What is the CIA Triad?
The CIA Triad is the traditional model to define the purpose of cybersecurity:
- Confidentiality
- Integrity
- Availability
In cybersecurity, CIA stands for the Confidentiality, Integrity and Availability Triad, forming the foundational principles for securing information. The CIA Triad concept is meant to balance these principles as a “three-legged stool” where all three legs are needed, or the stool topples over. Misalignment often leads to weaknesses. For example, prioritizing confidentiality (e.g., encryption) while neglecting integrity can allow unnoticed manipulation of data.
In 2017, ComplianceForge published the Confidentiality, Integrity, Availability & Safety (CIAS) replacement for the traditional Confidentiality, Integrity & Availability "CIA Triad" that served as the traditional function of cybersecurity. With embedded technologies (e.g., Internet of Things (IoT) and Operational Technology (OT)) and the rise of Artificial Intelligence (AI) and autonomous technologies (AAT), the lack of a safety component makes the CIA Triad insufficient to define the concept of what cybersecurity is meant to perform.
The security of systems, applications and services must include controls and safeguards to offset possible threats, as well as controls to ensure confidentiality, integrity, availability and safety:
- CONFIDENTIALITY – This addresses preserving authorized restrictions on access and disclosure to authorized users and services, including means for protecting personal privacy and proprietary information.
- INTEGRITY – This addresses protecting against improper modification or destruction, including ensuring non-repudiation and authenticity.
- AVAILABILITY – This addresses timely, reliable access to data, systems and services for authorized users, services and processes.
- SAFETY – This addresses reducing risk associated with technologies that could fail or be manipulated by nefarious actors to cause death, injury, illness, damage to or loss of equipment.