Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

Integrity First … Then Availability … Then Confidentiality

“Whatever happens, the system’s integrity must be restored.” This quotation appeared in an August 10, 2012 article, “Knight Capital trading disaster portends frightening future for markets,” by Diane Francis, available at http://opinion.financialpost.com/2012/08/10/knight-capital-trading-disaster-portends-frightening-future-for-stocks/. Of course, Francis was referring to the securities market system in general, rather than specifically to the Knight Capital system that went haywire. But still, her emphasis is on the lack of integrity, which may have been behind the loss of availability … and confidentiality was not even mentioned.

Taking a perverse view … it is not completely infeasible for the Knight Capital computer system meltdown to have been due to a security breach … we will likely never know if it was … whereby a malicious attacker could have infiltrated the IT departments of Knight Capital or its outsourcers or software vendors and purposely created the disastrous situation that occurred on the morning of August 1, 2012. Well, it is highly unlikely that sabotage was the cause … this time. But the incident certainly provides valuable insight for anyone bent on harming the securities marketplace intentionally.

Notwithstanding the stir caused by my statement in my July 23, 2012 column, “It’s About Availability and Integrity (not so much Confidentiality),” that availability is more important than confidentiality, particularly in the case of the Ulster Bank debacle, and Ken Belva’s excellent analysis of the importance of context in his July 26, 2012 blog, “The CIA Triad: Theory and Practice,” I maintain that, when it comes to highly visible, dramatic events, those related to confidentiality, including privacy, trail far behind those incidents that result from loss of availability and integrity.

One Comment

  1. Bill Frank, Oct 29, 2012 at 11:32 am

    I am not quite sure what you are trying to say. Enterprises and IT organizations have always put Integrity and Availability ahead of Confidentiality. Various regulatory regimes like PCI were created to force organizations to pay more attention to Confidentiality.

    Second, from a risk management perspective, the severity of each risk must be analyzed from all three perspectives.
