Kevin Henry: Why do We Use the CIA-Information Security Triad?

Many people struggle to define the word "security". It is an abstract term that has different meanings and significance to each individual. It is often defined as "safety" (and in some languages, it is the same word), or as assurance, protection, or physical control.

As information security professionals we also struggle to describe what security is, what it does, and why it is important. Even for us that work in the field, security can be an abstract term that is hard to define in a meaningful way.

Even more so for the managers and the users, we are there to support them. They often perceive information security as a futile and expensive endeavour that gets in the way - when they are just trying to do their jobs.
For this reason, it is good that we have a way to define information security in a way that even non-security people can understand. The Confidentiality, Integrity and Availability model reflects a method of describing information security that is much more than just privacy.

It is important that we understand the value of the CIA triad and how it can help us to communicate the value and benefits of security to everyone in our organisation. Confidentiality is based on confidence and the ability to generate trust amongst our customers, employees and shareholders. You can trust us with your information. It is safe with us. We are aware of the risk of improper disclosure and the need to protect privacy and secrecy.

Integrity is important in more than one way. The most common understanding is to protect the accuracy or precision of data – is the data right, correct, precise? But we also know the importance of protecting the processes that affect our data. To ensure that the ‘right amount is credited to the right account!’

The term "sensitivity" is often used in relation to confidentiality and integrity – would a person or an organisation be harmed if the data or process was disclosed or modified incorrectly? If so, what would the level of impact be? Low, Moderate or High?

Too little attention is often given to the concept of availability – is that really the job of information security? I believe that it is – we must work with the managers of networks, applications, databases, and other supporting systems to ensure that the business has the data and processes it needs to operate. We need to seek out single points of failure. Including the problem today of many systems that are supported by one individual – and no one else knows how to maintain or operate those systems. We need to work with project teams to ensure that the risk of unavailability is identified early in the process of designing a new system or process so that redundancy and resilience can be built into systems. Availability is often associated with criticality.

So from this, we see that the CIA triad is not just a saying or ancient ideology – it is a way for us to communicate the needs of information security to the managers and users we interact with – and create a greater understanding of how we can all work towards the protection of information and business processes.