What is the CIA Triad? No, it is not the spy agency….

These three letters stand for confidentiality, integrity, and availability, otherwise known as the CIA triad. Together, these three principles form the cornerstone of any organization's cybersecurity program; in fact, they should function as the goals and objectives against which every security control is measured.

Confidentiality refers to an organization's efforts to keep its data private or secret. In practice, it's about controlling access to data to prevent unauthorized disclosure. Typically, this involves ensuring that only those who are authorized have access to specific assets and that those who are unauthorized are actively prevented from obtaining access.

Integrity means that information is not altered without authorization, whether it is travelling from source to destination or stored at rest, and therefore can be trusted: it is correct, authentic, and reliable. Because an attacker who can change data can usually also hide the change, integrity controls must be able to detect modification, not merely discourage it, which is why checksums, cryptographic hashes, and digital signatures are the usual tools.

Availability means that networks, systems, and applications are up and running. It ensures that authorized users have timely, reliable access to resources when they are needed. Systems, applications, and data are of little value to an organization and its customers if they are not accessible when authorized users need them.

In addition to the traditional confidentiality, integrity, availability (CIA) model, a newer framework has been proposed that adds three further essential aspects: utility, authenticity, and possession (Bosworth, Kabay, & Whyne, 2014). The six together are commonly referred to as the Parkerian hexad, after Donn Parker, who authored the chapter cited here.

Lack of utility is when valuable information is stored in a manner that later renders it useless to the user. For example, a folder or file on a hard drive is encrypted, but the decryption key is lost or erased, so the data can no longer be read (Bosworth, Kabay, & Whyne, 2014). The information remains perfectly confidential, yet its owner cannot use it. I have experienced this at work: employees' external drives were encrypted, and during the migration from Windows XP to Windows 7 the keys were lost. All data on the external drives was unreadable. Hackers often try to render data useless as a form of vandalism (Erickson, 2008); ransomware is the deliberate version of the same failure, where the attacker encrypts the data and withholds the key. The practical defence is the same in both cases: escrow or back up encryption keys separately from the data, and verify that the backup can actually be decrypted before retiring the system that held the original key.

Lack of authenticity is when data is not what it appears to be. For example, a file is renamed to make it look like it came from a different author, or is republished under a reputable name to give it credibility, when the file is actually a counterfeit (Bosworth, Kabay, & Whyne, 2014). Software carrying the Symantec logo as "proof" that it is safe, when in fact Symantec never checked it, is an example of lack of authenticity. The lesson is that a name, logo, or filename proves nothing, because an impostor can copy all of them; authenticity has to rest on something the impostor cannot reproduce, such as a digital signature or keyed message authentication code verified against a key that only the genuine publisher holds.
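The following Python script is an added example, not code from the original post, and serves both the integrity paragraph above and this one on authenticity. It shows why an unkeyed hash is enough to catch accidental corruption but not a counterfeit: an attacker who rewrites a file can simply recompute its SHA-256 digest, whereas an HMAC tag made with a publisher-held key cannot be forged. The sample configuration file, the `PUBLISHER_KEY` value, and the function names are all constructed for illustration; in a real deployment the key would come from a key store, not a literal in the source.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the original page): a small
# configuration file an organization stores at rest and ships to a peer.
ORIGINAL = b"allow_admin_login=false\nmax_sessions=5\n"

# Assumed secret shared only with authorized publishers. Hypothetical
# value for illustration; never hard-code a real key like this.
PUBLISHER_KEY = b"demo-key-for-illustration-only"


def digest(data: bytes) -> str:
    """Integrity: an unkeyed SHA-256 fingerprint of the data."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, expected_digest: str) -> bool:
    """Recompute the fingerprint and compare it with the one recorded earlier.

    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading characters matched.
    """
    return hmac.compare_digest(digest(data), expected_digest)


def sign(data: bytes, key: bytes) -> str:
    """Authenticity: a keyed HMAC-SHA256 tag only a holder of `key` can produce."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def is_authentic(data: bytes, tag: str, key: bytes) -> bool:
    """Verify that `tag` was produced over `data` by someone holding `key`."""
    return hmac.compare_digest(sign(data, key), tag)


def demo() -> dict:
    """Run the three scenarios and report which checks caught what."""
    results = {}
    stored_digest = digest(ORIGINAL)            # recorded when the file was saved
    stored_tag = sign(ORIGINAL, PUBLISHER_KEY)  # issued by the genuine publisher

    # 1. Corruption: a bit flip on disk or in transit changes the content,
    #    and the recorded hash no longer matches.
    corrupted = ORIGINAL.replace(b"false", b"true")
    results["corruption_detected"] = not integrity_intact(corrupted, stored_digest)

    # 2. Counterfeit: the attacker rewrites the file AND recomputes the hash,
    #    so an unkeyed integrity check is fooled...
    counterfeit = b"allow_admin_login=true\nmax_sessions=5\n"
    forged_digest = digest(counterfeit)
    results["hash_fooled"] = integrity_intact(counterfeit, forged_digest)

    #    ...but without the publisher's key the attacker cannot produce a
    #    tag that verifies, so the authenticity check rejects the file.
    attacker_key = secrets.token_bytes(32)
    forged_tag = sign(counterfeit, attacker_key)
    results["counterfeit_rejected"] = not is_authentic(
        counterfeit, forged_tag, PUBLISHER_KEY
    )

    # 3. The genuine file still passes both checks.
    results["genuine_ok"] = integrity_intact(ORIGINAL, stored_digest) and is_authentic(
        ORIGINAL, stored_tag, PUBLISHER_KEY
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is the separation of the two checks: the plain digest answers "has this changed since it was recorded?", while the HMAC answers "did the party holding the key vouch for exactly this content?". A shared key makes the second question answerable only between parties who both hold it; when the verifier should not be able to forge tags itself (software distribution, for example), a digital signature with a private key replaces the HMAC, but the logic is the same.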

Lack of possession is when the master copies of data are taken from their owner. For example, a military command post is overrun and the enemy seizes every hard drive in the network storage. Unless backup copies were kept in a separate location, this results in the total loss of the data (Bosworth, Kabay, & Whyne, 2014). Note that possession is lost even if the drives were encrypted and confidentiality holds; the owner still cannot use the data. Hackers may also try to take possession of data for personal or financial gain (Erickson, 2008).

Security policies built only on the CIA triad do not address every form of information loss; adding these three aspects to the framework allows for better protection against data loss as threats continue to evolve. To get the most from such a framework, organizations must create a standardized list of procedures and automate them where possible. Symantec (2010) reports that companies with standardized policies and procedures lost only 6.4% of revenue to data breaches, versus 9.6% for companies with none.

Bosworth, S., Kabay, M., & Whyne, E. (2014). Computer Security Handbook (6th ed., Vol. 2, pp. 3.1-3.8). Hoboken, NJ: John Wiley & Sons.

Erickson, J. (2008). Hacking: The Art of Exploitation (2nd ed., p. 2). San Francisco, CA: No Starch Press.

Symantec. (2010). Protect the data: Best practices for security policies. Retrieved from https://learn.umuc.edu/d2l/le/content/111763/viewContent/3861729/View
