
Cyber 101 - The CIA triad

Amy Hudspith ・2 min read

The first thing I think anyone interested in Cyber Security should learn is the CIA triad.

What is the CIA triad?

Glad you asked (I mean, it's kind of the point of the post).

The CIA triad describes three key properties we often want systems to have: Confidentiality, Integrity and Availability.


Confidentiality

Confidentiality means ensuring that only the users you want to have access to data can access that data.

Most people think of encryption at first, which is a valid way of providing confidentiality, but there are other ways to achieve the same goal.


Integrity

Integrity means ensuring your data is correct and hasn't been changed due to accidental or intentional causes.

An accidental cause could be: your system crashes while writing data, and your data is now only half overwritten.
An intentional cause could be: a hacker has access to your communication channels and edits a message in transit to/from you.


Availability

Availability means having access to all hardware and software that you need access to, when you need to access it.

Again, availability could be impacted by accidental or intentional causes.


So, surely I want all three all the time?

Probably not ...

First of all, things aren't always better just because they're "secure". For example, I made this game (I use the word game very loosely 😆) for a hackathon. My aim was to create a fun, little, Women in Tech based game while working on my p5.js skills. I intend to continue developing it at some point, and when I do I won't be adding features to ensure CIA.

Sure, I could make the game require a login that I only give to certain people (confidentiality). I could make sure I have system redundancy to make sure the game never goes down (availability). But the site doesn't need confidentiality as there is no sensitive information on the site. With regards to availability, it would be lovely to have great availability, but at the end of the day it's a little browser based game I created as part of a hackathon - if it goes down it won't be disastrous.

Another thing to consider is if you will actually be harming usability by adding security features. Forcing users to use 2FA to access my little game is just going to frustrate users unnecessarily.

It may also be that you need one of the three properties, but not the others. For example, if you are downloading a piece of software, you want to make sure what you are downloading is the software you want. This is why organisations often provide hash codes that you can use to verify the download. You don't, however, need to provide an encrypted version of the file for confidentiality when downloading Notepad++.
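The download check described above, as an added example that is not part of the original post: it hashes a file with SHA-256 and compares the result to a published checksum line, then shows the check failing once a single byte changes. The file name `installer.bin`, its contents and the `HEXDIGEST  FILENAME` line layout (the one `sha256sum`-style lists use) are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=64 * 1024):
    """Hash the file in chunks so large downloads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_line(line):
    """Parse one 'HEXDIGEST  FILENAME' line, the layout sha256sum-style lists use."""
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" *")  # '*' marks binary mode in sha256sum output
    if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("not a SHA-256 hex digest: %r" % digest)
    return digest.lower(), name


def verify_download(path, checksum_line):
    """Return True only if the file name and SHA-256 digest both match the published line."""
    expected, name = parse_checksum_line(checksum_line)
    if name != os.path.basename(path):
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed sample: a stand-in 'installer', its published line, then a tampered copy."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "installer.bin")  # hypothetical file name
    with open(path, "wb") as fh:
        fh.write(b"constructed installer bytes" * 1000)
    published = "%s  installer.bin" % sha256_file(path)  # what the vendor would publish
    ok_before = verify_download(path, published)
    with open(path, "r+b") as fh:  # flip one byte, as corruption or tampering would
        fh.seek(10)
        fh.write(b"X")
    ok_after = verify_download(path, published)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

A matching hash only shows that the file is the one the digest was computed from, so the digest has to come from somewhere you trust, such as the vendor's own HTTPS page, and not from the same place that served the file.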


In summary

The CIA triad is useful when looking at security, but isn't necessary for every single project. Think carefully about when and what needs confidentiality, integrity and availability.
