CIA triad

CIA-triad-information-securityI am going to talk, actually write, about the CIA triad. I am not going to discuss about some Chinese underground society in a joint venture with a three letter agency (secret service). CIA triad refers to an information security model made up of three principles: confidentiality, integrity, and availability.


Information needs to be secret to a non-intended and non-authorised party. It is perhaps the most common view towards information security. We usually refer to this aspect when we talk about security. You have to agree that having  confidential health records is absolutely taken for granted. Or your credit card details. Both have to be private to avoid unpleasant situations. Below, I managed to find (and it was really easy) some real examples.

Confidentiality breach – reported examples:

It looks like EA Sports suffered a confidentiality issue, details here.

Apple had the same problem, but in this case the intruder got away with an email list.


From this point of view, we refer to completeness and the fact the information has not been altered by a non-authorised party. This aspect is crucial for example for an online retailer. It is not desirable that the clients should be in a position to change the price. The same applies to a written (on paper) contract. You wouldn’t want your already signed job contract to be altered by reducing your pay, would you?

Integrity breach – reported examples:

In this case a PowerPoint presentation was altered; if your medical records were targeted then the consequences would be really life threating!


Availability is often neglected.  Just because is the last letter in the CIA triad it doesn’t mean it is the least important. There is no use of the data if it is not accessible. Just think about, what use is there if your data it’s secret and unaltered by a non-authorised party if you can’t access it?  A common mistake is to have a backup procedure in place (fully working), but with a slower than acceptable recovery timeframe. In that case, even if you can recover the data you still have unacceptable downtime, so lack of availability. Redundant systems are often deployed to ensure a higher availability. This is extremely important for websites like Amazon. Each minute they are offline they lose potential business leads. The effect can be more complex than that, as they will probably suffer other negative effects as well (e.g. loss of reputation).

Availability breach – reported examples:

A classic example can be found here.

DDoS attack is really very common, it shouldn’t make the news anymore, not a new thing at all. Another example is here.

The CIA triad should not be neglected as it is the basis for any robust information security management system such of an ISO 27001 approach.

Stay safe!

About the author

Florin Florin Bejgu is a part-time blogger, full-time passionate about information security [more...].

Leave a Reply

Your email address will not be published. Required fields are marked *