cyber revision

The CIA triad and beyond

Confidentiality, integrity and availability: what they mean, how they trade off, and the extra properties exam answers often need.


The three pillars

Almost every security decision can be framed as protecting one or more of three properties. Get comfortable naming which property an attack or control relates to, because that framing is asked for constantly, both in exams and in real risk assessments.

Confidentiality means information is only readable by people and systems authorised to read it. Lost when data is disclosed: a database dump posted online, an unencrypted laptop stolen, a misdirected email. Protected by encryption, access control, and data classification.

Integrity means information is accurate, complete, and only modified by authorised parties. Lost when data is tampered with: an attacker changing a payee account number, malware modifying a system binary, a corrupted backup. Protected by hashing, digital signatures, version control, and input validation.

Availability means information and services are accessible when needed. Lost when systems go down: a DDoS attack, ransomware encrypting file servers, or simply a power cut with no failover. Protected by redundancy, backups, rate limiting, and disaster recovery planning.

A useful habit: when you read about any incident, ask which of the three was hit. Ransomware is mainly an availability attack (and increasingly a confidentiality one, since modern crews steal data before encrypting). A defaced website is an integrity attack. A breach is a confidentiality attack.

The properties trade off

You cannot maximise all three at once, and exam questions like to probe this tension.

  • Requiring three forms of MFA and a manager's approval to open a file protects confidentiality but wrecks availability for legitimate users.
  • Keeping six replicated copies of a database improves availability but multiplies the places confidentiality can fail.
  • Air-gapping a system is excellent for confidentiality and integrity, terrible for availability and usability.

Security is risk management, not maximisation. The right balance depends on what the system is for. A hospital records system weighs availability far more heavily than an archive of declassified documents.

Beyond CIA

Three properties are not always enough. Know these extensions:

Authenticity means you can verify that data or a message genuinely came from who it claims to. Closely tied to integrity but distinct: a message can be unmodified yet still forged.

Non-repudiation means the sender cannot later deny having sent something. Digital signatures provide this; a shared symmetric key cannot (either party could have produced the MAC, so neither can prove who did).
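To make the MAC-versus-signature distinction concrete, here is an added example (not part of the original notes) in Go using only the standard library: the party that verifies an HMAC holds the shared key and can therefore mint a tag the sender never produced, while the party that verifies an Ed25519 signature holds only the public key and cannot. The shared key and the two payment messages are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample messages for the demonstration.
const genuine, forged = "pay 500 GBP to acct 12345678", "pay 5000 GBP to acct 12345678"

// macTag computes HMAC-SHA256; making and checking a tag need the same key.
func macTag(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// MACVerifierCanForge: the receiver must hold the shared key to verify, so it can
// mint a tag for a message the sender never sent, and it passes the same check.
func MACVerifierCanForge(sharedKey []byte) bool {
	receiverTag := macTag(sharedKey, forged)
	return hmac.Equal(receiverTag, macTag(sharedKey, forged))
}

// GenuineSignatureVerifies: the sender signs with the private key; holders of the
// public key can check it (and detect tampering) without being able to produce it.
func GenuineSignatureVerifies(priv ed25519.PrivateKey, pub ed25519.PublicKey) bool {
	sig := ed25519.Sign(priv, []byte(genuine))
	tampered := ed25519.Verify(pub, []byte(forged), sig) // false: integrity check
	return ed25519.Verify(pub, []byte(genuine), sig) && !tampered
}

// SignatureVerifierCannotForge: the receiver has only the sender's public key, so
// signing with any other private key fails under it; the sender cannot disown a signature.
func SignatureVerifierCannotForge(senderPub ed25519.PublicKey) bool {
	_, receiverPriv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(receiverPriv, []byte(forged))
	return !ed25519.Verify(senderPub, []byte(forged), sig)
}

func main() {
	shared := []byte("constructed-shared-key")
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("MAC verifier can forge:      ", MACVerifierCanForge(shared))
	fmt.Println("genuine signature verifies:  ", GenuineSignatureVerifies(priv, pub))
	fmt.Println("signature verifier can forge:", !SignatureVerifierCannotForge(pub))
}
```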

AAA is the access-control trio you'll meet again in identity:

Step            Question it answers          Example
Authentication  Who are you?                 Password + TOTP code
Authorisation   What are you allowed to do?  Role grants read access to /finance
Accounting      What did you do?             Audit log of every file opened

A fourth step, identification (claiming an identity, e.g. typing a username), is sometimes listed before authentication: the claim, then the proof.

Vulnerabilities, threats and risk

These three words are not interchangeable, and using them precisely is an easy way to sound like you know what you're talking about.

  • A vulnerability is a weakness: an unpatched server, a guessable password, a door propped open.
  • A threat is anything that could exploit a weakness: a ransomware crew, a careless employee, a flood.
  • Risk is the combination of the two: the likelihood that a threat exploits a vulnerability, multiplied by the impact if it does.

Exam habit: "risk = likelihood × impact" is the standard formulation. No vulnerability, no risk (nothing to exploit). No threat, no risk (nobody to exploit it). A server vulnerable to an attack that no actor on Earth cares about carries little risk; the same flaw on an internet-facing payment system is critical.

An exploit is the concrete mechanism (code or a technique) that takes advantage of a vulnerability. A zero-day is a vulnerability unknown to the vendor, so no patch exists; defenders are "zero days" into knowing about it.

Quick recall

  • CIA = confidentiality (no unauthorised reading), integrity (no unauthorised changing), availability (usable when needed).
  • Every control strengthens at least one property and often costs another.
  • Authenticity and non-repudiation extend CIA; digital signatures give you both.
  • AAA = authentication, authorisation, accounting; in that order.
  • Vulnerability (weakness) + threat (actor/event) → risk (likelihood × impact).