Fatskills
Practice. Master. Repeat.
Study Guide: Principles of Information Security: CIA Triad (Confidentiality, Integrity, Availability)
Source: https://www.fatskills.com/first-aid/chapter/information-security-cia-triad-confidentiality-integrity-availability

Principles of Information Security: CIA Triad (Confidentiality, Integrity, Availability)

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~6 min read

CIA Triad (Confidentiality, Integrity, Availability)


CIA Triad (Confidentiality, Integrity, Availability) – Exam-Ready Study Guide



What This Is

The CIA Triad is the foundational model for information security, defining the three core objectives every security program must address: Confidentiality (keeping data private), Integrity (ensuring data is accurate and unaltered), and Availability (ensuring data is accessible when needed). Without balancing these three, systems are vulnerable to breaches, fraud, or downtime.

Real-world example:
In 2023, a misconfigured AWS S3 bucket (a cloud storage service) exposed 10 million customer records (including PII like SSNs) because access controls were not properly set. This violated Confidentiality. Later, attackers encrypted the data (ransomware), violating Availability. Had the company enforced least privilege access (Confidentiality) and immutable backups (Availability), the breach could have been prevented.


Key Terms & Concepts

  • CIA Triad: Confidentiality, Integrity, Availability – The three core security objectives. All security controls map back to one (or more) of these.
  • Example: Encryption (Confidentiality), hashing (Integrity), redundancy (Availability).

  • Confidentiality: Ensuring data is only accessible to authorized users/systems. Prevents unauthorized disclosure.

  • Tools/Standards: Encryption (AES, RSA), Access Controls (RBAC, ABAC), NIST SP 800-53 (AC-1 to AC-25).
  • Attack Example: Phishing (stealing credentials), Man-in-the-Middle (MITM) (eavesdropping on unencrypted traffic).

  • Integrity: Ensuring data is accurate, complete, and unaltered unless modified by authorized parties.

  • Tools/Standards: Hashing (SHA-256, MD5), Digital Signatures, NIST SP 800-160 (System Security Engineering), OWASP Top 10 (A08:2021 – Software and Data Integrity Failures).
  • Attack Example: SQL Injection (modifying database records), DNS Spoofing (redirecting traffic to malicious sites).

  • Availability: Ensuring systems and data are accessible to authorized users when needed.

  • Tools/Standards: Redundancy (RAID, failover clusters), DDoS Protection (Cloudflare, Akamai), ISO 22301 (Business Continuity).
  • Attack Example: DDoS (Distributed Denial of Service) (overwhelming a server with traffic), Ransomware (encrypting data until a ransom is paid).

  • Non-Repudiation: Ensuring a party cannot deny performing an action (e.g., sending a message, approving a transaction).

  • Tools: Digital Signatures, Audit Logs, MITRE ATT&CK (T1552 – Unsecured Credentials).

  • Least Privilege: Users/systems get only the minimum access needed to perform their function.

  • Standard: NIST SP 800-53 (AC-6).

  • Defense in Depth: Using multiple layers of security controls (e.g., firewall + IDS + encryption) to protect against threats.

  • Example: A bank uses MFA (Multi-Factor Authentication) (Confidentiality), file integrity monitoring (Integrity), and offsite backups (Availability).

  • Risk = Threat × Vulnerability × Impact: A formula to quantify risk. If any factor is zero, risk is zero.

  • Example: A threat (hacker) exploits a vulnerability (unpatched software) to cause impact (data breach).

  • Single Loss Expectancy (SLE): SLE = Asset Value × Exposure Factor (e.g., $1M server with 50% loss = $500K SLE).

  • Annualized Loss Expectancy (ALE): ALE = SLE × Annualized Rate of Occurrence (ARO) (e.g., $500K SLE × 0.1 ARO = $50K ALE).

  • Business Impact Analysis (BIA): Identifies critical systems and the impact of their unavailability (used for disaster recovery planning).

  • Standard: ISO 22301, NIST SP 800-34.

  • Recovery Time Objective (RTO): Maximum acceptable downtime before a system must be restored.

  • Recovery Point Objective (RPO): Maximum acceptable data loss (e.g., 1 hour of data loss = RPO of 1 hour).


Step-by-Step / Process Flow


How to Apply the CIA Triad in Real-World Security

  1. Identify Critical Assets & Data
  2. Use asset inventory tools (e.g., Nessus, Qualys) to list systems, data, and their classification levels (Public, Internal, Confidential, Restricted).
  3. Example: A hospital identifies patient health records (PII/PHI) as Restricted (high Confidentiality + Integrity).

  4. Assess Risks to CIA

  5. Perform a risk assessment (NIST SP 800-30) to identify threats, vulnerabilities, and impacts to Confidentiality, Integrity, and Availability.
  6. Example:


    • Confidentiality Risk: Unencrypted patient records stored in a cloud bucket (vulnerability) → data breach (threat).
    • Integrity Risk: A hacker modifies lab results (threat) via SQL injection (vulnerability).
    • Availability Risk: A ransomware attack (threat) encrypts EHR systems (vulnerability).
  7. Select & Implement Controls

  8. Map risks to security controls (NIST SP 800-53, ISO 27001) to mitigate CIA violations.
  9. Example Controls:
    | CIA Objective | Control | Tool/Standard |
    |-------------------|------------|-------------------|
    | Confidentiality | Encryption | AES-256, TLS 1.3 |
    | Confidentiality | Access Control | RBAC, MFA (NIST AC-6) |
    | Integrity | Hashing | SHA-256, HMAC |
    | Integrity | Digital Signatures | PGP, X.509 Certs |
    | Availability | Redundancy | RAID, Failover Clusters |
    | Availability | DDoS Protection | Cloudflare, Akamai |

