
The CIA Triad is Dead

For decades, those in cybersecurity were fed the doctrine of CIA: Confidentiality, Integrity, and Availability – the pillars or foundational principles of information security. Advances and changes in information technology have rendered the CIA triad obsolete.

For many years, information technology has been used in numerous applications where life safety is a major concern. Examples include:

  • Patient health monitoring
  • Patient medication delivery (e.g., IV pumps)
  • Robotic surgery
  • Autonomous vehicles
  • Autopilots
  • Domestic robots

You can probably add more examples to the above list.

The former CIA Triad should give way to the CIAS pyramid: confidentiality, integrity, availability, and life safety. I first argued for this in my book, CISSP For Dummies, 5th edition (2016), on page 37, as well as in CISM Certified Information Security Manager All-In-One Exam Guide (2018) on page 382, where I argued for confidentiality, integrity, availability, and life safety.

As a simple model and a reminder of foundational principles, the CIA triad has served us well. However, as a foundational principle, the CIA triad now falls short, because arguably the most critical aspect, where it applies, is safety and life safety.

The CIA Triad is also the basis for our ethical behavior


The CIA Triad forms the core principles of information security: confidentiality, integrity, and availability. These principles govern how information and systems should be designed and managed.

The CIA Triad also applies to our professional behavior as information security professionals.

Confidentiality

We are obligated to keep many secrets – corporate secrets, staff secrets, and personal secrets. We must keep this confidential information under wraps and earn the trust of employers, colleagues, and regulators every day.

Integrity

We must act with integrity. We must develop sound policies and uphold them without bias. We must point out errors and misdeeds, dispassionately and objectively, in order to uphold the common good. We must seek out and defend the truth in all situations we find ourselves in.

Availability

Even when we may feel too weary to do so, we should be available for consultation to our employers and our colleagues. There are too few data security professionals, and our counsel is needed often, especially when the advice that is sought has high-value outcomes.

Being available means we must manage our time well, to ensure that we are working on the truly important tasks and not merely the urgent ones. Risk professionals are influencers, and we must be sure to influence outcomes in situations that really matter.