In early August I made the heretical suggestion of replacing “CIA” with “PAR”, as in Privacy, Accuracy, and Reliability. Grim talk about “The CIA Triad” suggests to many users that it has nothing to do with them. But we can’t have information security without user understanding and involvement!
We talk about CIA in Learning Tree’s System and Network Security Introduction course. Let’s take a critical look at it.
I think the word Confidential leads to confusion. It’s an official classification level for many governments. However, users need confidentiality for data that isn’t formally classified.
There was Graham Greene’s book The Confidential Agent, made into a movie starring Charles Boyer, Lauren Bacall, and Peter Lorre. In that sense, it’s about a person who tries to avoid being noticed, and if noticed, to be misunderstood. However, we aren’t trying for either steganography or misdirection here.
A magazine named Confidential was published from 1952 to 1978. It reported Hollywood scandals and gossip, so it embodied the opposite of what we want. (It seems to have been the model for the fictional magazine Hush-Hush in the novel and movie L.A. Confidential.)
Worse yet, confidential might get confused with confidence man, another term for a con artist.
Secrets are for governments, large companies, and other organizations. Secrets get locked up in warehouses like at the end of Raiders of the Lost Ark. They’re put away with little intent of ever revisiting them. See the CIA’s recently released Electronic Reading Room archive, much of it illegible.
Privacy is the term that most people will associate with what we need. Privacy is important for some personal information. We don’t need privacy for everything. A favorite baseball team, favorite ice cream flavor, we want others to know those.
But we do want to limit distribution of some personal information. Medical information. Financial details. We want our specific professionals in those fields — our doctors and nursing staff — to have full access to the relevant pieces. But just the relevant pieces. My doctor doesn’t need to know about my investments. My financial advisor doesn’t need to know my blood chemistry.
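The “just the relevant pieces” rule above is the need-to-know principle, and it is easy to get wrong when a field is never classified at all. The following is an added example, not the author’s code and not from the Learning Tree course: it labels each field of a constructed, fictional personal record by category, grants each role only the categories it needs, and fails closed, so a field that nobody remembered to label is withheld from everyone. The roles, labels and record values are all assumptions chosen for illustration.

```python
"""Need-to-know filtering of a personal record: each role sees only the
categories it needs; everything else is withheld by default."""

from typing import Any, Dict, Set

# Constructed sample record (illustrative values, not real data).
PERSON_RECORD: Dict[str, Any] = {
    "name": "Alice Example",
    "favorite_team": "Red Sox",
    "favorite_ice_cream": "pistachio",
    "blood_chemistry": {"glucose_mg_dl": 92},
    "allergies": ["penicillin"],
    "investments": {"index_fund_usd": 12000},
    "basement_shrine": "Mithra",
    "unlabelled_note": "a field nobody remembered to classify",
}

# Sensitivity label per field (assumed categories). A field missing from
# this map is treated as readable by nobody, so a forgotten label never leaks.
FIELD_LABELS: Dict[str, str] = {
    "name": "public",
    "favorite_team": "public",
    "favorite_ice_cream": "public",
    "blood_chemistry": "medical",
    "allergies": "medical",
    "investments": "financial",
    "basement_shrine": "secret",
}

# Need-to-know policy (assumed roles): the labels each role may read.
# "secret" is deliberately granted to no role at all.
ROLE_ACCESS: Dict[str, Set[str]] = {
    "doctor": {"public", "medical"},
    "financial_advisor": {"public", "financial"},
}

UNLABELLED = "unlabelled"


def label_of(field: str) -> str:
    """Label for a field; anything not explicitly classified is 'unlabelled'."""
    return FIELD_LABELS.get(field, UNLABELLED)


def may_read(role: str, field: str) -> bool:
    """Deny-by-default check: unknown roles get only public fields,
    and unlabelled fields are readable by nobody."""
    allowed = ROLE_ACCESS.get(role, {"public"})
    return label_of(field) in allowed


def view_for(role: str, record: Dict[str, Any]) -> Dict[str, Any]:
    """Return only the pieces of the record this role needs."""
    return {f: v for f, v in record.items() if may_read(role, f)}


def withheld_from(role: str, record: Dict[str, Any]) -> Dict[str, str]:
    """Fields the role did not receive, mapped to the label that blocked
    them; handy as the body of an access-denied audit entry."""
    return {f: label_of(f) for f in record if not may_read(role, f)}


if __name__ == "__main__":
    for role in ("doctor", "financial_advisor", "reporter"):
        print(role, "sees:", sorted(view_for(role, PERSON_RECORD)))
        print("   withheld:", withheld_from(role, PERSON_RECORD))
```

The doctor ends up with the medical fields and the public ones, the financial advisor with the investments, and an unknown role such as a reporter with only the public fields. Note that `unlabelled_note` reaches nobody: a classification gap shows up as a withheld field in the audit output rather than as a leak, which is the behaviour you want when labels are maintained by hand.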
Secrets, for people, are entirely different and much less common. They’re the unopened crate in the personal warehouse that no one gets to see. My religious beliefs might be private, shared only with family and friends. If they involve an elaborate shrine to Mithra in my basement, that would more likely be a secret.
If we say “privacy”, people will associate it with private matters in real life. Privacy is for people. Medicine. Finance. It isn’t thrown away or locked away forever. We need accurate and reliable sharing with the appropriate professionals and institutions only.
Secrets are for organizations. The CIA, NSA, and other government agencies. Large corporations with secret recipes, like Coca-Cola and KFC. The Illuminati. Wait, that last one doesn’t exist!
See what I did there? When we say “secrets” we quickly go to the extremes.
“Privacy” is the best term for us normal people. If we apply that term to organizational data, our staff will have a better idea of why and how to protect it.
My carefully protected private information must be useful. I want to be confident that my doctor has access to my medical information, an accurate and complete record accessed whenever it’s needed. Accuracy and Reliability are the rest of my suggested terminology.
Check back later for my explanation of how I think that “Accuracy” would be a more meaningful, and thus more useful, replacement for “Integrity”.