Information Security

Contextual Model
AN INTEGRATIVE PERSPECTIVE

There is a profusion of models that aim to describe the characteristics, properties

and objectives of Information Security. However, all of them all offer incomplete
outlooks which fail to consider the context in which information is utilized.

By PROTEUS YOUNG

BEYOND THE TRIAD

There is nothing fundamentally wrong with the CIA Triad

(confidentiality, integrity, availability), on the contrary: it
is a concise group of objectives that is both useful and
easy to remember. Consecrated in ISO/IEC 27000, it is
present in numerous information security models and
even in information threat models like STRIDE i, whose
name is formed not by the initials of the pursued
properties of the information, but of the threats
corresponding to their subversion.

The deficiency of the CIA Triad and other existing security

models is to ignore the context in which data is created,
recovered and transformed. The Triad make us believe
that all properties relate inherently do Data: the
Contextual Model, on the other hand, takes into account
the existence of other elements besides Data – namely,
User and Access – and introduces the concept of
property levels in which the inherent properties lay on
the first level and while properties of second and third
level arises from the relationship between and among
the elements. Additionally, it demonstrates that those
properties are expressions of underlying principles that,
when broken, compromise not only their respective
properties but their adjacent ones, thus rendering any
security expectation unfeasible.
The Contextual Model represents three fundamental
Elements of Information Security – Data, User and Access
– and the relationships between and among them. Each
one of them has an inherent property (i.e. which relates
exclusively to it). Other properties arise from the
relationship between the Elements, pairwise or all
together: these are their relational properties. The
purpose of Information Security is to preserve all
Elements’ properties. Elements and its properties are
graphically represented in Figure 1.
Figure 1 – Elements and Properties of the Information Security
Contextual Model
The three elements have a great deal of overlapping:
their intersections represent the relationships between
two of them or among them all. From their intersections
arise properties that, while belonging to one of the
elements (e.g. the one with written in the same color),
only exists in the context of the relation.
As seen in the diagram, there are nine properties
arranged in three triads:
1) The outer triad of properties inherent to the
Elements;
2) The medium triad of properties arisen from a pair-
wise relation;
3) The inner triad of properties arisen from the three
Elements.
Those are also called properties of first, second and third
levels.

