
The CIA Triad: The Three Words Behind Every Security Decision

Confidentiality, integrity, availability. A beginner-friendly guide to the model that quietly sits behind almost every security control, attack, and trade-off.

HolyGhost · 9 min read

Picture your phone for a moment. There is a photo on it you would not want a stranger to see. There is a bank balance you need to be exactly right, down to the cent. And there is a maps app you rely on to actually load when you are lost in an unfamiliar suburb. Without naming it, you already care about three completely different things: keeping something private, keeping something correct, and keeping something working. That is not a coincidence. Those three cares are the whole of what security tries to protect.

Ask what security is actually protecting and the answer, nearly always, is one of three things: confidentiality, integrity, or availability. Together they are called the CIA triad, and it has nothing to do with the agency of the same initials. It is the simple model sitting underneath almost every control and every attack, and it is worth knowing cold. Once it clicks, a huge amount of security stops feeling like a jumble of jargon and starts feeling like common sense.

The three properties

Let us take them one at a time. For each, we will say what it means in plain words, how defenders protect it, and how attackers go after it.

Confidentiality: keeping data private

Confidentiality means only the people who should see information can see it. That is it. Your medical history should be visible to you and your doctor, not to your employer or a random person on the internet.

When you hear about a "data breach" in the news, that is almost always a confidentiality failure: information reached someone who should not have it. The data itself was not necessarily changed or destroyed. It just leaked out to the wrong eyes.

A few terms worth unpacking, since they come up constantly:

  • Encryption is scrambling data with a secret key so that anyone without the key just sees gibberish. Think of it as writing your diary in a code only you can read.
  • Access controls are the rules that decide who is allowed to open what. A login screen is an access control. So is the setting that stops a junior employee from viewing payroll files.
  • Authentication is the process of proving you are who you claim to be, usually with a password, a code from your phone, or a fingerprint.

Here is how confidentiality plays out in practice:

  • Protected by: encryption, access controls, and strong authentication.
  • Attacked by: stolen credentials (an attacker logs in as you), eavesdropping (someone listens in on data as it travels), and leaks like Heartbleed, where a flaw let attackers quietly read memory they should never have touched.

Integrity: keeping data correct

Integrity means information is accurate, has not been tampered with, and that changes come only from authorised sources. The word "tamper" just means to change something in a sneaky or unauthorised way.

A bank balance being silently altered is an integrity failure, and it is often more dangerous than a leak. If someone reads your bank balance, that is bad. If someone changes it, or changes where your salary gets paid, the damage is immediate and concrete. Integrity is also why you can trust that the software update you downloaded is the real thing and not a poisoned copy.

The main defenders of integrity are worth knowing by name:

  • Hashing turns a piece of data into a short, fixed-length fingerprint. Change even one character of the original and the fingerprint changes completely, so a mismatch tells you something was altered. A checksum is the same idea used to catch accidental corruption.
  • Digital signatures combine hashing with public-key cryptography to prove both that data has not changed and that it genuinely came from the holder of a specific private key.
  • Audit logs are tamper-resistant records of who did what and when, so you can spot and prove unauthorised changes after the fact.

In practice:

  • Protected by: hashing and checksums, digital signatures, access controls, and audit logs.
  • Attacked by: tampering, unauthorised changes, and injection flaws that let attackers modify data, such as SQL injection.

Availability: keeping it accessible

Availability means the system and its data are there when legitimate users need them. A shop with the best lock in the world is useless to its customers if the front door is welded shut. Security that makes something so safe nobody can use it has failed at availability, which is a real property, not an afterthought.

A website knocked offline is an availability failure, even though nothing was stolen and nothing was changed. The information is still private and still correct. It is just unreachable, and for a business that can mean losing customers by the minute.

Some terms that come up here:

  • Redundancy means having spare copies or backup systems, so if one fails another takes over. Two power supplies instead of one, two servers instead of one.
  • Backups are saved copies of your data you can restore from if the live version is lost or corrupted.
  • A denial of service attack, often shortened to DoS, is a deliberate attempt to overwhelm a system with junk traffic so real users cannot get through. When many machines do this at once, it is a distributed denial of service, or DDoS.

In practice:

  • Protected by: redundancy, backups, capacity planning, and denial of service protection.
  • Attacked by: denial of service floods, ransomware that locks up data until you pay, and plain old outages and hardware failures.

Every control serves one or more of these

Encryption serves confidentiality. A signature serves integrity. A backup serves availability. When you meet a new security control, ask which of the three it protects, and it will slot straight into place. This one habit turns a scary list of tools into a tidy mental filing cabinet.

The three pull against each other

Here is the part that surprises beginners. The triad is not just a tidy list. It is a set of trade-offs. Push hard on one property and you often strain another, because the same barrier that keeps attackers out can also slow down the people who belong.

More confidentiality  ->  heavy access checks can slow people down (availability)
More availability     ->  more copies and access can widen exposure (confidentiality)
More integrity checks ->  more friction before data can change (availability)

Think about a workplace that suddenly demands a fresh password and a phone code every single time you open any document. That is a big win for confidentiality. It is also a nightmare for availability, because people cannot get their work done, and some of them will quietly write passwords on sticky notes, which then hurts confidentiality anyway. Everything connects.

Good security is not maxing out all three at once. It is balancing them for what you are actually protecting. A public blog leans hard on availability and integrity, and barely needs confidentiality, because the whole point is that everyone can read it. A medical records system weights confidentiality far more heavily, and will happily accept a slower, more locked down experience to keep patient data private. The right balance depends entirely on the asset in front of you.

There is no perfect setting, only the right setting for the asset

Before you decide how tightly to lock something down, ask a simple question: what happens if this leaks, what happens if this is wrong, and what happens if this is unavailable? Whichever answer is scariest tells you which corner of the triad to weight. A password manager fears a leak most. A hospital heart monitor fears downtime most.

Why it is such a useful lens

Once the triad is in your head, security stops being a pile of disconnected facts and starts being a small set of questions you can ask about anything.

  • A new attack is much easier to reason about when you ask which property it breaks. Ransomware? That is mostly an availability attack, because it locks up your files, though modern ransomware often steals the data too, which drags in confidentiality. A defaced website? Integrity. A leaked customer database? Confidentiality.
  • A new control makes sense once you see which property it defends. You do not have to memorise a thousand tools. You just sort each one into the drawer it belongs in.
  • A risk is really the chance that a threat harms confidentiality, integrity, or availability. That ties straight back to the way security teams think about threat, vulnerability, and risk, where risk is the likelihood of harm multiplied by how bad the harm would be.

The triad also gives you a shared language. When two security people argue about a design, they are very often really arguing about which corner of the triad matters most for that particular system. Naming it out loud usually settles the argument faster.

Do not forget availability is a security property

Beginners often think of security as purely about secrets and locks, which is confidentiality thinking. But an attacker who cannot read your data can still hurt you badly by making it unavailable or subtly wrong. Ransomware crews learned this years ago. Availability and integrity failures can be just as damaging as a leak, sometimes more so.

A quick worked example

Imagine you run a small online shop. Walk it through the triad:

Confidentiality  ->  customer card details and addresses stay private
Integrity        ->  prices and order totals are correct, not altered by anyone
Availability     ->  the checkout page loads, especially during a big sale

Now every security decision has a home. Encrypting card data serves confidentiality. Signing your order records and logging every change serves integrity. Having a second server ready and protection against traffic floods serves availability. You did not need to be an expert to organise your priorities. You just needed three words.
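Here is the integrity half of that shop in working code, as an added example that is not part of the original post: the hashing, signing and tamper-resistant audit log from the integrity section, applied to an order record. It assumes a constructed order, an example signing key, and uses an HMAC (a shared-key stand-in for a public-key digital signature) so the same "unchanged, and from a known sender" check runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Example-only shop secret (constructed; a real deployment keeps this in a secret store).
SIGNING_KEY = b"example-shop-signing-key-not-real"

# Constructed sample order record for the shop described in the text.
ORDER = {"order_id": "A-1001", "items": ["mug", "poster"], "total_cents": 1299}


def canonical(obj) -> bytes:
    """Stable JSON encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(record: dict) -> str:
    """Hashing: a fixed-length digest that changes completely if any field changes."""
    return hashlib.sha256(canonical(record)).hexdigest()


def sign(record: dict, key: bytes = SIGNING_KEY) -> str:
    """HMAC over the record: proves it is unchanged AND was produced by a key holder.
    A public-key digital signature gives the same guarantee without sharing the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = SIGNING_KEY) -> bool:
    """Constant-time comparison so the check itself does not leak the valid tag."""
    return hmac.compare_digest(sign(record, key), tag)


def append_log(log: list, event: dict) -> None:
    """Audit log entry chained to the previous one: editing or deleting an earlier
    entry breaks every hash after it, which log_is_intact() then detects."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry_hash = hashlib.sha256(prev.encode() + canonical(event)).hexdigest()
    log.append({"prev": prev, "event": event, "entry_hash": entry_hash})


def log_is_intact(log: list) -> bool:
    """Walk the chain from the start and recompute every link."""
    prev = "0" * 64
    for entry in log:
        expected = hashlib.sha256(prev.encode() + canonical(entry["event"])).hexdigest()
        if entry["prev"] != prev or entry["entry_hash"] != expected:
            return False
        prev = entry["entry_hash"]
    return True
```

Shaving one digit off `total_cents` changes the fingerprint and fails `verify`, and editing or deleting any earlier audit entry makes `log_is_intact` return False.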

The takeaway

The CIA triad is three properties every security effort protects: confidentiality (keep it private), integrity (keep it correct), and availability (keep it accessible). Every control defends one or more of them, every attack breaks one or more of them, and they trade off against each other, so the real skill is balancing them for the asset at hand. Learn to ask "which of the three does this touch" and a huge amount of security suddenly makes sense. It is the quiet backbone of how security people think, and now it is yours too.