  10. Monitor & Detect Violations

  11. Deploy SIEM (Security Information and Event Management) (e.g., Splunk, IBM QRadar) to detect:


    • Confidentiality Breaches: Unusual access patterns (e.g., a nurse accessing 100 records in 5 minutes).
    • Integrity Violations: File changes without authorization (e.g., Tripwire, OSSEC).
    • Availability Issues: Server downtime, DDoS attacks (e.g., Nagios, Zabbix).
  12. Respond & Recover

  13. Follow incident response steps (NIST SP 800-61):


    1. Preparation (e.g., backup policies, RTO/RPO).
    2. Detection & Analysis (e.g., SIEM alerts).
    3. Containment (e.g., isolate infected systems).
    4. Eradication (e.g., patch vulnerabilities).
    5. Recovery (e.g., restore from backups).
    6. Lessons Learned (e.g., update policies).
  14. Continuous Improvement

  15. Conduct penetration testing (e.g., Metasploit, Burp Suite) and red team exercises to test CIA defenses.
  16. Update risk assessments annually or after major changes (e.g., new cloud migration).

Common Mistakes

Mistake Correction
Assuming encryption = security. Encryption protects Confidentiality, but not Integrity (data can still be altered) or Availability (ransomware can still encrypt files). Use hashing + encryption + backups for full CIA protection.
Ignoring Integrity in favor of Confidentiality. Many focus only on encryption (Confidentiality) but forget file integrity monitoring (FIM). A hacker could modify encrypted files if Integrity isn’t checked.
Overlooking Availability in cloud environments. Cloud providers (AWS, Azure) have shared responsibility models—they ensure physical Availability, but you must configure redundancy, backups, and DDoS protection.
Confusing RTO and RPO. RTO = "How fast must we recover?" (e.g., 4 hours). RPO = "How much data can we lose?" (e.g., 1 hour). Mixing them up leads to poor disaster recovery planning.
Assuming backups = Availability. Backups protect data Availability, but system Availability requires failover clusters, load balancers, and DDoS protection.


Certification Exam Tips


CISSP

  • Management vs. Technical Perspective: CISSP focuses on governance, risk, and compliance (GRC). Expect questions like:
  • "Which CIA objective is most impacted by a DDoS attack?"Availability (but know why Confidentiality/Integrity might also be affected).
  • "What is the primary purpose of a BIA?"Identify critical systems and their RTO/RPO (Availability).
  • Tricky Distinctions:
  • Non-repudiation is not the same as Integrity (non-repudiation = "you can’t deny it," Integrity = "data wasn’t altered").
  • Least privilege is a Confidentiality control, but it also helps Integrity (fewer people can modify data).

Security+

  • Memorize Attack Examples:
  • Confidentiality: Phishing, MITM, shoulder surfing.
  • Integrity: SQLi, DNS spoofing, malware.
  • Availability: DDoS, ransomware, hardware failure.
  • Control Matching: Know which controls map to which CIA objective (e.g., encryption = Confidentiality, hashing = Integrity, RAID = Availability).

CEH

  • Hands-On Focus: CEH tests how attacks violate CIA. Expect:
  • "Which attack violates Integrity?"SQL Injection, ARP Poisoning.
  • "Which tool tests Availability?"LOIC (DDoS), Metasploit (DoS modules).
  • Defense Strategies: Know how to mitigate each attack (e.g., WAF for SQLi, IDS for DDoS).


Quick Check Questions


Question 1

A company’s database is encrypted at rest, but an attacker modifies the database records without detection. Which CIA objective was violated, and what control could have prevented this?

Answer: Integrity was violated. File Integrity Monitoring (FIM) (e.g., Tripwire) or digital signatures could have detected unauthorized changes.


Question 2

During a Business Impact Analysis (BIA), a security team determines that a critical payroll system must be restored within 2 hours and can tolerate no more than 30 minutes of data loss. What are the RTO and RPO?

Answer:
- RTO = 2 hours (maximum acceptable downtime).
- RPO = 30 minutes (maximum acceptable data loss).


Question 3

A hospital implements MFA (Multi-Factor Authentication) for all EHR (Electronic Health Record) systems. Which CIA objective does this primarily address, and what is a secondary benefit?

Answer:
- Primary: Confidentiality (prevents unauthorized access).
- Secondary: Integrity (reduces risk of unauthorized modifications).


Last-Minute Cram Sheet

  1. CIA Triad = Confidentiality, Integrity, Availability – The three pillars of security.
  2. Confidentiality = Encryption, Access Controls, Least Privilege (NIST AC-6).
  3. Integrity = Hashing (SHA-256), Digital Signatures, FIM (Tripwire).
  4. Availability = Redundancy (RAID, failover), Backups, DDoS Protection (Cloudflare).
  5. Non-repudiation = Digital Signatures, Audit Logs (you can’t deny it).
  6. RTO = Recovery Time Objective (how fast to restore).
  7. RPO = Recovery Point Objective (how much data loss is acceptable).
  8. ALE = SLE × ARO (Annualized Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence).
  9. ⚠️ Encryption ≠ Integrity – Use hashing + encryption for full protection.
  10. ⚠️ Backups ≠ Availability – Need failover systems + DDoS protection.


ADVERTISEMENT