What is a CIA triad?

CIA (confidentiality, integrity, and availability) triad is a model designed to handle policies for information security within an organization.

  • Confidentiality - A collection of rules that limits access to information.
  • Integrity - It assures the information is trustworthy and reliable.
  • Availability - It provides reliable access to data for authorized people.

These three letters stand for confidentiality, integrity, and availability, otherwise known as the CIA triad. Together, these three principles form the cornerstone of any organization’s security infrastructure; in fact, they (should) function as goals and objectives for every security program.
Together, these three principles form the cornerstone of any organization’s security infrastructure; in fact, they (should) function as goals and objectives for every security program. The CIA triad is so foundational to information security that anytime data is leaked, a system is attacked, a user takes a phishing bait, an account is hijacked, a website is maliciously taken down, or any number of other security incidents occur, you can be certain that one or more of these principles has been violated.

Security professionals evaluate threats and vulnerabilities based on the potential impact they have on the confidentiality, integrity, and availability of an organization’s assets—namely, its data, applications, and critical systems. Based on that evaluation, the security team implements a set of security controls to reduce risk within their environment. In the next section, we’ll provide precise and detailed explanations of these principles in the context of InfoSec, and then look at real-world applications of these principles.


Confidentiality refers to an organization’s efforts to keep their data private or secret. In practice, it’s about controlling access to data to prevent unauthorized disclosure. Typically, this involves ensuring that only those who are authorized have access to specific assets and that those who are unauthorized are actively prevented from obtaining access. As an example, only authorized Payroll employees should have access to the employee payroll database. Furthermore, within a group of authorized users, there may be additional, more stringent limitations on precisely which information those authorized users are allowed to access. Another example: it’s reasonable for ecommerce customers to expect that the personal information they provide to an organization (such as credit card, contact, shipping, or other personal information) will be protected in a way that prevents unauthorized access or exposure.

Confidentiality can be violated in many ways, for example, through direct attacks designed to gain unauthorized access to systems, applications, and databases in order to steal or tamper with data. Network reconnaissance and other types of scans, electronic eavesdropping (via a man-in-the-middle attack), and escalation of system privileges by an attacker are just a few examples. But confidentiality can also be violated unintentionally through human error, carelessness, or inadequate security controls. Examples include failure (by users or IT security) to adequately protect passwords; sharing of user accounts; physical eavesdropping (also known as shoulder surfing); failure to encrypt data (in process, in transit, and when stored); poor, weak, or nonexistent authentication systems; and theft of physical equipment and storage devices.

Countermeasures to protect confidentiality include data classification and labeling; strong access controls and authentication mechanisms; encryption of data in process, in transit, and in storage; steganography; remote wipe capabilities; and adequate education and training for all individuals with access to data.


In everyday usage, integrity refers to the quality of something being whole or complete. In InfoSec, integrity is about ensuring that data has not been tampered with and, therefore, can be trusted. It is correct, authentic, and reliable. Ecommerce customers, for example, expect product and pricing information to be accurate, and that quantity, pricing, availability, and other information will not be altered after they place an order. Banking customers need to be able to trust that their banking information and account balances have not been tampered with. Ensuring integrity involves protecting data in use, in transit (such as when sending an email or uploading or downloading a file), and when it is stored, whether on a laptop, a portable storage device, in the data center, or in the cloud.

As is the case with confidentiality, integrity can be compromised directly via an attack vector (such as tampering with intrusion detection systems, modifying configuration files, or changing system logs to evade detection) or unintentionally, through human error, lack of care, coding errors, or inadequate policies, procedures, and protection mechanisms.

Countermeasures that protect data integrity include encryption, hashing, digital signatures, digital certificatesTrusted certificate authorities (CAs) issue digital certificates to organizations to verify their identity to website users, similar to the way a passport or driver’s license can be used to verify an individual’s identity. , intrusion detection systems, auditing, version control, and strong authentication mechanisms and access controls.

Note that integrity goes hand in hand with the concept of non-repudiation: the inability to deny something. By using digital signatures in email, for example, a sender cannot deny having sent a message, and the recipient cannot claim the message received was different from the one sent. Non-repudiation assists in ensuring integrity.


Systems, applications, and data are of little value to an organization and its customers if they are not accessible when authorized users need them. Quite simply, availability means that networks, systems, and applications are up and running. It ensures that authorized users have timely, reliable access to resources when they are needed.

Many things can jeopardize availability, including hardware or software failure, power failure, natural disasters, and human error. Perhaps the most well-known attack that threatens availability is the denial-of-service attack, in which the performance of a system, website, web-based application, or web-based service is intentionally and maliciously degraded, or the system becomes completely unreachable.

Countermeasures to help ensure availability include redundancy (in servers, networks, applications, and services), hardware fault tolerance (for servers and storage), regular software patching and system upgrades, backups, comprehensive disaster recovery plans, and denial-of-service protection solutions.

• CIA is the acronym for Confidentiality, Integrity, and Availability.
• The CIA is a paradigm for guiding policies in the field of information security.

The following is a brief description of the CIA model:

  1. Confidentiality –
    • Only authorized personnel should have access to and read the material.
    • The data should be strongly encrypted in case someone employs hacking to gain access to it, such that it is not readable or understood even if it is accessed.
  2. Integrity –
    • Ascertaining that the data has not been tampered with by an unauthorized party.
    • Data integrity ensures that unauthorized personnel do not corrupt or modify data.
    • If an authorized individual or system attempts to edit data and is unsuccessful, the data should be reverted and not corrupted.
  3. Availability –
    • The user should have access to the data anytime they need it.
    • Hardware maintenance, regular upgrades, data backups and recovery, and network bottlenecks should all be addressed.