The CIA triad is a guide for measures in information security. Information security influences how information technology is used. Information technologies are already widely used in organizations and homes. This condition means that organizations and homes are subject to information security issues. Thus, it is necessary for such organizations and households to apply information security measures. These measures should protect valuable information, such as proprietary information of businesses and personal or financial information of individual users. Information security teams use the CIA triad to develop security measures. The CIA triad shows the fundamental goals that must be included in information security measures. The CIA triad serves as a tool or guide for securing information systems and networks and related technological assets.
This article discusses the CIA triad and its goals or components, i.e. confidentiality, integrity, and availability. Some case examples are given and the implications of the CIA triad are explored.
What is the CIA Triad?
The CIA triad is a model that shows the three main goals needed to achieve information security. While a wide variety of factors determine the security situation of information systems and networks, some factors stand out as the most significant. The assumption is that there are some factors that will always be important in information security. These factors are the goals of the CIA triad: confidentiality, integrity, and availability.
Confidentiality, integrity and availability are the concepts most basic to information security. These concepts in the CIA triad must always be part of the core objectives of information security efforts.
Confidentiality is the protection of information from unauthorized access. This goal of the CIA triad emphasizes the need for information protection. Confidentiality requires measures to ensure that only authorized people are allowed to access the information. For example, confidentiality is maintained for a computer file if authorized users are able to access it, while unauthorized persons are blocked from accessing it. Confidentiality in the CIA triad relates to information security because information security requires control over access to the protected information.
The CIA triad goal of integrity is the condition where information is kept accurate and consistent unless authorized changes are made. It is possible for information to change because of careless access and use, errors in the information system, or unauthorized access and use. In the CIA triad, integrity is maintained when the information remains unchanged during storage, transmission, and usage not involving modification to the information. Integrity relates to information security because accurate and consistent information is a result of proper protection. The CIA triad requires information security measures to monitor and control authorized access, use, and transmission of information.
The CIA triad goal of availability is the situation where information is available when and where it is rightly needed. The main concern in the CIA triad is that the information should be available when authorized users need to access it. Availability is maintained when all components of the information system are working properly. Problems in the information system could make it impossible to access information, thereby making the information unavailable. In the CIA triad, availability is linked to information security because effective security measures protect system components and ensure that information is available.
Examples of CIA Triad Applications
In the CIA triad, confidentiality, integrity and availability are basic goals of information security. However, there are instances when one goal is more important than the others. The following are examples of situations or cases where one goal of the CIA triad is highly important, while the other goals are less important.
Confidentiality. The CIA triad goal of confidentiality is more important than the other goals when the value of the information depends on limiting access to it. For example, information confidentiality is more important than integrity or availability in the case of proprietary information of a company. Also, confidentiality is the most important when the information is a record of people’s personal activities. To guarantee confidentiality under the CIA triad, communications channels must be properly monitored and controlled to prevent unauthorized access.
Integrity. The CIA triad goal of integrity is more important than the other goals in some cases of financial information. Any change in financial records leads to issues in the accuracy, consistency, and value of the information. For example, banks are more concerned about the integrity of financial records, with confidentiality having only second priority. Some bank account holders or depositors leave ATM receipts unchecked and lying around after withdrawing cash. This shows that confidentiality does not have the highest priority. Instead, the goal of integrity is the most important in information security in the banking system. To guarantee integrity under the CIA triad, information must be protected from unauthorized modification.
Availability. The CIA triad goal of availability is more important than the other goals when government-generated online press releases are involved. Press releases are generally for public consumption. For them to be effective, the information they contain should be available to the public. Thus, confidentiality is not of concern. Integrity has only second priority. In the CIA triad, to guarantee availability of information in press releases, governments ensure that their websites and systems have minimal or insignificant downtime. Backups are also used to ensure availability of public information.
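For the integrity case above (financial records that must not change without authorization), the following added example, which is not from the original article, shows one way to make unauthorized modification detectable: each ledger entry carries an HMAC-SHA256 tag that also covers the previous entry's tag. The key, account names, and function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real system would load it from a key store.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32  # chain anchor used before the first record


def _tag(key, prev_tag, record):
    # Canonical JSON so the same record always serializes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    # prev_tag is always 32 bytes, so the concatenation is unambiguous.
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


def seal_ledger(key, records):
    """Return [(record, tag), ...] where each tag also covers the previous tag."""
    sealed, prev = [], GENESIS
    for record in records:
        prev = _tag(key, prev, record)
        sealed.append((record, prev))
    return sealed


def first_tampered(key, sealed):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, (record, tag) in enumerate(sealed):
        expected = _tag(key, prev, record)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return i
        prev = tag
    return None


# Constructed sample ledger (not real data).
SAMPLE = [
    {"account": "ACC-001", "op": "deposit", "amount_cents": 50000},
    {"account": "ACC-001", "op": "withdraw", "amount_cents": 12000},
    {"account": "ACC-002", "op": "deposit", "amount_cents": 7500},
]

if __name__ == "__main__":
    ledger = seal_ledger(DEMO_KEY, SAMPLE)
    print("untouched:", first_tampered(DEMO_KEY, ledger))
    ledger[1] = ({**ledger[1][0], "amount_cents": 1200}, ledger[1][1])
    print("after edit of entry 1:", first_tampered(DEMO_KEY, ledger))
```

Chaining the tags means that editing, reordering, or removing an entry from the start or middle of the ledger is detected; removal of trailing entries is not, unless the entry count or latest tag is also stored somewhere the writer of the ledger cannot change.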
Implications of the CIA Triad
The CIA triad has the goals of confidentiality, integrity and availability, which are basic factors in information security. Information security protects valuable information from unauthorized access, modification and distribution. The CIA triad guides information security efforts to ensure success. There are instances when one of the goals of the CIA triad is more important than the others. It is up to the IT team, the information security personnel, or the individual user to decide which goal should be prioritized based on actual needs. Thus, the CIA triad requires that organizations and individual users always exercise caution in maintaining confidentiality, integrity and availability of information.