There are many different recommendations, frameworks, and cyber hygiene checklists that can all provide strong levels of cybersecurity. Some of these go extremely in depth, covering how to configure specific security devices, such as firewalls, while others provide general tips and advice on a particular facet of cybersecurity, such as how to create a strong password. After all, “strong cybersecurity helps safeguard your data and your networks from theft, fraud and unauthorized access” (Kidd). There is, however, one particular framework that is often cited as a crucial backbone for any good cybersecurity plan: the CIA Triad.

Fortinet states that the CIA Triad “provides a simple yet comprehensive high-level checklist for the evaluation of your security procedures and tools”, and Kidd notes that the CIA Triad “guides information security strategies to inform areas like security framework implementation and cyber threat intelligence” (Kidd). But what exactly is the CIA Triad?

The CIA Triad is, as the name implies, a collection of three fundamental rules for cybersecurity. These are Confidentiality, Integrity, and Availability. The National Cybersecurity Center of Excellence, which is a part of the National Institute of Standards and Technology, identifies these three aspects of the CIA Triad as follows:

Confidentiality – preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

Integrity — guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity

Availability – ensuring timely and reliable access to and use of information

Cawthra et al.

Note: Non-repudiation means that someone cannot deny editing, modifying, or deleting data. For example, if I were to edit a document, non-repudiation means that my name is recorded as having edited this document.

The CIA Triad should be utilized “in the majority of security situations, particularly because each component is critical. However, it is particularly helpful when developing systems around data classification and managing permissions and access privileges” (Fortinet). Beyond creating good cybersecurity policies, procedures, and techniques, the CIA Triad is also “valuable in assessing what went wrong—and what worked—after a negative incident” (Fortinet). For example, if a hacker broke into a database that contained the records of the patients of a doctor’s office, then one can use the CIA Triad to determine what general aspect of cybersecurity failed. In this example, Confidentiality was not kept, as private patient data was stolen.

Confidentiality

When it comes to cybersecurity, it is crucial to recognize that “access to information must be controlled to prevent the unauthorized sharing of data—whether intentional or accidental” (Fortinet). Overall, confidentiality is ensuring that private data is kept private. One of the best ways to maintain confidentiality is by “making sure that people without proper authorization are prevented from accessing assets important to your business. Conversely, an effective system also ensures that those who need to have access have the necessary privileges” (Fortinet). For example, if a patient of a doctor’s office were able to view and access the records of other patients, that would be a clear breach of confidentiality as a patient should not have this level of access (often referred to as authority). However, it is also important that the doctors can access data about their patients. Through having a structured plan of who can access what, confidentiality can be maintained.

Generally, confidentiality is breached “when unauthorized entities have access to your confidential data. This can happen in various ways, including data breaches, insider threats, social engineering attacks and even brute force attacks” (Kidd). Beyond this, it is important to note that “not all violations of confidentiality are intentional. Human error or insufficient security controls may be to blame as well. For example, someone may fail to protect their password—either to a workstation or to log in to a restricted area” (Fortinet). If a doctor logs into a computer to view patient data and then leaves the room while still logged in, this is technically a breach of confidentiality.

Splunk identifies four ways in which confidentiality can be maintained:

“Encrypt sensitive data, such as credit card numbers or personal information, when you transmit it over networks or store it on computers.

Use access controls, such as user authentication and authorization, to limit who can access sensitive data and what they can do with it.

Use physical controls, such as locks and security cameras, to prevent unauthorized access to sensitive data in physical locations, such as data centers or office buildings.

Maintain a clear data protection policy and regularly train employees on security best practices to teach them how to handle sensitive information properly.”

Kidd

In addition, one “can classify and label restricted data, enable access control policies, encrypt data, and use multi-factor authentication (MFA) systems in order to help increase confidentiality” (Fortinet). A combination of all of the above strategies is a great choice when determining ways in which the confidentiality of data is to be maintained. If you fail to uphold good confidentiality practices, “unauthorized individuals can access [confidential data] and potentially use it in harmful ways. Even if [this unauthorized access is] not harmful, it’s a vulnerability you must consider”; breaches of confidentiality can cause a company to lose trust from its customers, which would harm business (Kidd).

Integrity

Beyond keeping confidential data safe, secure, and secret, it is also important that data is kept at its initial quality and is not tampered with. Integrity specifically “involves making sure your data is trustworthy and free from tampering. The integrity of your data is maintained only if the data is authentic, accurate, and reliable” (Fortinet). In more general terms, integrity is “the property that data has not been altered in an unauthorized manner” and applies to data “in storage, during processing, and while in transit” (Cawthra et al.). Data integrity is not the only kind of integrity, either. System integrity is also crucial. Generally, “for systems, integrity means that systems are free from corruption, tampering or unauthorized modification” (Kidd).

Say one of the nurses at a doctor’s office goes onto the computer and changes the home addresses of all of the patients to the local shopping center. This is a breach of integrity because the data is no longer accurate; it was tampered with. In most cases, “compromising integrity is often done intentionally” (Fortinet). While it is possible for an accidental loss of integrity to occur (for example, if water was spilled on a computer, it may harm the computer and cause some of the data to be lost), it is much more likely that a loss of integrity results from someone tampering with the data.

Data integrity attacks, while they can be varied in motive, usually “include unauthorized insertion, deletion, or modification of data to corporate information such as emails, employee records, financial records, and customer data” (Cawthra et al.). One of the most notable kinds of data integrity attack is ransomware, which “encrypts data, rendering it unusable. This type of impact to data affects business operations and often leads them to shut down” (Cawthra et al.). When data is encrypted, it is, essentially, scrambled up. In order to use the data, it must be unscrambled using a key. Without the key, unscrambling the data can be as hard as separating all of the ingredients of a baked cake! Since the data is no longer in its original form, its integrity has been breached.

Fortunately, there are many ways to safeguard the integrity of data and computer systems. For example, “logical access controls like periodic access reviews and the principle of least privilege are great places to start. By authorizing only specific individual[s] in, these controls ensure the integrity of the information” (Kidd). The principle of least privilege is a framework for deciding who can access what data. This principle essentially states that everyone should have the least amount of privilege, or access, required for their responsibilities. For example, a patient at the doctor’s office might only be able to access their own health information, since that is the least amount of access they require to the system. Of course, exceptions can be made, or special permissions granted as needed.
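The doctor’s-office scenario used in the Confidentiality section and in the least-privilege paragraph above can be made concrete in code. The following is an added example, not code from the original post or from Fortinet, Splunk, or NIST: a small records store for a hypothetical office in which each role is granted only the permissions its duties require, patients can read only their own record, and every access attempt (allowed or denied) is written to an audit log so that nobody can later deny having made a change (the non-repudiation property noted earlier). The users, roles, records, and permission names are all constructed for illustration.

```python
# Added example, not from the original post or any of the cited sources:
# a least-privilege access check for a hypothetical doctor's-office records
# system, with an audit log so every access is attributable (non-repudiation).
# Users, roles, records and permission names are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Each role receives only the permissions its duties require (least privilege).
# Anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "patient": {"read_own"},
    "nurse": {"read_any", "update_contact"},
    "doctor": {"read_any", "update_clinical"},
}


@dataclass
class User:
    name: str
    role: str
    patient_id: Optional[str] = None  # only patients are tied to a record


@dataclass
class Record:
    patient_id: str
    address: str
    diagnosis: str


@dataclass
class RecordStore:
    records: Dict[str, Record]
    audit_log: List[dict] = field(default_factory=list)

    def _log(self, user: User, action: str, patient_id: str, allowed: bool) -> None:
        # Every attempt, allowed or denied, is recorded with who, what and when,
        # so nobody can later deny having made (or attempted) the change.
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user.name,
            "role": user.role,
            "action": action,
            "patient_id": patient_id,
            "allowed": allowed,
        })

    def can(self, user: User, action: str, patient_id: str) -> bool:
        perms = ROLE_PERMISSIONS.get(user.role, set())
        if action == "read":
            # Staff may read any record; a patient may read only their own.
            return "read_any" in perms or (
                "read_own" in perms and user.patient_id == patient_id
            )
        if action == "update_address":
            return "update_contact" in perms
        if action == "update_diagnosis":
            return "update_clinical" in perms
        return False  # unknown actions are denied, never silently allowed

    def _authorize(self, user: User, action: str, patient_id: str) -> None:
        allowed = self.can(user, action, patient_id)
        self._log(user, action, patient_id, allowed)
        if not allowed:
            raise PermissionError(f"{user.name} ({user.role}) may not {action} {patient_id}")

    def read(self, user: User, patient_id: str) -> Record:
        self._authorize(user, "read", patient_id)
        return self.records[patient_id]

    def update_address(self, user: User, patient_id: str, new_address: str) -> None:
        self._authorize(user, "update_address", patient_id)
        self.records[patient_id].address = new_address

    def update_diagnosis(self, user: User, patient_id: str, new_diagnosis: str) -> None:
        self._authorize(user, "update_diagnosis", patient_id)
        self.records[patient_id].diagnosis = new_diagnosis


def build_demo_store() -> RecordStore:
    # Constructed sample data for the demo.
    return RecordStore(records={
        "p001": Record("p001", "12 Elm Street", "seasonal allergies"),
        "p002": Record("p002", "8 Oak Avenue", "sprained ankle"),
    })


if __name__ == "__main__":
    store = build_demo_store()
    alice = User("Alice", "patient", patient_id="p001")
    nina = User("Nina", "nurse")
    print(store.read(alice, "p001"))                    # allowed: her own record
    try:
        store.read(alice, "p002")                       # denied: another patient's record
    except PermissionError as e:
        print("denied:", e)
    store.update_address(nina, "p002", "9 Oak Avenue")  # allowed for a nurse
    for entry in store.audit_log:
        print(entry)
```

Two design points worth noticing: the permission check denies anything it does not explicitly recognise (an unknown role or action never falls through to “allowed”), and the audit entry is written before the decision is enforced, so denied attempts are recorded as well as successful ones. Reviewing that log periodically is the “periodic access review” Kidd mentions.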

Beyond these logical controls, one can employ “hashing, encryption, digital certificates, or digital signatures. For websites, you can employ trustworthy certificate authorities (CAs) that verify the authenticity of your website so visitors know they are getting the site they intended to visit” (Fortinet). Hashing is the process of taking a given document or piece of data and converting it to a unique string of numbers and/or letters. These strings of numbers and letters are unique to each file, and two files can only have the same hash if they are the same exact file. Thus, by checking the hash values of files, one can determine if the files were in any way modified. Even changing a single letter to a document will drastically change the hash of the file! Encryption, as mentioned previously, scrambles data. In order to actually access and use the data, it must first be unscrambled; without the key, this is extremely difficult, but with the key, it is straightforward and easy. Finally, certificates are, as mentioned, a way to show to website visitors that the website is legitimate.
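The hashing behaviour described above is easy to see for yourself. The following is an added example, not from the original post or its sources: it computes the SHA-256 hash of a constructed patient record, shows how changing a single digit changes almost every character of the digest, and then adds an HMAC (a hash combined with a secret key). The HMAC addresses a caveat a practitioner would raise about plain hashing: if whoever alters the data can also overwrite the stored hash, they simply recompute it and the check passes, whereas a keyed check cannot be recomputed without the key. The record contents and the key are constructed for the demo.

```python
# Added example, not from the original post or the cited sources: checking
# data integrity with a SHA-256 hash (showing how a one-character change alters
# the whole digest) and with an HMAC, which adds a secret key so that whoever
# can alter the data cannot also produce a matching check value. The sample
# record and the key are constructed for illustration.
import hashlib
import hmac

ORIGINAL = b"Patient: p001\nAddress: 12 Elm Street\n"
TAMPERED = b"Patient: p001\nAddress: 13 Elm Street\n"  # one digit changed
# In practice the key would come from a secrets store; this one is constructed.
SECRET_KEY = b"office-integrity-key-demo"


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: detects accidental corruption and casual tampering."""
    return hashlib.sha256(data).hexdigest()


def differing_positions(a: str, b: str) -> int:
    """How many hex digits differ between two digests of equal length."""
    return sum(1 for x, y in zip(a, b) if x != y)


def verify_hash(data: bytes, expected_hex: str) -> bool:
    # compare_digest avoids leaking how many characters matched via timing.
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest: can only be produced or verified by a holder of the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def plain_hash_is_forgeable() -> bool:
    """Someone who alters the data and can also overwrite the stored hash
    simply recomputes it, and a plain hash check passes."""
    return verify_hash(TAMPERED, sha256_hex(TAMPERED))


def hmac_resists_forgery() -> bool:
    """Without the key, the best that same person can do is leave the old tag
    in place or store an unkeyed hash; the HMAC check rejects both."""
    stale_tag = hmac_tag(SECRET_KEY, ORIGINAL)
    forged_tag = sha256_hex(TAMPERED)
    return (not verify_hmac(SECRET_KEY, TAMPERED, stale_tag)
            and not verify_hmac(SECRET_KEY, TAMPERED, forged_tag))


if __name__ == "__main__":
    h_orig, h_tamp = sha256_hex(ORIGINAL), sha256_hex(TAMPERED)
    print("original :", h_orig)
    print("tampered :", h_tamp)
    print("hex digits that differ:", differing_positions(h_orig, h_tamp), "of 64")
    print("plain hash accepts original :", verify_hash(ORIGINAL, h_orig))
    print("plain hash accepts tampered :", verify_hash(TAMPERED, h_orig))
    print("plain hash forgeable        :", plain_hash_is_forgeable())
    print("HMAC resists forgery        :", hmac_resists_forgery())
```

Digital signatures, which the quoted passage also mentions, take this one step further: they use a private key to produce the tag and a separate public key to verify it, so verifiers do not need to share the secret.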

Availability

Last, but certainly not least, is availability. Availability involves whether or not the data can be accessed when it is needed. For example, if the doctor tries to pull up a patient’s records on the computer but then the office has a power outage, the availability of this data has been breached. Breaches of availability are not always caused by hackers; “some common causes of availability breaches include hardware or software failures, network outages, power outages, [and] natural disasters … [in addition to] cyberattacks” (Kidd). A breach of availability does not necessarily mean that the computers themselves are unusable. It could be the case that “a natural disaster like a flood or even a severe snowstorm may prevent users from getting to the office, which can interrupt the availability of their workstations and other devices that provide business-critical information or applications” (Fortinet). If the doctor and nurses cannot reach the office, then there is no data availability.

Splunk goes over some of the above-mentioned availability breaches in more depth below:

A hardware failure might cause a server to crash, preventing users from accessing its data or services. Network outages might prevent users from accessing data or systems over the internet. Power outages might prevent users from accessing data or systems that rely on electrical power. A natural disaster, such as a flood or earthquake, might cause physical damage to data centers or other critical infrastructure, disrupting access to data and systems. A cyberattack, such as a denial-of-service attack, might overwhelm a system with traffic, preventing legitimate users from accessing it.

Kidd

Beyond denial-of-service attacks, there is another popular cyberattack that harms availability of data: ransomware. As mentioned before, ransomware harms the integrity of data since the data is encrypted, but this encryption also breaches the availability of the data. Since the data is scrambled up and the system is locked down, the data cannot be used at all. In some cases, ransomware may also breach the confidentiality of data by leaking it online, which is why ransomware is such a dangerous cyberattack to deal with.

Fortunately, as with confidentiality and integrity, there are many recommendations for maintaining availability:

Deploy redundant systems such as multiple servers or backup power sources or implement caching. This way, when one system fails, the others can continue to operate and provide the data you need.

Use load balancers, which distribute incoming requests across multiple systems so that no single system becomes overwhelmed and unavailable.

Regularly test and maintain your systems to help identify and address potential availability issues before they cause disruptions.

Kidd
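The first two recommendations above, redundant systems and a load balancer, work together: the balancer spreads requests across replicas and steers around any replica that has failed. The following is an added example, not from Splunk or the original post, that simulates this in a single process: three replicas, a round-robin balancer with health checks, and a request stream that keeps being served while one replica is down. The replica names and request strings are constructed.

```python
# Added example, not from Splunk or the original post: a minimal load balancer
# over redundant replicas with health checks, so that requests keep being
# served when one replica fails. Replicas are simulated in-process and all
# names are constructed.
from typing import Dict, List, Tuple


class ReplicaDown(Exception):
    """Raised by a replica that has crashed or lost power."""


class Replica:
    def __init__(self, name: str):
        self.name = name
        self.up = True

    def handle(self, request: str) -> str:
        if not self.up:
            raise ReplicaDown(self.name)
        return f"{self.name} served {request}"


class LoadBalancer:
    def __init__(self, replicas: List[Replica]):
        self.replicas = list(replicas)
        self.healthy = {r.name: True for r in self.replicas}
        self._next = 0

    def health_check(self) -> Dict[str, bool]:
        """Probe every replica; unhealthy ones are skipped until they recover."""
        for r in self.replicas:
            try:
                r.handle("health-probe")
                self.healthy[r.name] = True
            except ReplicaDown:
                self.healthy[r.name] = False
        return dict(self.healthy)

    def route(self, request: str) -> Tuple[str, str]:
        """Round-robin across healthy replicas. A failure mid-request marks
        that replica down and retries on the next one, so the caller only
        sees an error when every replica is gone."""
        for _ in range(len(self.replicas)):
            r = self.replicas[self._next % len(self.replicas)]
            self._next += 1
            if not self.healthy[r.name]:
                continue
            try:
                return r.name, r.handle(request)
            except ReplicaDown:
                self.healthy[r.name] = False
        raise RuntimeError("no healthy replica: availability lost")


def simulate(outage: str, requests: int) -> Dict[str, int]:
    """Send requests across three replicas while the named one is down and
    return how many each replica served: the failed replica serves none,
    but no request is lost."""
    replicas = [Replica("db-a"), Replica("db-b"), Replica("db-c")]
    lb = LoadBalancer(replicas)
    for r in replicas:
        if r.name == outage:
            r.up = False
    counts = {r.name: 0 for r in replicas}
    for i in range(requests):
        name, _ = lb.route(f"req-{i}")
        counts[name] += 1
    return counts


if __name__ == "__main__":
    print("db-b down :", simulate("db-b", 6))
    print("all up    :", simulate("none", 6))
```

The same pattern applies to backup power sources: what matters for availability is that the failure of one component is detected and routed around automatically, rather than being discovered by the doctor who cannot open a record.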

In addition, it is important to consider environmental protections for data availability. Make sure that the room in which computer systems are kept is not too hot and is not susceptible to flooding or water leakage. If you are a business, have a plan or policy in place for data recovery during natural disasters such as earthquakes or tornadoes. In some cases, data availability may be interrupted due to system or computer upgrades. If this is the case, inform anyone who may need or use this data so that they are aware of the temporary loss in availability.

Resources & Further Reading

Cawthra, Jennifer, et al. “Executive Summary — NIST SP 1800-25 Documentation.” The National Cybersecurity Center of Excellence, Dec. 2020, www.nccoe.nist.gov/publication/1800-25/VolA/index.html.

Fortinet. “What Is the CIA Triad and Why Is It Important?” Fortinet, Fortinet, Inc., 2024, www.fortinet.com/resources/cyberglossary/cia-triad.

Kidd, Chrissy. “CIA Triad: Confidentiality, Integrity & Availability.” Splunk-Blogs, Cisco, 11 Jan. 2023, www.splunk.com/en_us/blog/learn/cia-triad-confidentiality-integrity-availability.html.
