Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

1.1.1. The CIA Triad as a Decision Framework

💡 First Principle: The CIA Triad isn't just a definition to memorize — it's a diagnostic tool. When something goes wrong in security, the impact maps to a failure of Confidentiality, Integrity, or Availability (often more than one at once). When you're designing a control, it should protect at least one of these three properties, and you should be able to say which.

Confidentiality ensures that information is accessible only to those authorized to see it. When a hacker steals customer credit card numbers, confidentiality has failed. When an employee accidentally emails a salary spreadsheet to the wrong distribution list, confidentiality has failed. The protection mechanism is always some form of access restriction — encryption, permissions, classification labels.

Integrity ensures that information hasn't been tampered with or altered without authorization. When a man-in-the-middle attacker changes a bank transfer amount from $100 to $10,000, integrity has failed. When a database corruption silently changes patient records, integrity has failed. The protection mechanism is always some form of verification — checksums and hashes against accidental corruption, message authentication codes and digital signatures against deliberate tampering (an attacker who can rewrite the data can also recompute an unkeyed checksum), and audit logs so that unauthorized changes can be detected and traced after the fact.
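The paragraph above groups checksums, hashes and signatures together, but they defend against different integrity failures. The following Python example is added here and is not part of the course material; it walks the bank-transfer scenario through both cases. A CRC32 checksum catches a silent single-bit corruption but not the man-in-the-middle edit, because the attacker simply recomputes it; an HMAC-SHA256 tag over the same message (standing in for a digital signature, with a shared key instead of a key pair) catches the edit because the attacker cannot produce a valid tag without the key. The account identifiers, message format and key are constructed for illustration.

```python
"""Integrity check on a bank-transfer message: unkeyed checksum vs. keyed MAC.

Added example, not from the course text. The message format, account numbers
and shared key below are constructed for illustration only.
"""
import hashlib
import hmac
import zlib

# Constructed sample: the legitimate transfer the client sends.
ORIGINAL = b"from=ACC-1001;to=ACC-2002;amount=100.00;currency=USD"

# Assumption: a secret shared by client and bank that the attacker never sees.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def send_with_checksum(message: bytes) -> tuple[bytes, str]:
    """Unkeyed integrity tag (CRC32). Anyone can compute it, so it only
    protects against accidental corruption, not a deliberate attacker."""
    return message, format(zlib.crc32(message), "08x")


def verify_checksum(message: bytes, tag: str) -> bool:
    return format(zlib.crc32(message), "08x") == tag


def send_with_mac(message: bytes, key: bytes) -> tuple[bytes, str]:
    """Keyed integrity tag (HMAC-SHA256). Only a key holder can compute it."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, tag: str, key: bytes) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    # Constant-time comparison so the verifier does not leak the tag byte by byte.
    return hmac.compare_digest(expected, tag)


def flip_one_bit(message: bytes) -> bytes:
    """Models silent storage or transmission corruption: one bit in the amount."""
    data = bytearray(message)
    pos = message.index(b"amount=") + len(b"amount=")
    data[pos] ^= 0x01          # '1' (0x31) becomes '0' (0x30): amount=000.00
    return bytes(data)


def mitm_edit(message: bytes) -> bytes:
    """The deliberate man-in-the-middle change from the text: $100 -> $10,000."""
    return message.replace(b"amount=100.00", b"amount=10000.00")


def mitm_attack_checksum(message: bytes, tag: str) -> tuple[bytes, str]:
    """Attacker rewrites the amount and recomputes the public checksum."""
    forged = mitm_edit(message)
    return forged, format(zlib.crc32(forged), "08x")


def mitm_attack_mac(message: bytes, tag: str) -> tuple[bytes, str]:
    """Attacker rewrites the amount but, lacking the key, can only replay the old tag."""
    return mitm_edit(message), tag


def demo() -> dict:
    """Run both protections against both failure modes; returns what each detected."""
    results = {}

    # 1. Accidental corruption: both mechanisms notice a flipped bit.
    msg, crc = send_with_checksum(ORIGINAL)
    results["checksum_detects_bitflip"] = not verify_checksum(flip_one_bit(msg), crc)
    msg, mac = send_with_mac(ORIGINAL, SHARED_KEY)
    results["mac_detects_bitflip"] = not verify_mac(flip_one_bit(msg), mac, SHARED_KEY)

    # 2. Deliberate tampering: the checksum is recomputed by the attacker and passes.
    msg, crc = send_with_checksum(ORIGINAL)
    forged, forged_crc = mitm_attack_checksum(msg, crc)
    results["checksum_detects_mitm"] = not verify_checksum(forged, forged_crc)

    # ...while the MAC over the forged message no longer matches the replayed tag.
    msg, mac = send_with_mac(ORIGINAL, SHARED_KEY)
    forged, replayed_mac = mitm_attack_mac(msg, mac)
    results["mac_detects_mitm"] = not verify_mac(forged, replayed_mac, SHARED_KEY)

    # Sanity check: an untampered message still verifies under the MAC.
    results["mac_accepts_genuine"] = verify_mac(msg, mac, SHARED_KEY)
    return results


if __name__ == "__main__":
    for name, detected in demo().items():
        print(f"{name:28s} {detected}")
```

The checksum case is the one to remember: the forged $10,000 transfer arrives with a perfectly valid CRC, so a control that only checks a hash the attacker can recompute is not an integrity control against a man-in-the-middle. A digital signature gives the same detection as the HMAC here without requiring the receiver to hold the sender's secret.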

Availability ensures that systems and data are accessible when authorized users need them. When a DDoS attack takes down an e-commerce site during Black Friday, availability has failed. When a ransomware attack encrypts hospital records during a medical emergency, availability has failed. The protection mechanism is always some form of redundancy or resilience — backups, failover systems, load balancers, UPS units.

Here's the key insight for the exam: most real-world security decisions involve trade-offs between these three properties. A highly classified military network might sacrifice availability (air-gapped, difficult to access) to maximize confidentiality. A public-facing news website might sacrifice confidentiality (content is intentionally public) to maximize availability. The exam tests whether you can identify which CIA property is at stake in a given scenario and select the control that addresses it.

āš ļø Exam Trap: Don't confuse integrity with availability. If data is encrypted by ransomware, the primary impact is availability (you can't access it), not integrity (the data wasn't altered — it was encrypted). If an attacker modifies a configuration file, that's an integrity violation.

Reflection Question: A hospital's electronic health records system goes down for two hours during a network upgrade. Which CIA property was impacted, and would a different security control have prevented the issue?

Written by Alvin Varughese, Founder