Security Foundations • 01 / 09

The CIA Triad

Three properties that define what it means for a system to be secure — and the balance every practitioner must strike between them.

C

Confidentiality

Only intended persons or recipients can access the data. Unauthorized disclosure is a failure of confidentiality.

Prevent Unauthorized Access
I

Integrity

Data cannot be altered without detection. If alteration occurs, we can identify it occurred and what changed.

Prevent Unauthorized Modification
A

Availability

Systems and services are accessible when needed by authorized users. Disruption of access is a failure.

Prevent Disruption of Access

The Tension: Pushing confidentiality and integrity to extremes restricts availability. Maximizing availability can erode confidentiality and integrity. Security design requires finding the right balance for the context — and the emphasis does not need to be equal. A public university announcement needs strong integrity but minimal confidentiality.

Real-World Applications

🛒 Online Shopping
C Credit card number disclosed only to the payment processor. A breach exposes this data to untrusted parties.
I If an attacker alters your shipping address, your order goes to the wrong recipient.
A If checkout is unavailable during your purchase, the transaction fails and you shop elsewhere.
🏥 Patient Records
C Healthcare providers are legally required to protect medical records. Illegal disclosure triggers legal liability.
I Altered records can lead to wrong treatment being administered — a life-threatening integrity failure.
A A paperless clinic with an unavailable EHR system cannot effectively deliver or document patient care.
cybergrind.org  •  Orange Book  •  Security Foundations Series