In a previous blog post I explained how I thought that “Privacy” was a better term than “Confidentiality” when we are communicating with non-specialists. Everyday users must play their role in protecting information. This is part of my heretical suggestion that we should replace “CIA” with “PAR”, as in Privacy, Accuracy, and Reliability.
For most people, integrity describes a person of good character. It has to do with ethics and moral behavior. Someone with integrity is honest. We expect them to tell the truth and behave appropriately.
Captain America. Superman. We trust them.
OK, integrity has some aspect of not changing. A person with integrity isn’t honest with some people but not with others. Being honest just some of the time gets you labeled as dishonest. But “integrity” for people is about trust, not consistency.
Another possible confusion is that “integrity” suggests “integral”, meaning that the thing or person plays a central and crucial role.
Remember that we want to enlist the assistance of the users. This involves everyone, including the little people, not just those at the core of the operation.
“Integrity” is an entirely different concept when we apply it to data. The ideal would be completely immutable information. A set of data that we cannot change. Nor could we delete, move, or hide it. “Carved in stone” but even more so. Even things carved into stone for all time can be wiped out.
It makes little sense to attribute data-style integrity to people. Or, its lack.
“Remember that manager who lacked integrity?”
“Yeah, her glass eye would fall out and roll across the conference table during important meetings. That was very distracting.”
In Learning Tree’s CompTIA Security+ test-prep course we are careful to use CompTIA’s terminology. One concept is the distinction between the data owner and the data custodian. The data owner is responsible for creating accurate data. Then, as time passes, the data owner verifies that the stored data continues to be accurate.
If the facts haven’t changed, the description should not change. When the situation changes in some way, then it may be appropriate to change the description. The stored data either doesn’t change at all, or it changes only in carefully limited ways.
Let’s think about downloading a software update. The latest Linux kernel source code archive, or Oracle patch, or Juniper router operating system update.
Did I get the real software from the real provider?
The real provider — We must authenticate the source. It’s an organization in each of these examples.
The real software — A precise copy, identical down to every single bit of what that organization meant to provide. No bit changed, deleted, or added.
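The “real software” half of that question can be checked mechanically. The following is an added example, not code from the original post: it compares a download's SHA-256 digest with the provider's published value and shows that a changed, deleted, or added bit is rejected. The sample data and the `PUBLISHED` value are constructed, and the example assumes the published digest reached you over a channel that authenticates the provider, since a digest alone does not prove who issued it.

```python
import hashlib
import hmac
import io


def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so a large archive need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def is_exact_copy(stream, published_digest):
    """Return True only if the content matches the published digest bit for bit."""
    actual = sha256_stream(stream)
    # Normalise the published value; compare_digest avoids early-exit comparison.
    return hmac.compare_digest(actual, published_digest.strip().lower())


# Constructed sample standing in for a downloaded update archive.
ORIGINAL = b"example-update-1.0\n" * 1000
# Assumption: this value was obtained from the provider over an authenticated channel.
PUBLISHED = hashlib.sha256(ORIGINAL).hexdigest()


def tamper_cases():
    """Build one untouched copy and one copy for each kind of alteration."""
    flipped = bytearray(ORIGINAL)
    flipped[500] ^= 0x01  # a single bit changed
    return {
        "untouched": ORIGINAL,
        "bit changed": bytes(flipped),
        "byte deleted": ORIGINAL[:-1],
        "byte added": ORIGINAL + b"\x00",
    }


def check_all():
    """Verify every case against the published digest."""
    return {name: is_exact_copy(io.BytesIO(data), PUBLISHED)
            for name, data in tamper_cases().items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:12} -> {'accept' if ok else 'REJECT'}")
```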
I won’t sell many encyclopedias if I can only say that it’s mostly right. Would-be customers will insist on being confident in its accuracy. Some articles may describe fictional characters or things (Atticus Finch, Narnia), but they will be clearly described as being fictional, and the article will accurately describe the fiction.
Completeness is also an issue. Imagine an article that described Atticus Finch’s appearance and the house he lived in, but neglected to mention what he did for a living. That wouldn’t be very useful! You wouldn’t pay very much for that reference source.
Many things can never be complete. Medical records are partial snapshots of noisy biological functions, but they need to be complete enough to serve their purpose.
So, accuracy means “complete”, possibly with an asterisk leading to a footnote: “Complete enough to do the job.” Confidence in data accuracy leads to confidence we’ll do the whole job correctly.
We need confidence that the job will succeed. That gets into reliability. Check back next time for why I think “Reliability” is a much better term than “Availability”.