
Penguin Fortress YouTube Channel

CISSP Domain 1 - CIA Triad

The CIA triad is a high level security framework based around the concept of Confidentiality, Integrity and Availability.

Understanding these can help with developing your security policy and processes to protect your data and computer systems.

The 3 Things that Matter in Cyber Security

This video provides a short introduction to the CIA Triad, the three things that matter most in cyber security.

A deeper dive into the CISSP Cybersecurity CIA Triad

This video provides a more in-depth look at the CIA triad, with real-world examples of where security has been compromised.

Transcript: CISSP Domain 1 - CIA Triad - Video Transcript

More details about the CIA triad

1. Confidentiality: Keeping Data Secret

Confidentiality ensures that sensitive information is accessible only to those with appropriate permissions. It involves restricting access to data objects and resources while maintaining authorized access.

Breaches: These aren't always malicious; they can result from human error, lack of oversight, or incompetence.

Real-World Examples: The T-Mobile data breaches and the 2014 Sony attack, where terabytes of unreleased films and personal data were stolen.

Key Aspects:

Sensitivity & Discretion: Managing information that could cause harm if disclosed.

Concealment: Actively hiding information so unauthorized parties aren't even aware of its existence.

Seclusion & Isolation: Storing critical data (like credit card info) in separate, strictly controlled systems.

2. Integrity: Ensuring Reliability and Correctness

Integrity is about the trustworthiness of your data. It prevents unauthorized alterations—whether they are malicious (like a student changing their grades) or accidental (system errors).

Real-World Example: The Stuxnet worm. This cyber weapon targeted the integrity of code in programmable logic controllers (PLCs), causing physical damage to centrifuges in Iran’s nuclear program.

Key Aspects:

Accuracy & Truthfulness: Data must be a true reflection of reality.

Accountability: Operators must be responsible for their actions and the results of those actions.

Completeness: Ensuring no part of the data (like personal details) is missing.
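As an added example (not from the original page or the video), the following Python shows one way integrity is enforced in practice: a grading service seals each record with an HMAC-SHA256 tag under a key only it holds, so both the malicious change above (a student altering a grade) and an accidental one (a field dropped by a system error, the completeness aspect) are detected on verification. The record, service name and key are constructed for the example; note that a tag detects alteration rather than preventing it, and that keeping the key away from the subjects is what links the tag to accountability.

```python
import hashlib
import hmac
import json

# Constructed sample: a grade record as a registrar system might store it.
RECORD = {"student_id": "S-1042", "course": "CS101", "grade": "C"}

# Assumed: a secret held only by the authorised grading service, never by
# the students whose records it protects (placeholder value for the example).
SERVICE_KEY = b"example-key-do-not-use-in-production"


def seal(record: dict, key: bytes = SERVICE_KEY) -> str:
    """Return an HMAC-SHA256 tag over a canonical encoding of the record.

    Canonical JSON (sorted keys, fixed separators) makes the same data always
    produce the same tag, regardless of the order the dict was built in.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = SERVICE_KEY) -> bool:
    """True only if the record still matches its tag (constant-time compare)."""
    return hmac.compare_digest(seal(record, key), tag)


def integrity_demo() -> dict:
    """Seal the sample record, then check it against two kinds of alteration."""
    tag = seal(RECORD)
    # Malicious alteration: the student changes their grade after sealing.
    tampered = dict(RECORD, grade="A")
    # Accidental alteration: a system error drops a field (completeness).
    truncated = {k: v for k, v in RECORD.items() if k != "course"}
    return {
        "unchanged": verify(RECORD, tag),          # True
        "grade_changed": verify(tampered, tag),    # False
        "field_missing": verify(truncated, tag),   # False
    }


if __name__ == "__main__":
    for case, ok in integrity_demo().items():
        print(f"{case}: {'intact' if ok else 'ALTERED'}")
```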

3. Availability: Uninterrupted Access

Security is only effective if authorized users can access the systems they need. This means maintaining sufficient processing power, bandwidth, and timeliness.

Threats: Denial of Service (DoS) attacks and ransomware.

Real-World Example: The WannaCry Ransomware attack of 2017, which paralyzed the UK National Health Service (NHS) by encrypting unpatched Windows 7 systems.

Key Aspects:

Usability & Accessibility: Systems must be easy for authorized subjects to interact with.

Timeliness: Providing on-demand access with low latency and reasonable response times.

Alternative Models: The DAD Triad

While the CIA Triad focuses on desired outcomes, the DAD Triad looks at the threats we want to avoid:

Disclosure (Opposite of Confidentiality)

Alteration (Opposite of Integrity)

Destruction (Opposite of Availability)

What’s Next? Security isn't just about the Triad. See the following guide for Security Threat Modelling / Analysis using STRIDE and the Microsoft Threat Analysis Tool.
