In 2018, 72% of large businesses and 31% of small businesses identified breaches or attacks. The average cost of these attacks rose an enormous 27% from the previous year. Though it is perhaps difficult to admit, the weak link that facilitates these attacks is more often than not the human user.

As part of information security training, and of any attempt to minimise potential risks, there are three principles upon which professionals typically focus: Confidentiality, Integrity and Availability. This is known as the CIA Triad.

  • Confidentiality: secure information is only accessible to authorised individuals.
  • Integrity: secure information and systems are always accurate and complete.
  • Availability: secure information is always accessible to those who need it.

Confidentiality

The confidentiality of information is often the first aspect of cybersecurity considered, certainly when it comes to many high-profile ‘hacks’ that are reported in the headlines. When a nefarious actor gains unauthorised access to an organisation’s user data, such as emails or payment information, this is a compromise of confidentiality.

When protecting the confidentiality of information, how the data is stored plays a large role. To limit the damage of a data breach, organisations should store sensitive information only in protected formats. Whether the stolen data was encrypted or held in plain text can make a significant difference to the outcome of a confidentiality breach.

In 2018, the Information Commissioner’s Office fined Heathrow Airport £120,000 for the loss of an unencrypted and non-password protected memory stick. The USB device contained a variety of sensitive information, including the personal data of security staff, as well as information regarding security protocols that could have aided malicious actors.

Though hashed or encrypted files are significantly more difficult for a bad actor to exploit, organisations cannot simply rely on these methods to protect the confidentiality of their information.

Integrity

Both the accuracy and completeness of information are integral to an organisation's ability to function. Integrity focuses on ensuring that data has not been tampered with and that it can be trusted as authentic and reliable.

It should be noted that integrity isn’t just about protecting data whilst it is being stored, but also whilst it is being used and whilst it is in transit. As with the confidentiality of information, integrity relies on both encryption and hashing, as well as on other processes such as digital signatures, intrusion detection systems and stringent organisational procedures.
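As an added example (not code from the original article), the following Python shows why integrity needs more than a hash stored alongside the data: a plain SHA-256 digest can be recomputed by whoever alters the record, whereas an HMAC computed with a separately held key exposes the alteration. The record, the altered field and the key are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record, standing in for the kind of staff data discussed above.
RECORD = {"employee": "A. Example", "role": "security staff", "salary_gbp": 41000}

def canonical(record: dict) -> bytes:
    """Serialise deterministically so identical data always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def unkeyed_check(data: bytes) -> str:
    """Plain SHA-256: anyone holding the data can recompute this value."""
    return hashlib.sha256(data).hexdigest()

def keyed_check(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: recomputing this requires the key, held apart from the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(data: bytes, expected: str, key=None) -> bool:
    """Compare a stored check value against the data in constant time."""
    actual = keyed_check(data, key) if key is not None else unkeyed_check(data)
    return hmac.compare_digest(actual, expected)

def altered_copy(data: bytes) -> bytes:
    """Model an unauthorised change to stored data (here the salary field)."""
    record = json.loads(data)
    record["salary_gbp"] = 99000
    return canonical(record)

def compare_controls() -> dict:
    """Seal the record both ways, alter it, and see which control catches it."""
    key = secrets.token_bytes(32)  # kept separately from the stored record
    data = canonical(RECORD)
    stored = {"data": data, "hash": unkeyed_check(data), "mac": keyed_check(data, key)}

    forged = altered_copy(stored["data"])
    # Whoever can edit the data can also overwrite a stored plain hash to match.
    hash_after_overwrite = verify(forged, unkeyed_check(forged))
    # The MAC cannot be recomputed without the key, so the forgery is detected.
    mac_detects = not verify(forged, stored["mac"], key)
    return {
        "original_hash_ok": verify(stored["data"], stored["hash"]),
        "original_mac_ok": verify(stored["data"], stored["mac"], key),
        "forged_hash_overwritten_ok": hash_after_overwrite,  # True: undetected
        "forged_mac_ok": not mac_detects,                    # False: detected
    }
```

The same key-separation point is why a digital signature, whose private key never travels with the data, gives a stronger integrity guarantee than a checksum file.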

A specially designed piece of malicious software named Stuxnet infected an Iranian nuclear enrichment facility. Though the facility’s systems were air-gapped (i.e. not connected to systems outside the facility), outside actors engineered a situation in which an employee unwittingly compromised the facility by plugging in an infected USB stick. By compromising the accuracy and integrity of these systems, the creators of Stuxnet were able to significantly affect the facility’s ability to function.

Availability

As you might expect, the value of information reduces dramatically if users or an organisation cannot access it. Put simply, availability means that networks and systems are functioning properly, and that authorised parties can access resources, data and information as and when they are needed.

Whilst a great deal of availability is reliant on the maintenance of digital systems, those digital systems are in turn reliant upon physical preconditions, and thus availability is dependent upon consistent power, a lack of human error and functioning hardware.

Perhaps one of the most memorable recent failures of availability was the 2017 NHS WannaCry ransomware crisis. Thanks to the NHS’ outdated systems, critical information was rendered inaccessible because of a computer worm, with staff having to resort to pen and paper records in lieu of their electronic documents. Costing the NHS an estimated £92 million, WannaCry seriously endangered the lives of UK citizens, as well as infecting over 300,000 computers worldwide.

Applying the CIA Triad

For each principle that makes up the CIA triad, we have a prime example of its importance in relation to reliable information security. Depending on your organisation, industry and general requirements, there are many ways in which the CIA triad’s principles can be applied.

Part of any organisation’s implementation of these principles is the prioritisation of needs and requirements. For example, increasing the confidentiality of data can reduce its availability, and likewise, measures that increase availability can degrade the integrity of the data.

As with many aspects of life, information security frequently involves trade-offs, though ensuring that your organisation’s data is adequately confidential, accurate, complete and accessible is no longer optional. Likewise, ensuring that staff are adequately trained in these principles, and in the other foundations of information security, is now essential for any organisation.