Timeline of the History of Information Security

To begin, review this timeline on the history and development of information security. What was the role of the US Department of Defense (DoD) in the evolution of information security? Who or what were the influencers in the development of the confidentiality, availability, and integrity (CIA) triad?



Information Security or InfoSec doesn't exist in the 1950s or even in the 1960s. Security is all about physically securing access to expensive machines. Reliability of computers is the main concern. As hardware and software becomes standardized and cheaper, it's only in the 1970s that there's a shift from computer security towards information security.


In the early years of the ARPANET, the US Department of Defense commissions a study that's published by the Rand Corporation as Security Controls for Computer Systems. It identifies many potential threats and possible security measures. The task force was chaired by Willis H. Ware. In time, this report becomes influential and is known as the Ware Report.


James P. Anderson authors Computer Security Technology Planning Study for the USAF. This is published in two volumes. In time, this comes to be called the Anderson Report.


Multics was a timesharing operating system that started in 1965 as a MIT research project. In the summer of 1973, researchers at MIT look at the security aspects of Multics running on a Honeywell 6180 computer system. They come up with broad security design principles. They categorize these into three categories with due credit to J. Anderson: unauthorized release, unauthorized modification, unauthorized denial.


Prior to the 1980s, security was influenced by the defence sector. In the 1980s focus shifts from Confidentiality to commercial concerns such as costs and business risks. Among these is the idea of Integritysince it's important for banks and businesses that data is not modified by unauthorized entities.


Morris Worm becomes the first DoS attack on the Internet. Thus, Availability is recognized as an essential aspect of information security.


In the JSC – NASA Information Security Plan document we find the use of the term CIA Triad. However, the term could have been coined as early as 1986.


To complement InfoSec, Information Assurance (IA) emerges as a discipline. This is more about securing information systems rather than information alone. With the growth of networks and Internet, Non – Repudiation and Authentication become important concerns. Non – repudiation means that parties can't deny having sent or received a piece of information.


NIST publishes Underlying Technical Models for Information Technology Security. It identifies five security objectives: Availability, Integrity, Confidentiality, Accountability and Assurance. It points out that these are interdependent. For example, if confidentiality is compromised (eg. superuser password), then integrity is likely to be lost as well.


Donn B. Parker expands on the CIA Triad by adding three more items: authenticity, possession or control, and utility. Parker also states that it's best to understand these six principles in pairs: confidentiality and possession, integrity and authenticity, and availability and utility. In time, these six principles have come to be called Parkerian Hexad.