The CIA Triad
Confidentiality, integrity and availability in practical cybersecurity
Cybersecurity Foundations Training Series
Learning objectives
Explain confidentiality, integrity and availability in clear business terms.
Recognise common events that affect each security objective.
Select suitable controls for data at rest, in transit and in use.
Classify realistic scenarios according to the affected CIA objective.
| Security events often affect more than one part of the CIA Triad. Classify the immediate impact first, then assess secondary risks and business consequences. |
|---|
Why the CIA Triad matters
The CIA Triad is a simple model for assessing what information security must protect. It applies to systems, applications, networks, cloud services, operational technology and business processes. Most security incidents affect one or more of its three objectives: confidentiality, integrity and availability.
The model also helps teams make balanced decisions. A control that improves confidentiality might reduce availability if it blocks legitimate users. A resilience measure might improve availability while introducing additional systems that need secure configuration. Effective security considers all three objectives and the business impact of losing each one.
Confidentiality
Confidentiality means preventing unauthorised access to, or disclosure of, information. It protects personal data, commercial information, credentials, intellectual property and any other information whose exposure would cause harm.
Confidentiality must cover the full data lifecycle. Data at rest includes files, databases and backups. Data in transit includes email, web sessions, APIs and network traffic. Data in use includes information being processed in memory, displayed to users or handled by applications.
Encryption is an important confidentiality control, but it is one part of a wider control set. Organisations also need identity verification, access control, data classification, secure key management, physical protection, monitoring and staff awareness.
Figure 1. Security controls must protect data while stored, transmitted and processed.
Common confidentiality failures
An attacker captures unencrypted network traffic through packet sniffing.
A user sends a confidential email to the wrong external recipient.
A cloud storage location is configured for public access.
An employee receives access to data that is unrelated to their role.
Encryption keys are exposed, weakly protected or available to unauthorised users.
Integrity
Integrity means maintaining the accuracy, completeness, authenticity and trustworthiness of information and systems. Information has lost integrity when it is altered without approval, corrupted, deleted improperly or replaced with false data.
A man-in-the-middle attack is one example. An attacker intercepts a message, changes its contents and forwards the altered version. Database tampering, unauthorised configuration changes, modification by malware and accidental data-entry errors also affect integrity.
Hash functions help detect change by producing a fixed-length digest from input data. A trusted digest can be compared with a newly calculated digest. Matching values support the conclusion that the data has not changed. Where an attacker might replace both the data and the digest, stronger protection such as a keyed message authentication code or a digital signature is required.
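The following is an added example, not code from the lesson. It uses a constructed record and a constructed key to show why a plain digest catches a change to the data alone but not an attacker who rewrites both the data and the stored digest, while a keyed HMAC still detects the second case.

```python
# Added example: plain SHA-256 digest versus HMAC-SHA256 for integrity checks.
# The record, the tampered record and the key are all constructed for the demo.
import hashlib
import hmac
import secrets

# Constructed sample record, e.g. a payment instruction stored at rest.
ORIGINAL = b"account=12345;amount=100.00;currency=GBP"
TAMPERED = b"account=99999;amount=100.00;currency=GBP"

# Constructed key. In practice this comes from a key management system and
# is never stored next to the data it protects.
KEY = secrets.token_bytes(32)


def sha256_digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest (FIPS 180-4), hex-encoded."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, trusted_digest: str) -> bool:
    """Recompute the digest and compare it with the stored value."""
    return hmac.compare_digest(sha256_digest(data), trusted_digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: only a holder of the key can produce a valid value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def scenario_plain_hash() -> dict:
    """Unkeyed digest: detects data-only change, not data-plus-digest change."""
    stored_digest = sha256_digest(ORIGINAL)
    detects_data_only = not verify_digest(TAMPERED, stored_digest)
    # Attacker with write access rewrites the record AND recomputes the digest.
    replaced_digest = sha256_digest(TAMPERED)
    detects_data_and_digest = not verify_digest(TAMPERED, replaced_digest)
    return {"data_only": detects_data_only, "data_and_digest": detects_data_and_digest}


def scenario_hmac(key: bytes) -> dict:
    """Keyed tag: the attacker cannot recompute a valid tag without the key."""
    stored_tag = hmac_tag(key, ORIGINAL)
    detects_data_only = not verify_hmac(key, TAMPERED, stored_tag)
    # Without the real key the attacker can only tag with a guessed key.
    forged_tag = hmac_tag(b"attacker-guessed-key", TAMPERED)
    detects_data_and_tag = not verify_hmac(key, TAMPERED, forged_tag)
    return {"data_only": detects_data_only, "data_and_tag": detects_data_and_tag}
```

The same reasoning applies to a digital signature, which additionally lets a verifier check the tag without holding the signing key.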
Availability
Availability means ensuring authorised users receive reliable and timely access to systems, services and information. A service does not need to stop completely for availability to be affected. Severe delay, repeated failure or inadequate capacity may prevent the business from completing its work.
Threats include denial-of-service attacks, damaged communication links, hardware failure, ransomware, power loss, poor capacity planning, expired certificates, failed software changes and accidental deletion.
Redundancy supports availability, but resilience requires more than duplicate equipment. Organisations also need tested backups, disaster recovery, capacity management, monitoring, incident response, maintenance, supplier planning and protection against distributed denial-of-service attacks.
Applying the model to real situations
Scenario 1: A cloud engineer finds their account locked after repeated failed sign-in attempts. The immediate effect is loss of availability because the engineer cannot reach required data. The event also warrants investigation because the failed attempts might signal an attempted confidentiality breach.
Scenario 2: An employee accidentally includes an external recipient in an email containing proprietary information. Confidentiality is affected because an unauthorised person received the information, even when there is no evidence of misuse.
Scenario 3: An attacker gains write access to a database and inserts false records but cannot read existing records. Integrity is affected because the organisation can no longer trust the data. Confidentiality might remain intact, and availability might remain unaffected, depending on the wider incident.
Practical control mapping
| Objective | Primary question | Example threats | Typical controls |
|---|---|---|---|
| Confidentiality | Who is allowed to see or receive this information? | Data leakage, eavesdropping, excessive access, exposed storage | Encryption, access control, classification, DLP, secure key management |
| Integrity | Has the information or system changed without authority? | Tampering, malicious records, corruption, unauthorised changes | Hashes, HMACs, digital signatures, validation, change control, audit logs |
| Availability | Is the service accessible and responsive when required? | DDoS, failure, ransomware, power loss, capacity shortage | Redundancy, backups, load balancing, DR, monitoring, capacity planning |
Standards and framework alignment
This lesson uses the following frameworks as complementary references. NIST provides risk and control guidance, ISO/IEC 27001 defines requirements for an information security management system, ISO 22301 addresses business continuity, and SOC 2 evaluates service-organisation controls against the AICPA Trust Services Criteria.
| Reference framework | How it supports this lesson |
|---|---|
| NIST CSF 2.0 | The Protect, Detect, Respond and Recover outcomes help organisations balance confidentiality, integrity and availability across prevention, monitoring and recovery. |
| ISO/IEC 27001:2022 | The ISMS uses risk assessment and selected controls to preserve confidentiality, integrity and availability in line with business and stakeholder requirements. |
| ISO 22301:2019 | The BCMS focuses on maintaining priority activities and recovering products and services within agreed timeframes, directly supporting availability and resilience. |
| SOC 2 Trust Services Criteria | Security is the common category. Availability, Confidentiality and Processing Integrity map closely to the CIA objectives and service commitments. |
References and further reading
1. NIST Cybersecurity Framework (CSF) 2.0, NIST CSWP 29, 2024. https://doi.org/10.6028/NIST.CSWP.29
2. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements. https://www.iso.org/standard/27001
3. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements. https://www.iso.org/standard/75106.html
4. AICPA, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy, Revised Points of Focus 2022. https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022
5. NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
6. NIST FIPS 180-4, Secure Hash Standard. https://csrc.nist.gov/pubs/fips/180-4/upd1/final