C.I.A. Triad of Information Security

As you work to understand the impact of a risk, look to the C.I.A. Triad of Information Security and its foundational principles for guidance. The Triad considers how an attack may affect the information systems your business relies on and the data you protect and manage.

The C.I.A. Triad gives you a structure to look at how your business may be impacted by a breach in Confidentiality, Integrity, and Availability.

The C.I.A. Triad

Confidentiality

Does the system in question hold information that needs to stay confidential? If it is compromised, what impact will the exposure of this information have on the business?

Integrity

Does the business use the information in this system to make important decisions? If the information can no longer be relied upon because of a compromise, how might that affect the business while the attack is underway?

Availability

If systems or data are rendered inaccessible, the business may be unable to complete certain functions or processes. It may be difficult to access critical information needed for decisions or to support client needs.

Other Impacts

Financial impacts beyond the C.I.A. Triad can be harder to measure and anticipate but are important to note. Some examples include:

  • Cost of investigation and recovery efforts
  • Loss of customer trust and business
  • Increased cost for new business
  • Increased cost to rebuild your brand and reputation
  • Regulatory fines or penalties

Breaking Down the C.I.A. Triad

One of the best ways to understand this concept is to look at a common Business Email Compromise (BEC).
(Read more about BECs here)

Confidentiality

In an email compromise, information exchanged between the user and clients or other members of the business may now be accessible to the attacker who controls the account. This could include sent, received, or deleted emails containing sensitive information, non-public information, intellectual property, financial information, etc.

Often, an attacker uses access to the email account to send a malicious link or file to other people. However, if the attacker has also copied the contents of the mailbox or read non-public information, that is a breach of confidentiality. You may be required to notify the people affected by the breach, and there may be potential fines or other challenges to think ahead about as you assess how the business may be impacted.

Integrity

In an email compromise, when an attacker misleads others by spoofing or impersonating another user or trusted contact, this is a breach of integrity. The resulting loss of trust can lead to financial fraud (for example, funds transferred to the wrong account). You can no longer trust the information you depend on to run the business.

Availability

Email service availability may be compromised by something as simple as an attacker changing the user’s password to lock them out of their account. In ransomware attacks, availability is compromised because files remain encrypted until a ransom is paid or the data is restored.

Not having access to a business-critical system like email may mean that important information or certain communication channels are down. Depending on how long availability is compromised and the way the system is used, this could lead to major impacts on the business.

Learn More about Possible Impacts to Your Business

Now that you’ve read a bit about how the C.I.A. Triad helps to break down the potential impacts related to a cybersecurity incident, continue learning by reading about how this way of thinking may be evolving: Challenging the C.I.A. Triad

If you’d like to learn more about what to prepare for in an attack or how to reduce your risks, reach out to us for a free cybersecurity risk consultation.

About The Author
Rigid Bits

Rigid Bits is a cybersecurity firm that helps businesses identify and reduce their cybersecurity risks through consulting, professional services, and technology. They work closely with leadership and IT teams to help them test and reinforce the security of their environment while meeting compliance requirements and best practices. Rigid Bits also helps businesses become more prepared to stop cyber-attacks and supports breach investigation efforts with their digital forensics and incident response services.
