model, better for some purposes, but
I don't think it was intended to replace the CIA/AIC model (if it was, it
isn't up to the job: it addresses quite a different context). Actually, the
CIA model has never been complete - where do you fit accountability into it,
for instance? - but it's convenient for educational purposes. There are other
models: Donn Parker's hexad, for instance, adds control/possession,
authenticity, and utility to the mix, though opinions vary on how discrete
they really are...

<heresy>Actually, it doesn't necessarily matter much which model you use:
it's the Way You Use It that makes it useful/less </heresy>

-- 
David Harley CISSP (or shouldn't I mention that? ;-))
Security Author/Editor/Consultant/Researcher
Small Blue-Green World
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html

 


