The CIA triad is the foundational framework of cybersecurity. The three letters stand for Confidentiality, Integrity, and Availability, and they describe the three properties every security program is trying to maintain. Almost any security control, policy, or decision can be evaluated through the lens of which of the three it’s protecting. The framework is decades old, deliberately simple, and remarkably durable: even as the technology and the threat landscape have evolved beyond recognition since the original framing, the three properties still capture what security is fundamentally about. Understanding them gives any operator a useful mental model for thinking about security decisions.
This post walks through what each leg of the triad actually means, why all three matter rather than just one, the trade-offs that arise when the three pull against each other, common extensions and criticisms of the framework, and how to use the triad in practical security decisions.
Confidentiality: keeping information from people who shouldn’t see it
Confidentiality is the property that information is accessible only to those authorized to have access. The classic mental model: a sealed envelope. The contents are visible to the sender and recipient; everyone else along the way sees only the envelope, not what’s inside.
In modern systems, confidentiality is maintained through several specific controls:
- Access controls: authentication (verifying who someone is) and authorization (determining what they’re allowed to access). The combination keeps the wrong people out and routes the right people to what they should see.
- Encryption: encoding data so that even someone who obtains it can’t read it without the decryption key. Encryption at rest protects data sitting in storage; encryption in transit protects data moving between systems.
- Data classification: knowing what data is sensitive and applying appropriate controls. Treating every piece of data with maximum protection is expensive; treating sensitive data with minimum protection is dangerous. Classification matches the protection to the value.
- Need-to-know access: limiting access to those who actually need it for their work, rather than granting broad access by default. The principle of least privilege is the operational version of this.
- Physical security: protecting devices and media from physical access by unauthorized people. Encryption helps if devices are lost; physical security prevents the loss in the first place.
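The access-control, classification and need-to-know bullets above combine into a single authorization decision. The following is an added example, not code from the original post: a default-deny check in which a principal's clearance must dominate the record's classification, every need-to-know compartment on the record must be held by the principal, and the right to write is granted separately from the right to read. The level names, compartments, principals and records are constructed for illustration.

```python
"""Added example: least-privilege authorization combining data classification,
need-to-know compartments and read/write separation. Not from the original post;
all names and data below are constructed."""
from dataclasses import dataclass

# Ordered classification levels; a higher index means more sensitive.
LEVELS = ("public", "internal", "confidential", "restricted")


@dataclass(frozen=True)
class Record:
    name: str
    classification: str
    compartments: frozenset = frozenset()   # need-to-know tags, e.g. {"payroll"}


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str
    compartments: frozenset = frozenset()   # tags this person is read into
    can_write: frozenset = frozenset()      # record names this person may modify


def _rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown classification {level!r}")
    return LEVELS.index(level)


def authorize(p: Principal, r: Record, action: str) -> tuple:
    """Return (allowed, reason). Default is deny; every check must pass."""
    if action not in ("read", "write"):
        return False, f"unknown action {action!r}"
    # Clearance must be at least as high as the record's classification.
    if _rank(p.clearance) < _rank(r.classification):
        return False, "clearance below record classification"
    # Need-to-know: high clearance alone is not enough; every compartment
    # on the record must be held by the principal.
    missing = r.compartments - p.compartments
    if missing:
        return False, f"missing compartments: {sorted(missing)}"
    # Separate the right to read from the right to write.
    if action == "write" and r.name not in p.can_write:
        return False, "read-only access; write not granted"
    return True, "allowed"


def demo() -> dict:
    """Run a few constructed decisions and return them keyed by scenario."""
    payroll = Record("payroll-2024", "confidential", frozenset({"payroll"}))
    memo = Record("all-hands-memo", "internal")
    alice = Principal("alice", "confidential", frozenset({"payroll"}),
                      frozenset({"payroll-2024"}))
    bob = Principal("bob", "restricted", frozenset({"legal"}))
    carol = Principal("carol", "internal", frozenset({"payroll"}))
    return {
        "alice_reads_payroll": authorize(alice, payroll, "read"),
        "alice_writes_payroll": authorize(alice, payroll, "write"),
        "bob_reads_payroll": authorize(bob, payroll, "read"),     # cleared, no need-to-know
        "carol_reads_payroll": authorize(carol, payroll, "read"), # clearance too low
        "carol_writes_memo": authorize(carol, memo, "write"),     # may read, not write
    }


if __name__ == "__main__":
    for scenario, (allowed, reason) in demo().items():
        print(f"{scenario:22s} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The point the bob case makes is that clearance and need-to-know are independent checks: a principal with the highest clearance is still denied a record whose compartment they do not hold, which is what keeps broad-by-default access from creeping in.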
When confidentiality fails, the result is a data breach: personal information exposed, financial records leaked, trade secrets stolen, internal communications published. The cost can be measured in regulatory penalties, customer trust loss, competitive damage, and the operational expense of incident response and notification.
Integrity: making sure data hasn’t been changed inappropriately
Integrity is the property that information is accurate, complete, and hasn’t been modified by anyone who shouldn’t be modifying it. Confidentiality is about who can see the data; integrity is about who can change it (and whether unauthorized changes get detected).
Integrity controls include:
- Access controls on modifications: separating the right to read from the right to write. Many users may need to view a record; far fewer need the right to modify it.
- Audit logging: recording who changed what and when, so that inappropriate changes can be detected and investigated after the fact.
- Cryptographic hashing and signing: producing fingerprints of data that change if the data changes, making tampering detectable. Software distribution typically uses cryptographic signatures so users can verify the code hasn’t been modified by a third party.
- Version control and backups: preserving prior states so that inappropriate changes can be reverted. Backups serve integrity (reverting bad changes) as well as availability (restoring after outages).
- Validation and integrity checks: at the application level, verifying that data conforms to expected formats and constraints. This defends against accidental corruption as well as deliberate manipulation.
- Separation of duties: requiring multiple people for high-impact changes. One person creates the change; another approves it. This prevents both insider threats and single-point-of-failure mistakes from causing damage.
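The hashing-and-signing bullet above deserves a concrete illustration of what a fingerprint does and does not detect. The following is an added example, not code from the original post, using only the Python standard library: an unkeyed SHA-256 digest stored beside a record catches accidental corruption, but anyone who can modify the record can also recompute that digest, so it does not catch deliberate tampering. A keyed HMAC tag, whose key the writers of the data store do not hold, catches both. The record and key are constructed for illustration; a signature scheme gives the same tamper-evidence with a public verification key, which is why software distribution uses signatures rather than bare hashes.

```python
"""Added example: unkeyed hash versus keyed HMAC as integrity fingerprints.
Not from the original post; the record, key and scenarios are constructed."""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    # Deterministic serialization so the same record always yields the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    """Unkeyed fingerprint: changes whenever the record changes."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(record: dict, key: bytes) -> str:
    """Keyed fingerprint: cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_unkeyed(stored: dict) -> bool:
    # compare_digest avoids leaking where the comparison diverged.
    return hmac.compare_digest(digest(stored["data"]), stored["digest"])


def verify_keyed(stored: dict, key: bytes) -> bool:
    return hmac.compare_digest(seal(stored["data"], key), stored["tag"])


def demo() -> dict:
    """Return, per scenario, whether each check caught the change."""
    key = secrets.token_bytes(32)          # held by the verifier, not by writers
    record = {"account": "ACC-0001", "balance": 100}
    stored = {"data": dict(record), "digest": digest(record), "tag": seal(record, key)}
    results = {"intact": verify_unkeyed(stored) and verify_keyed(stored, key)}

    # Accidental corruption: a value changes but the stored fingerprints do not.
    corrupted = {"data": {**record, "balance": 1000},
                 "digest": stored["digest"], "tag": stored["tag"]}
    results["corruption_caught_unkeyed"] = not verify_unkeyed(corrupted)
    results["corruption_caught_keyed"] = not verify_keyed(corrupted, key)

    # Deliberate tampering: the modifier recomputes the unkeyed digest to match,
    # but has no key and so can only leave the old HMAC tag in place.
    tampered = {"data": {**record, "balance": 1000}}
    tampered["digest"] = digest(tampered["data"])
    tampered["tag"] = stored["tag"]
    results["tamper_caught_unkeyed"] = not verify_unkeyed(tampered)
    results["tamper_caught_keyed"] = not verify_keyed(tampered, key)
    return results


if __name__ == "__main__":
    for scenario, caught in demo().items():
        print(f"{scenario:26s} {caught}")
```

Running it shows the unkeyed check passing on the tampered record (the modification went undetected) while the keyed check fails it; the practical lesson is that a hash stored next to the data it protects is a checksum, not an integrity control, unless something the modifier lacks (a key) goes into it.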
When integrity fails, the result is data that can’t be trusted: financial records that don’t match reality, customer data that’s been altered, software that’s been tampered with, decisions made on the basis of false information. Integrity failures are often more costly than confidentiality failures because they undermine the foundation of business decision-making.
Availability: making sure systems and data are accessible when needed
Availability is the property that authorized users can access information and systems when they need them. Confidentiality and integrity are about keeping the wrong things from happening; availability is about ensuring the right things continue to happen.
Availability controls include:
- Redundancy: backup systems, redundant hardware, multiple network paths. When a single component fails, others continue providing the service.
- Capacity planning: provisioning systems with enough capacity to handle peak demand. Insufficient capacity is an availability failure even when nothing else has gone wrong.
- Disaster recovery: the discipline of restoring systems after major incidents (covered in our disaster recovery planning piece).
- DDoS protection: defending against denial-of-service attacks that try to make systems unavailable by overwhelming them with malicious traffic.
- Patching and maintenance discipline: keeping systems healthy so they don’t fail at inopportune moments. Unpatched systems are availability risks as well as security risks.
- Monitoring and alerting: detecting availability issues fast enough to respond before users notice. Mean time to detect and mean time to recover are availability metrics.
When availability fails, the result is downtime: systems users can’t reach, data they can’t access, business functions that can’t operate. The cost is measured in lost revenue during the outage, productivity loss across the affected users, customer trust damage if outages are visible or frequent, and the operational expense of response and recovery.
Why all three matter, not just one
A common misconception is that cybersecurity is primarily about confidentiality (keeping data secret). Confidentiality is important, but it’s one third of the picture. A security program that’s strong on confidentiality but weak on integrity or availability is incomplete.
Real-world incidents demonstrate all three failure modes:
- The Equifax breach (2017) was primarily a confidentiality failure: personal data on 147 million people was exposed.
- Ransomware attacks are primarily availability failures (the data is encrypted and inaccessible) and increasingly also confidentiality failures (the data is exfiltrated before encryption).
- Software supply chain attacks (SolarWinds, 3CX, others) are integrity failures: the software customers installed had been modified to include malicious code.
- Distributed denial-of-service attacks are pure availability failures: legitimate users can’t reach systems because attackers are overwhelming them with traffic.
- Database manipulation attacks (less publicized but common) are integrity failures: records are altered in ways that benefit the attacker or harm the victim.
A complete security program addresses all three. Programs that focus only on confidentiality often discover during incidents that they’ve under-invested in integrity and availability protection.
When the three pull against each other
The properties are sometimes in tension with each other, and the security discipline includes deciding how to balance them.
Confidentiality vs. availability. Locking down access protects confidentiality but can make systems harder to use. The extreme version: a system so locked down that nobody can use it has perfect confidentiality and zero availability. The healthy version balances both: appropriate access for those who need it, blocked access for those who don’t.
Integrity vs. availability. Validation and integrity checks add processing overhead and can sometimes block legitimate operations that look unusual. Strict change controls protect integrity but can slow down the rate at which legitimate changes ship. The healthy version uses risk-proportionate controls: more discipline for high-impact changes, less for low-impact ones.
Availability vs. confidentiality. Backups serve availability but create additional copies of sensitive data that need their own confidentiality protection. Logging and monitoring serve integrity and availability but generate data that itself needs protection.
The security discipline isn’t about maximizing one property; it’s about finding the right balance for the specific context and business. A hospital electronic health record system might prioritize availability (clinicians need access immediately for patient care) over confidentiality (which is also vital but addressed through audit and after-the-fact controls). A military intelligence system might prioritize confidentiality (compromise of certain information would be catastrophic) over availability (some users wait for access). Both choices are defensible; the right one depends on the use case.
Extensions and criticisms of the framework
The CIA triad is foundational but not the only model. Several extensions have been proposed.
The Parkerian Hexad (proposed by Donn Parker in 1998) extends the triad with three additional properties: Possession (control of the data, distinct from confidentiality), Authenticity (who or what the data represents being verifiable), and Utility (the data being in a useful form). The extension captures nuances the triad doesn’t, though the triad remains more widely used.
The AAA framework (Authentication, Authorization, Accounting) emphasizes the operational controls that maintain confidentiality and integrity. AAA complements CIA rather than replacing it.
Privacy as a fourth leg has been argued for, particularly as data-protection regulations have evolved. Privacy overlaps with confidentiality but has additional dimensions (purpose limitation, data minimization, user rights) that aren’t captured by confidentiality alone.
The criticism that the triad is too abstract is fair in some contexts. CIA doesn’t directly answer questions like "what controls should we implement first?" or "where should our budget go?" Those questions need risk assessment and threat modeling, not just the triad. The triad is a thinking tool, not a checklist.
For most practical purposes, the triad remains the most useful starting framework. Extensions are valuable in specific contexts but rarely change the basic logic of identifying which property is at risk and what controls address it.
How to use the CIA triad in practical decisions
A few specific ways the triad shows up in operational security work.
Risk assessment. For each significant business asset (a database, an application, a service), ask: what’s the impact of losing confidentiality, integrity, or availability? The answers shape what controls are warranted.
Incident response prioritization. During an active incident, the triad helps prioritize. If integrity is at risk (data being modified), containment may matter more than confidentiality. If availability is the active failure, restoration may matter more than forensics until the immediate damage is bounded.
Control selection. When evaluating a proposed security control, ask which property it serves. Are there other properties at risk that this control doesn’t address? Where does the protection leave gaps that compound risk?
Compliance mapping. Most compliance frameworks (HIPAA, PCI-DSS, SOC 2, ISO 27001) can be mapped to the triad. The mapping helps clarify what each control is really protecting and where the framework’s controls leave gaps.
Communication with non-security stakeholders. "We need to invest in confidentiality controls" or "this is an availability risk" is more legible to non-technical leadership than the underlying technical detail. The triad makes security conversations cross-functional.
Frequently Asked Questions
Why is it called the CIA triad?
The name comes from the first letters of the three properties: Confidentiality, Integrity, Availability. The triad framing dates to early information security work in the 1970s and 1980s, predating modern cybersecurity by decades. The “CIA” abbreviation has nothing to do with the U.S. Central Intelligence Agency; the overlap is coincidental.
Is confidentiality more important than integrity or availability?
Not universally. The relative importance depends on the use case. For healthcare records, availability is often the most critical property (clinicians need immediate access for patient care). For financial records, integrity is often most critical (records must be accurate). For intelligence material, confidentiality is often most critical (exposure could be catastrophic). A complete security program addresses all three with priority weighting that matches the specific business and threat context.
How does the CIA triad relate to compliance frameworks like HIPAA or PCI-DSS?
Most compliance frameworks can be mapped to the CIA triad. HIPAA’s Security Rule explicitly references the three properties. PCI-DSS controls map across all three. SOC 2 trust services criteria include security, availability, processing integrity, confidentiality, and privacy, which substantially overlap with the triad plus extensions. The triad is the conceptual foundation that the frameworks operationalize with specific controls.
What’s the Parkerian Hexad and should I use it instead?
The Parkerian Hexad (proposed by Donn Parker in 1998) extends the CIA triad with three additional properties: Possession, Authenticity, and Utility. The hexad captures nuances the triad doesn’t, particularly around distinguishing physical or operational control of data from confidentiality. For most practical purposes, the triad remains the more widely used and sufficient framework; the hexad is worth knowing as a complement but typically doesn’t replace the triad in operational use.
How can I use the CIA triad in my own security program?
A few practical applications: in risk assessment, evaluate each business asset against all three properties; in control selection, name which property each proposed control protects; in compliance work, map your controls to the triad to identify gaps; in incident response, use the triad to prioritize what to defend first; in security conversations with non-technical leadership, frame issues in triad terms to communicate the underlying risk without requiring technical detail.