The Question Behind the Model
Every security decision answers the same question. What property of this asset are we trying to preserve, and against whom?
A locked filing cabinet, a TLS handshake, and an offsite backup tape have nothing in common at the implementation level. They share a purpose. Each one defends some property of information that, if lost, would harm the owner. The CIA Triad names the three properties worth defending in nearly every context, so that engineers, auditors, lawyers, and executives can talk about security using the same vocabulary.
The model does not tell you how to defend anything. It tells you what you are defending. That distinction is why the triad keeps reappearing in NIST standards, ISO 27000, HIPAA, PCI DSS, and every introductory cybersecurity textbook for the last forty years.
The Three Properties
The triad consists of three properties of information and the systems that handle it. Each has its own page in this subsection. The short definitions below are the working vocabulary you will use for the rest of the course.
Confidentiality is the property that information is disclosed only to parties authorized to see it. The opposite of confidentiality is disclosure. The classic mechanisms are encryption, access controls, and classification.
Integrity is the property that information has not been modified except by parties authorized to modify it, and that any unauthorized modification can be detected. The opposite of integrity is unauthorized alteration. The classic mechanisms are hashing, digital signatures, and message authentication codes.
Availability is the property that information and the systems that handle it are accessible to authorized parties when they need them. The opposite of availability is denial. The classic mechanisms are redundancy, capacity planning, backups, and failover.
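As an added illustration of the integrity definition above (example code written for this page, not part of the course material), the block below contrasts a plain hash with a keyed MAC: the hash detects accidental corruption, but only the MAC detects a deliberate rewrite by a party who can also replace the stored digest. The sample record, key and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record: an "authorized" payload the owner wants to protect.
RECORD = b"account=1042;balance=250.00"

# Integrity via a plain hash: detects accidental corruption only.
def sha256_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_hash(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(sha256_digest(data), digest)

# Integrity via a MAC: the tag depends on a key the unauthorized party does
# not hold, so a rewritten record cannot be paired with a valid tag.
def mac_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    # constant-time comparison so the check itself does not leak the tag
    return hmac.compare_digest(mac_tag(key, data), tag)

def simulate() -> dict:
    """Return which check catches which kind of modification."""
    key = secrets.token_bytes(32)            # known only to the owner/verifier
    digest = sha256_digest(RECORD)
    tag = mac_tag(key, RECORD)

    # Case 1: a bit-flip in transit; the stored digest and tag are untouched.
    corrupted = RECORD.replace(b"250.00", b"250.01")
    # Case 2: an unauthorized party rewrites the record AND recomputes the hash.
    forged = b"account=1042;balance=9999.00"
    forged_digest = sha256_digest(forged)     # anyone can compute an unkeyed hash
    # Without the key, the best they can do is leave the old MAC tag in place.
    return {
        "hash_catches_corruption": not verify_hash(corrupted, digest),
        "hash_catches_forgery": not verify_hash(forged, forged_digest),   # False
        "mac_catches_corruption": not verify_mac(key, corrupted, tag),
        "mac_catches_forgery": not verify_mac(key, forged, tag),
    }

if __name__ == "__main__":
    for check, result in simulate().items():
        print(f"{check}: {result}")
```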
Where the Model Came From
The triad did not spring into existence in 1977 fully formed. The three properties were named separately in different contexts before being combined into a single model.
- Confidentiality as a security goal traces to military and intelligence work going back to ancient cryptography, formalized in the Cold War-era U.S. classification system.
- Integrity entered the computer security vocabulary in the late 1970s, formalized in the 1987 Clark-Wilson model, which focused on commercial systems where data accuracy mattered more than secrecy.
- Availability became a first-class concern as organizations grew dependent on continuous computer operation, especially after the 1988 Morris Worm shut down roughly ten percent of the internet and made denial of service a household phrase.
The three were grouped together in early NIST publications and reached canonical form in NIST SP 800-12 and FIPS 199, both of which define information security in terms of the triad. John McCumber's 1991 information security cube placed the triad on one of its three axes, cementing its place in security education.
You may also see the triad written as "the three pillars of information security," "the AIC triad" (when authors want to lead with availability), or just "InfoSec basics." All three labels refer to the same model.
Why a Triangle
The choice to draw the model as a triangle rather than three bullet points was not arbitrary. A triangle is a geometry of interdependence. You cannot pull on one vertex without affecting the other two. That visual claim is also a technical claim: real security controls usually trade one pillar against another.
Consider an obvious example. Encrypting every file on a server with a key only the CEO knows maximizes confidentiality. It also destroys availability for everyone who is not the CEO, including the CEO once they lose the key. Pushing one corner pulls the others.
The full treatment of this idea is on the Tensions Between Pillars page. For now, hold onto the shape. When you encounter a security control later in this course, ask yourself which corner it strengthens and which it weakens. Almost every control does both.
What the Triad Does Not Cover
The CIA Triad is forty-eight years old, and the world it was built for is not the world we live in. Several real security concerns sit uncomfortably inside the model:
- Possession versus disclosure. A thief who copies your encrypted backup tape has not violated confidentiality (they cannot read it) but has taken something that belongs to you.
- Authenticity versus integrity. A message that arrives unchanged from a forged sender has integrity in the strict sense, but its provenance is a lie.
- Utility versus availability. Data that is technically accessible but in a format nobody can use (an encrypted file whose key was lost, a database in a deprecated schema) fails the practical goal of availability without violating its strict definition.
These edge cases motivated Donn Parker's 1998 Parkerian Hexad, which extends the triad with three additional properties. The hexad is covered in detail on its own page later in this subsection. For now, recognize that the triad is a starting point, not the whole map.
All models are wrong. Some are useful. The triad is one of the most useful models in cybersecurity, but no real incident is purely a confidentiality incident or purely an availability incident. Use the model to organize your thinking, not to box yourself in.
The Working Vocabulary
You will see the following terms repeatedly throughout Rolling Thunder Security. They are introduced briefly here so that the next pages can use them without stopping to define them.
| Term | Working definition |
|---|---|
| Asset | Anything of value that the organization wants to protect. Data, systems, personnel, reputation. |
| Threat | A circumstance or actor with the potential to cause harm to an asset. |
| Vulnerability | A weakness that a threat could exploit to harm an asset. |
| Risk | The expected harm from a threat exploiting a vulnerability. Roughly: likelihood times impact. |
| Control | A measure taken to reduce risk by addressing a threat, a vulnerability, or both. |
| Incident | An event that does, or could, compromise one or more pillars of the triad. |
From the next page onward, each pillar gets a deep dive. We will define it precisely, examine its mechanisms, look at how it fails, and walk through a real-world breach that demonstrates the failure.