Information Security: The Importance of the CIA Triad

Information Security and the CIA Triad: Picking a lock

As many of us in IT have come to know, technology is vital to running a successful business. No need to take my word for it, however: researchers have been positing for decades that while technology can improve a business's outlook, ignoring its criticality can be devastating (Levine & Yalowitz, 1983). Likewise, research has shown that by choosing the information systems that best fit company innovation goals and departmental strategy, management can improve the organization as a whole (Papoutsakis, 2007). Central to a company's ability to successfully leverage technology and new information systems is its capacity for identifying, managing, and mitigating risk. Risk, which can be defined as anything that can negatively impact a business, organization, or project (Stoneburner, Goguen, & Feringa, 2002), is generally mitigated through a strategic use of information security plans, controls, and systems. A poorly implemented information security system can in and of itself become a source of risk, however, so organizations must ensure that their information security systems address the CIA triad: Confidentiality, Integrity, and Availability.

Defining the CIA Triad

Confidentiality, Integrity, and Availability comprise the core purpose of computer, data, and information security (Stallings & Brown, 2012). While these terms may seem familiar, it is nonetheless helpful to define them as they pertain to information security:

1) Confidentiality: Data is accessed only by authorized parties

2) Integrity: Data is modified only by authorized parties, and only in authorized ways

3) Availability: Authorized parties can access the data when they need it

Example: Automated Teller Machine

Together, the above concepts ensure that an information system will perform its task in an acceptable and appropriate manner. Consider the role of an Automated Teller Machine (ATM), for example.

Confidentiality is addressed by the unique account number, the physical access card with its magnetic stripe or secure chip, and the secret PIN code assigned to each individual ATM user. Integrity is ensured by the secret PIN each user must enter before they can view or change data associated with their account, as well as by transaction records that can be reviewed for accuracy. Availability is shown by the convenience of ATMs accessible 24 hours a day, 7 days a week to authorized users who possess both the card associated with the account and the secure PIN code.

In terms of relative importance, it is difficult to authoritatively say which of the three components is most important in this example.  Arguments can be made for each, although in my opinion, integrity holds the most weight.  While it is certainly critical to keep bank data confidential, and of course we all need access to our funds, I think the most important aspect is to keep the integrity of the account data accurate.  For example, if someone were to change the account balance by making an unauthorized withdrawal or transfer, the impact would be greater than if they were to simply view the balance.
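To make the ATM example concrete, here is a small added model (my own illustration, not code from the post) of the confidentiality and integrity controls described above: card number plus PIN gate both reads and writes, and every withdrawal is appended to a hash-chained transaction log so the records can later be reviewed for tampering. The card number, PIN and balance are constructed sample values.

```python
import hashlib
import hmac
import secrets

GENESIS = "0" * 64  # prev-hash of the first record in an account's log

def hash_pin(pin, salt):
    # PINs are never stored in clear: keep a salted, slow hash instead.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def record_hash(body):
    # Deterministic digest over a record's fields (excluding the hash itself).
    return hashlib.sha256(repr(sorted(body.items())).encode()).hexdigest()

def make_account(card_number, pin, balance):
    salt = secrets.token_bytes(16)
    return {"card": card_number, "salt": salt, "pin_hash": hash_pin(pin, salt),
            "balance": balance, "log": []}  # log: hash-chained transaction records

def authenticate(accounts, card_number, pin):
    # Card (something you have) plus PIN (something you know), compared in
    # constant time so response timing does not reveal near-miss guesses.
    acct = accounts.get(card_number)
    if acct is None or not hmac.compare_digest(hash_pin(pin, acct["salt"]), acct["pin_hash"]):
        raise PermissionError("authentication failed")
    return acct

def balance(accounts, card_number, pin):
    return authenticate(accounts, card_number, pin)["balance"]   # read: confidentiality

def withdraw(accounts, card_number, pin, amount):
    acct = authenticate(accounts, card_number, pin)              # write: integrity
    if amount <= 0 or amount > acct["balance"]:
        raise ValueError("invalid amount")
    acct["balance"] -= amount
    prev = acct["log"][-1]["hash"] if acct["log"] else GENESIS
    body = {"op": "withdraw", "amount": amount, "balance": acct["balance"], "prev": prev}
    acct["log"].append({**body, "hash": record_hash(body)})
    return acct["balance"]

def verify_log(acct):
    # Recompute the chain; an edited, dropped or reordered record breaks it.
    prev = GENESIS
    for rec in acct["log"]:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or record_hash(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

SAMPLE_ACCOUNTS = {"4000-0001": make_account("4000-0001", "1234", 500)}  # constructed sample
```

A wrong PIN is refused before any balance is shown or changed, and editing a single logged amount makes verify_log() report the log as tampered, which is the kind of review the author's integrity argument relies on.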

Let me know in the comments how you are currently addressing the CIA Triad for your organization!

References and Sources

Levine, S. J., & Yalowitz, M. S. (1983). Managing technology: The key to successful business growth. Management Review, 72(9), 44.

Papoutsakis, H. (2007). Sharing knowledge in the organisation: A retrospective analysis and an empirical study. Electronic Journal of Knowledge Management, 5(2), 231-243.

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST Special Publication 800-30.