The CIA Triad
Every security decision — whether it's choosing an encryption algorithm, setting access controls, or planning a backup strategy — can be evaluated against three fundamental principles. Together they form the CIA Triad: Confidentiality, Integrity, and Availability.
What is the CIA Triad?
The CIA Triad is the foundational model for thinking about information security. It's not an organization — it stands for three properties that every secure system must provide:
Confidentiality
Only authorized people can read the data.
Integrity
The data hasn't been tampered with.
Availability
The data is accessible when you need it.
Confidentiality: Keeping Secrets Secret
Confidentiality means that information is only accessible to those who are authorized to see it. Think of it as privacy at a systems level.
What threatens confidentiality?
- Data breaches where stolen credentials let attackers read private records
- Man-in-the-middle attacks where communications are intercepted
- Misconfigured cloud storage buckets left open to the public
- Shoulder surfing — someone literally reading your screen
How we protect confidentiality:
- Encryption — scramble data so only someone with the key can read it (the main topic of this roadmap)
- Access controls — only give access to those who need it (principle of least privilege)
- Authentication — verify identity before granting access
- Data classification — label data by sensitivity and apply appropriate protections
Real-world example
When you submit your credit card number online, the browser encrypts it using TLS before sending. This ensures only you and the merchant's server can read it — even if an attacker intercepts the network traffic, they see only scrambled noise. That's confidentiality in action.
Integrity: Ensuring Data Isn't Tampered With
Integrity means that data is accurate, complete, and hasn't been modified without authorization. It's the assurance that what you receive is what was actually sent.
What threatens integrity?
- Man-in-the-middle attacks that modify data in transit
- Malware that corrupts or alters files
- Unauthorized database modifications
- Software supply chain attacks (malicious code injected into legitimate software)
How we protect integrity:
- Cryptographic hash functions — a unique "fingerprint" of data that changes if a single byte is modified
- Digital signatures — prove that data came from who it claims to and wasn't changed
- Checksums — lightweight verification that a file transferred correctly
- Audit logs — immutable records of who changed what and when
Availability: Keeping Systems Up and Running
Availability means that systems and data are accessible to authorized users when they need them. A system that's completely secure but never works is useless.
What threatens availability?
- DDoS attacks — flooding a server with traffic until it crashes
- Ransomware — encrypting files and demanding payment to restore access
- Hardware failures — drives crashing, power outages
- Natural disasters — data centers affected by floods, fires, or earthquakes
How we protect availability:
- Redundancy — multiple copies, multiple servers, multiple regions
- Backups — regular, tested, and stored separately from the primary system
- DDoS mitigation — traffic filtering and content delivery networks (CDNs)
- Disaster recovery plans — documented procedures for restoring service
The Triad Creates Tradeoffs
Here's the nuance that makes security hard: the three properties often pull against each other.
Confidentiality vs. Availability
The more strictly you control access (confidentiality), the harder it can be for legitimate users to get in quickly (availability). Two-factor authentication improves security but adds friction.
Integrity vs. Availability
Requiring cryptographic verification of every piece of data adds latency. High-integrity systems are sometimes slower or less available during verification failures.
Confidentiality vs. Integrity
Encrypting everything is great for confidentiality, but can make it harder to verify integrity without decrypting first — creating performance tradeoffs.
Frequently Asked Questions
What is the CIA Triad?
The CIA Triad is a model describing the three core goals of information security: Confidentiality (keeping data secret), Integrity (keeping data accurate and untampered), and Availability (keeping systems and data accessible when needed). Almost every security control exists to protect one of these three properties.
What does CIA stand for in cybersecurity?
In cybersecurity, CIA stands for Confidentiality, Integrity, and Availability. It has nothing to do with the intelligence agency — it is the foundational framework used to evaluate how well data and systems are protected.
Why is the CIA Triad important?
The CIA Triad gives security teams a simple checklist to reason about risk. Any threat, control, or design decision can be measured by asking: does it affect confidentiality, integrity, or availability? This makes it the starting point for security policies, risk assessments, and incident response.
Can you give an example of the CIA Triad?
Consider online banking. Confidentiality keeps your balance hidden from others. Integrity ensures a $100 transfer is not altered to $1,000. Availability keeps the banking site online so you can access your money.
Which of the three principles is most important?
It depends entirely on the context. For a password database, confidentiality is paramount. For a financial transaction log, integrity is critical. For an emergency services dispatch system, availability is the priority. Good security applies all three and understands the tradeoffs for the specific use case.
Is there a fourth principle beyond CIA?
Yes — some models add Non-repudiation: the guarantee that someone cannot deny having sent or received a message, provided by digital signatures. Extended models also include Authenticity and Accountability. But the core CIA Triad covers the large majority of security reasoning.