1
Information Security Contextual Model
Also, it is important to notice that the diagram depicts
relationships, not the data flow.
INHERENT PROPERTIES
Data is the name of the set of recorded entities’
attributes representation in a given storage system. Its
inherent property is Integrity meaning that the recorded
representations must be preserved from undue changes
of both physical and logical nature.
User is the agent – not necessarily humanii – which
promotes the creation, recovery and transformation of
Data. Its inherent property is Identity, meaning that
agents’ identification must be unambiguous under the
penalty of ignorance of the access’ actor.
Access is the process that makes the User’s action on the
Data possible. Its inherent property is Inviolability,
meaning that the process must not be intercepted or
interrupted. Violations would respectively cause loss of
confidentiality and loss of availability.
RELATIONAL PROPERTIES
The relations between and among the elements Data,
User, and Access give rise to properties that do not make
sense when considered outside the context of the
relationship. In pairwise relationships, the missing
element does not affect the property and is not affected
by it, as follows.
The relationship between User and Data gives rise to the
property Authority, which reflects the rights of
individuals or groups over information. This property
originates in the real world and needs a corresponding
mapping to the security implementation. Authority is
independent of Access, because the right to access
certain pieces of information exists even when the user
does not exercise it.
The relationship between User and Access gives rise to
the property Authenticity, which is the guarantee that
the User is who he/she claims to be, that is, his/her
identity validation. Authenticity is independent of Data
since the User does not have to access it in order to have
his/her identity recognized.
The relationship between Data and Access gives rise to
the Availability property, which reflects the readiness of
the data to be accessed. This property is independent of
User since the readiness exists even if no access is made.
The relationship between Data, Access and User
comprises the Inner Triad of the third level properties.
2
© Proteus Young
They can only be understood in the context of the
complete process (e.g. data being accessed).
Confidentiality is the characteristic that ensures that
Data is being accessed by Users with the authority to do
so.
Non-repudiation is the characteristic that guarantees
that the Accesses to the Data were realized by the Users
to whom they are assigned the actions in the designated
times.
Traceability is the characteristic that allows the
reconstitution of the Accesses to which the Data was
submitted by the Users during a given period of time.
UNDERLYING PRINCIPLES
Data Integrity is connected to two principles:
• Preservation is the principle that data should be
protected against modifications that cause its
corruption, regardless of storage medium or form
of representation. While accidental corruption is
generally cause by physical issues, intentional
corruption stems from a security breach. As for the
breadth of damage, it can range from imperceptible
or irrelevant to total loss.
• Consistency is the principle that correlated data
should be consistent with each other. For example,
if not successfully completed, multiple updates of
related tables in a database may causes a relational
inconsistencyiii.
Loss of Integrity impacts the Availability and Authority
properties once these can only be verified if the
information is true and complete: there is no point in the
availability of false or incomplete information, as well as
there is no sense in Authority over corrupted data.
Likewise, the third level properties will be impaired. In
case of complete data destruction, this condition is more
evident.
Access Inviolability is connected to the principle of
Legitimacy: access to data must be by legitimate means.
Access violation can be either an interception or
interruption, making it an illegitimate action which
affects adjacent properties as follows:
• Authenticity is obviously violated as access is
performed by an agent not authorized to do so.
• Availability may be affected by illegitimate access
either by competing for processing resources in a
query that results in high data volume, or by a
Information Security Contextual Model
deliberate denial of service action (for example,
by running a resource-intensive query available.
• Confidentiality is compromised by improper
access.
• Non-repudiation and traceability lose meaning
when access is illegitimate as the logging
mechanism may incorrectly capture the
illegitimate action.
Integrity, which in non-adjacent property, may also be
affected if illegitimate access results in data
transformation.
User Identity is related to the principle of Agent
Unambiguity, that is, identification of the user should not
possess doubt or uncertainty. The user account must
designate a single agent so that their actions are
legitimized through authentication. Clear violations of
this principle occur when shared user accounts (“group
accounts”) are utilized, when a user shares his
credentials, when credentials are leaked, or when access
to data does not require authentication. Ambiguity
implies the impossibility of confirming or denying
authorship and leads to unintended anonymityiv. No
restrictions exist for multiple user accounts pointing to
the same individual, as it happens with the assignment of
privileged accounts that must be used occasionally.
Failure to identify the user - who is the agent of the
process - chain-compromises all other properties.
User Authenticity is related to Agent Trustworthiness in
the sense that evidence has been provided that the user
is who they claim to be. Violation of this principle
characterizes the imposture of the user.
User Authority is associated with the principle of
Sufficient Privilegev whereby the User must be given the
necessary authorization — no more, no less — to
perform his/her duties. Violating it causes insufficiency
or elevation of privilege. As much as Elevation,
Insufficiency of privileges can compromise
Confidentiality, Integrity, and Availability since: a) not
being able to read information you are entitled to is a
matter of Confidentiality; b) failure to perform common
technical routines or contingency functions may
compromise Integrity and Availability.
Data Availability relates to the Utility principle once not
being availablevi defeats both the purposes of Data's
existence and the purpose of Access. Failure to do so
characterizes a Denial of Service.
Data Confidentiality is directly associated with the Need
to Know principle, which holds that access to data is
limited by the User’s Authority. Failure to comply with
this principle results in improper disclosure (“leakage”) of
information.
3
© Proteus Young
Access Traceability relates to Accountability principle
whereby each User can only be held responsible for the
actions he/she performed (or failed to perform). Lack of
traceability prevents imputability and causes accidental
impunity. Data Integrity may be affected if it is impossible
to determine how a condition was achieved.
User Non-Repudiation is related to the principle of
Authorship Accreditation of certain actions. It assures the
user’s Authenticity in such a way that it’s impossible for
the author or any interested party to refute the action.
DISCUSSION
It is possible that the first contact with a new model may
raise questions about the new properties and principles,
and even about the need to consider them. The following
discussion recognizes such difficulties and provides some
reasoning.
• Just as Integrity, Confidentiality and Availability are
not properties of Data?
All of these properties are Data, but Integrity is its
only intrinsic property. Confidentiality and
Availability are relational properties of Data arising
from the intersection with, respectively, User and
Access.
• Are inviolability and Confidentiality not the same as
every Access violation implies a breach of
confidentiality?
No, because an access violation does not necessarily
retrieve information: there are attacks aimed solely
at the unavailability or corruption of the Data.
• Couldn't traceability and non-returnability be one
thing?
No, since Irresponsibility addresses the issue of
acceptance or repudiation in disputes, while
Traceability takes care of liability for actions taken.
Note also that non-returnability does not imply
irreversibility, which is a feature of certain
transactions to reflect business processes.
• Is the Identity property really necessary?
Yes, as the unambiguous identification of the agent
presupposes Authentication and Authorization,
without which Confidentiality, Traceability and Non-
Retractability cannot be guaranteed.
• How does the Contextual Model differ from other
existing models?
It depends on the model considered. In general, the
main differences are:
Information Security Contextual Model © Proteus Young

1) Integrative approach that puts into perspective CONCLUSION

not only Information, but its purpose: to serve
2) Users in their most varied business, scientific,
academic, social, cultural, recreational or
personal needs.
3) Introduction of new properties to consider:
Access Tampering, User Identity, Action
Traceability;
4) Explanation that the following violations should
be regarded as Information Security issues: Data
Inconsistency, Anonymity or User Ambiguity,
Insufficient Privileges and Impunity.
The job of Information Risk Analysis already naturally
considers the security aspects discussed here. The
purpose of the contextual model is to provide a
comprehensive perspective that reflects the usual
relationships between the elements involved in
information processes, facilitating the understanding of
their dynamics and the identification of vulnerability
points for the adoption of protection measures.
For the reader’s convenience, follows a synoptic chart of
the properties, principles and the consequences of not
observing them.

Information Security Contextual Model Level and Relations

Property Principles Violation Consequences Data Access User
Integrity Preservation, Consistency Corruption, Inconsistency 1
Inviolability Legitimacy Interception, Interruption 1
Identity Unambiguity Anonymity, Ambiguity 1
Availability Utility Denial of Service 2 R
Authority Sufficient Privilege, Segregation of Duties Insufficiency or Escalation of Privileges R 2
Authenticity Trustworthiness Imposture R 2
Confidentiality Need to Know Undue Disclosure (Leakage) 3 R R
Traceability Accountability Impunity R 3 R
Non-Repudiation Authorship Accreditation Repudiation R R 3
Figure 2 – Contextual Model Synoptic Chart.

NOTES
i STRIDE is the acronym for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges.
ii Automated actions always require the provision of credentials - typically service accounts - with sufficient rights.
iii Although major database management systems provide multiple-update transaction as consistency preservation mechanism, they

usually need to be encoded in the applications.

iv
Accidental Anonymity must not be confused with the Intentional Anonymity required by some systems.
v The Least Privilege Principle is probably called this way because privileges in excess are dangerous even though it declares that the

degree of privilege should be sufficient.

vi
Availability does not imply being always available as Service Level Agreements apply.