Assessing IT Solutions Against Security Principles
Established security principles — the CIA triad, the Parkerian hexad, Kerckhoffs’s principles, and the Zero Trust directive — are rarely used to evaluate real IT solutions. Together with Péter Balsai, we have begun to apply them as analytical tools.
Introduction
In 2024–2025, joint work with Péter Balsai gave rise to two working premises:
- The extent to which IT solutions adhere to established, well-known information security principles should be subject to systematic examination.
- Disciplines outside information technology — including military thought (strategy and tactics) and other non-IT domains — should be examined for principles that may be transferable to, and applicable within, IT systems.
Current work
Following from these premises, we have begun to apply the following as analytical instruments within a preliminary framework that remains under active development:
- Kerckhoffs’s principles (design rules), one of which, in a reformulated form, corresponds to Shannon’s maxim;
- the CIA triad;
- the Parkerian hexad.
Tables for consideration and discussion
We intend to give a presentation at the NWS2026 conference on the password and on the prevailing assumption that it is obsolete and therefore dispensable. In support of that discussion, a selection of preliminary, as yet unverified, results is presented below in tabular form. The tables are provided without commentary, solely to offer a basis for further consideration.
The CIA triad, the Parkerian hexad, Kerckhoffs’s principles, and the Zero Trust directive are not new; yet taking them into account and observing them is not common practice, and their use for the systematic examination of systems is seen only rarely.
In each table below, the columns are authentication methods (the password, a possession factor, biometrics, and OPAQUE), and the rows are security properties. Each cell states whether the method violates the property, may violate it, or does not (no).
The CIA triad and the Parkerian hexad
| Property | Password | Possession | Biometrics | OPAQUE |
|---|---|---|---|---|
| Confidentiality | violates | may violate | violates | no |
| Integrity | no | violates | violates | no |
| Availability | may violate | violates | violates | may violate |
| Authenticity | may violate | may violate | no | no |
| Possession and control | violates | violates | violates | no |
| Utility | no | no | no | no |
Kerckhoffs’s principles / methods
| Principle | Password | Possession | Biometrics | OPAQUE |
|---|---|---|---|---|
| Indecipherability | may violate | may violate | may violate | no |
| Public specification | no | violates | violates | no |
| Memorability / replaceability | no | violates | violates | no |
| Telegraph (network) | no | no | no | no |
| Portability | no | may violate | violates | no |
| Simplicity | violates | violates | violates | no |
The Zero Trust directive
| Data state | Password | Possession | Biometrics | OPAQUE |
|---|---|---|---|---|
| In transit | may violate | may violate | may violate | no |
| In use (processing) | no | violates | violates | no |
| At rest (storage) | no | violates | violates | may violate |
This page will be updated to reflect any changes arising from discussion or from our continued work.