The CIA Triad is Dead

For decades, those in cybersecurity were fed the doctrine of CIA: Confidentiality, Integrity, and Availability – the pillars or foundational principles of information security. Advances and changes in information technology have rendered the CIA triad obsolete.

For many years, information technology has been used in numerous applications where life safety is a major concern. Examples include:

  • Patient health monitoring
  • Patient medication delivery (e.g., IV pumps)
  • Robotic surgery
  • Autonomous vehicles
  • Autopilots
  • Domestic robots

You can probably add more examples to the above list.

The CIA Triad should give way to the CIAS pyramid: confidentiality, integrity, availability, and life safety. I first argued for this in my book, CISSP For Dummies, 5th edition (2016), on page 37, and again in CISM Certified Information Security Manager All-In-One Exam Guide (2018) on page 382, where I made the case for confidentiality, integrity, availability, and life safety as the foundational set.

As a simple model and a reminder of foundational principles, the CIA triad has served us well. As a foundational principle, however, it now falls short: in the systems listed above, the most critical property is safety, and above all life safety, which the triad does not name.

2 thoughts on “The CIA Triad is Dead”

  1. Gary Hinson

    Just as the late lamented Donn Parker noted that factors such as ‘utility’ are also important, we could add ‘value’ and ‘dynamics’, ‘ownership’, ‘possession’, ‘governance’, ‘control’, ‘ethics’ and ‘compliance’ etc. to the mix … and not least ‘risk’ or better still ‘information risk’.

    Personally, I find the basic CIA quite useful as a prompt to consider information risks from various angles, rather than constraining or defining the things to be considered – particularly if you deliberately interpret those three little words very broadly (e.g. confidentiality hints at privacy, while integrity hints at trust and assurance) and consider the tensions between them (e.g. access controls that increase confidentiality and integrity also reduce the availability of information for legitimate purposes).

    While I agree that health and safety is both important and increasingly relevant with the rise of robotics and AI (that’s I for intelligence, not insemination!), I believe human beings qualify as information assets, hence the associated information risks can be identified, evaluated and treated in the same manner as others. Maintaining our integrity and availability as people makes sense, plus our confidentiality (privacy, personal space and more). Not having ‘safety’ or other concerns called out explicitly in the acronym doesn’t stop me considering those aspects … but maybe it would be a worthwhile reminder.

  2. panzrwagn

    Your pyramid uses the points. It would be (IMHO) more effective if you used planes, i.e., the bottom plane, cybersecurity, is defined by the adjoining CIAS planes. That provides a richer interface with the other components of the model. It further allows placing of various security models within the pyramid, visually showing their strengths and weaknesses – or balance.
