CIA: Confidentiality, Integrity, and Availability

CIA: Confidentiality, Integrity, and Availability 

Decorative image: CIA: Confidentiality, Integrity, and Availability [lecture]

Principles of information security

So, now you know what assets to protect, what are some of the most basic controls that organisations should use to protect their assets?

Well, you may already have heard of the following three principles of information security:

  1. Confidentiality
  2. Integrity
  3. Availability

They are commonly shortened to CIA.

These are the three primary considerations of information security objectives. Nearly all controls provided by information assurance will provide some support for these objectives.


What does this really mean?

Confidentiality ensures that information is not disclosed to unauthorised persons or processes. Confidentiality refers to requirements that information is protected to prevent unauthorised disclosure, both intentionally and accidentally. Loss of confidentiality can occur in many ways, such as through the intentional release of private company information by a disgruntled employee, or an email carelessly sent to the wrong recipient. Restricting access to information to those who have a need to know is good practice and is based on this principle of confidentiality. Controls to uphold confidentiality form a major part of the wider aspect of information assurance.

Two examples you might consider, where a breach of confidentiality might cause an issue are:

  1. Your medical records are obtained by a potential employer without your permission, and they are used when considering you for a role where it is irrelevant to the position.
  2. A competitor steals your secret formula for your world-famous ice cream and sells it at half the price.

Confidentiality refers to limits on who can get access to what information. For example, executives concerned about protecting their enterprise’s strategic plans from competitors, or individuals concerned about unauthorised access to their personal financial records.


To understand the principle of integrity, be aware that some information is only useful if it is complete and accurate. Maintaining the integrity (completeness and accurateness) of information is critical to any system.

Integrity ensures the following:

  • Uncontrolled modifications are not made to data by staff or processes
  • The data is internally and externally consistent
  • The data is sufficiently accurate for its intended purpose

Examples might be where:

  • A student modifies their exam grade to get a better mark
  • An online payment system alters an electronic cheque to read £10,000 instead of £100.00
  • Location data for trains on a train network must be reliable, accurate and up to date


This principle ensures reliable and timely access to data or computing resources by appropriate personnel. In other words, availability guarantees that systems are up and running when they are needed. Availability is closely associated with redundancy, fail-over and duplication of resources.

Examples to consider are:

  • A wireless access point is accidentally damaged, and staff can’t connect to the network
  • An attack is launched against a website so that it becomes unreachable
  • A critical sensor in a power station fails and causes a shutdown

A distributed denial-of-service (DDoS) attack is a malicious attempt to block the normal traffic of a targeted server, service or network by flooding the target with Internet traffic, so real users cannot access the site. For example, Amazon Web Services suffered a huge (DDoS) attack in 2020.


This principle is all about holding individuals to account by knowing who did what, and when they did it.

ISO/IEC 27000 defines non-repudiation as:

‘[The] ability to prove the occurrence of a claimed event or action and its originating entities.’

From this, you can see that non-repudiation refers to the presentation of evidence that cannot be forged, whereby the message can be proven as being sent or received. If messages or transactions can be disputed, then important identity actions can be challenged and jeopardised. Normally, proof is determined by a third-party where neither the sender nor receiver can dispute the action.

Some examples to consider might be:

  • Proving that a person sent an email to their manager
  • Proving that an individual performed a transaction, such as ordering goods from the Internet
  • Being able to tie an action to a particular user beyond reasonable doubt

What’s next?

Now, with a clearer definition of information security and having encountered CIA, which is one of the cornerstones of security, you will now take a closer look at defence and accountability.

1h 4m

In this course, you’ll be looking at numerous aspects of the risk matrix including the risk and threats involved in big data, the Internet of Things (IoT), the dark web and social media. You'll also be exploring threat intelligence, unified threat management (UTM), and security risk. You'll also see how you can use open-source intelligence (OSINT) and Dark Web Threat Intelligence to help you establish, improve and refine your risk treatment. All of this ensures that your organisation is protected from and alert to the constantly evolving series of information security threats. 

However, before you go on to threat management, let's first review risk and see how it relates to cyber security. 

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.