Availability in information security means that systems, data and services are accessible to authorized users when they're needed. It's the most operationally visible of the three core security properties: when it fails, everyone notices immediately.
The threats to availability are broader than most people expect. Ransomware that encrypts production data is an availability attack, not just a confidentiality one. A misconfigured firewall rule that blocks legitimate traffic is an availability failure. Hardware failures, power outages, network congestion and failed software deployments all cause availability impacts. DDoS attacks target availability directly. Even aggressive vulnerability remediation (e.g., patching without adequate testing) can take systems down.
Measuring availability requires specific metrics. Mean Time Between Failures (MTBF) tracks how often systems fail. Mean Time To Recover (MTTR) measures how quickly you restore service after failure. Recovery Time Objective (RTO) is the maximum acceptable outage duration for a given system. Recovery Point Objective (RPO) is the maximum acceptable data loss. Together, these four numbers define what availability commitments actually mean in operational terms, and they appear directly in business continuity and disaster recovery documentation.
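The four metrics above, worked through on an outage log, as an added example that is not part of the original page. The outage records, reporting window and RTO/RPO targets are constructed sample values, and MTBF is computed as total uptime divided by failure count, which is one common convention.

```python
from datetime import datetime, timedelta

# Constructed sample data: (outage start, service restored, last good backup).
OUTAGES = [
    ("2024-01-10 02:00", "2024-01-10 03:30", "2024-01-10 00:00"),
    ("2024-02-14 14:00", "2024-02-14 14:45", "2024-02-14 12:00"),
    ("2024-03-20 09:00", "2024-03-20 15:00", "2024-03-19 21:00"),
]
WINDOW = ("2024-01-01 00:00", "2024-03-31 00:00")  # constructed reporting window
RTO = timedelta(hours=4)  # assumed target: maximum acceptable outage duration
RPO = timedelta(hours=6)  # assumed target: maximum acceptable data loss


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _hours(delta):
    return delta.total_seconds() / 3600


def availability_report(outages, window, rto, rpo):
    """Derive MTBF, MTTR and availability, and flag outages that broke RTO or RPO."""
    span = _ts(window[1]) - _ts(window[0])
    # Downtime per outage: restore time minus failure time.
    downtime = [_ts(end) - _ts(start) for start, end, _ in outages]
    # Data-loss exposure per outage: failure time minus last good backup.
    exposure = [_ts(start) - _ts(backup) for start, _, backup in outages]
    total_down = sum(downtime, timedelta())
    uptime = span - total_down
    count = len(outages)
    return {
        # With no failures in the window, MTBF and MTTR are undefined.
        "mtbf_hours": _hours(uptime) / count if count else None,
        "mttr_hours": _hours(total_down) / count if count else None,
        "availability_pct": 100 * uptime / span,
        "rto_breaches": [o[0] for o, d in zip(outages, downtime) if d > rto],
        "rpo_breaches": [o[0] for o, e in zip(outages, exposure) if e > rpo],
    }


if __name__ == "__main__":
    for key, value in availability_report(OUTAGES, WINDOW, RTO, RPO).items():
        print(f"{key}: {value}")
```

An average MTTR under the RTO can hide a single outage that exceeded it, which is why the report checks each outage individually.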
Protecting availability starts with redundancy: redundant power, network paths, clustered systems, geographic failover and backup systems tested regularly enough that you know they actually restore. Beyond hardware, availability depends on access controls that prevent accidental changes, change management that limits unplanned downtime from failed updates and incident response processes that compress recovery time when failures occur.
Availability is also a compliance requirement, not just an operational preference. NIST SP 800-53 CP (Contingency Planning) controls and NIST 800-171 3.6.x incident response controls both address availability directly. CMMC requires tested continuity plans as part of Level 2 compliance. ISO 27001's Annex A.17 covers business continuity management. Auditors reviewing availability controls will want to see tested backup restoration, documented RTOs and RPOs and evidence of tabletop or full exercises against your continuity plans.