Nathan Guman
CYSE200T_32776 Cybersecurity, Technology & Society
Professor Duvall
April 22, 2025
CIA triad: Reinforcing the Foundations of our Cyber World
BLUF: The CIA Triad – Confidentiality, Integrity, and Availability – represents the core principles and foundation of information security in our modern age. By examining the social, ethical, and business implications these principles have had in building our world, we find that they must be adapted and expanded to meet the new challenges posed by advancing technologies such as the Internet of Things (IoT), AI, and quantum computing. The potential impact of these technologies on our increasingly interconnected world requires new digital infrastructure and policies.
The CIA Triad
Information security has long relied upon, and was built by, the triad, although it is sometimes called by other names. “The model is also sometimes referred to as the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central Intelligence Agency.” (Chai, 2022) For this paper, it will continue to be called the CIA triad. Looking at the three parts of the triad, we can see why it has been so long lasting and effective as a set of guiding principles.
Confidentiality:
The first piece of the triad is confidentiality. Confidentiality refers to the practice of ensuring sensitive information is only accessible to those who are authorized to view it. This principle safeguards personal data, trade secrets, intellectual property, and other private information from unauthorized access. Failure to ensure confidentiality can lead to data breaches, unauthorized disclosures, and exposure of sensitive information.
Integrity:
The second piece of the triad is integrity. Integrity ensures data remains accurate, consistent, and unaltered during storage, processing, or transmission, except by authorized entities. This principle is about maintaining trustworthiness in data. Techniques like hashing, checksums, and digital signatures are commonly employed to validate data has not been tampered with or corrupted.
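As an added illustration of the integrity techniques named above (this code is not part of the original paper), the following Python compares an unkeyed checksum with a keyed HMAC over a constructed record. The record, the balance values, and the key are made-up sample data; the point shown is that a bare checksum only catches accidental corruption, while a keyed tag also catches deliberate tampering by anyone who does not hold the key.

```python
import hashlib
import hmac

# Constructed sample record, e.g. a row a server stores or transmits.
RECORD = b"account=12345;balance=1500.00;status=active"

# Constructed sample integrity key, shared only with authorized parties.
INTEGRITY_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(checksum(data), expected)


def tag(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256: only a key holder can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(data, key), expected)


def demonstrate() -> dict:
    """Shows where a bare checksum stops protecting integrity and a keyed tag does not."""
    stored_checksum = checksum(RECORD)
    stored_tag = tag(RECORD, INTEGRITY_KEY)

    # Case 1: a stray bit flip in storage or transit. Both mechanisms catch it,
    # because the stored checksum and tag no longer match the data.
    corrupted = RECORD.replace(b"1500.00", b"1500.01")
    results = {
        "corruption_caught_by_checksum": not verify_checksum(corrupted, stored_checksum),
        "corruption_caught_by_tag": not verify_tag(corrupted, INTEGRITY_KEY, stored_tag),
    }

    # Case 2: an unauthorized party rewrites the record AND recomputes the
    # checksum. The unkeyed checksum verifies, so the change goes unnoticed.
    tampered = RECORD.replace(b"1500.00", b"9500.00")
    forged_checksum = checksum(tampered)
    results["tampering_caught_by_checksum"] = not verify_checksum(tampered, forged_checksum)
    # Without the key no valid tag can be produced, so the stored tag fails.
    results["tampering_caught_by_tag"] = not verify_tag(tampered, INTEGRITY_KEY, stored_tag)
    return results
```

A digital signature extends the same idea with a public/private key pair, so verifiers need only the public key.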
Availability:
The last portion of the triad is availability. Availability ensures information is accessible to authorized users whenever it is needed. This principle emphasizes maintaining the functionality and reliability of systems and infrastructure, ensuring users can access data. It involves implementing measures to ensure system uptime, including redundant systems, load balancing, and regular backups.
The Triad's Past Success
The triad has served as the guiding principles of information security for decades, building public trust and confidence in digital infrastructure. It has served as the bedrock for understanding what it means for a system to be secure. Additionally, it has served as the objective point of reference for policy documents. The triad has been referenced in several global policies and standards including ISO 12007, the European Union’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) (SailPoint, 2023).
Furthermore, the triad's simplicity and cross-disciplinary applicability have made it easy to communicate and easy to understand. This has allowed for easy uptake and adoption, so that any initiative can have clear objectives even for people who do not know or understand cyber issues. This simplicity has also had significant social impact. Public perceptions of trust and security have led to a massive uptake of a digital lifestyle. There is almost nothing people do not trust to do online, including shopping, banking, government forms and processes, and even healthcare. There is an expectation and understanding of security which was built by the CIA triad.
Shortcomings
For all of the CIA Triad’s success, I would suggest three areas where the Triad falls short of current cyber needs: the universality of cyber, the binary nature of the triad, and its being too simplistic for current technological trends and realities.
Firstly, the CIA triad was developed at a time when cyber technology was in its infancy, with minimal impact on the economy, people’s daily lives, and policy discussions. This is simply not true anymore. Technology is integrated into every aspect of our lives, and most of the world’s population, especially the younger population, interacts with the digital world. Estimates for current worldwide internet use sit around 5.56 billion people, accounting for almost 68% of the human population, with the percentage of people aged 15-24 at 79% (Petrosyan, 2025). The technology no longer needs to be easily understood for rapid uptake or development, as these objectives have been met. Perhaps more than almost any other tool in history, cyber is nearly universally understood to be a powerful and useful tool for the advancement of society.
Secondly, the triad itself is binary in nature. “The aspects are binary measures; at a given time, they are either true or false. This sense of measurement gives a false sense of accomplishment, as the current status gives no guarantees about the future (or even the past).” (Van der Ham, 2021). This false sense of security leads to a reactive approach to threats. If a system or file loses one of the triad's properties, it is usually too late, and the damage can only be minimized, not prevented. As we have discussed in class, security is a much more fluid process, with no system ever completely secure. A digital foundation for security needs to provide language and processes to adapt to and manage risk, not speak in definitive yes-or-no terms.
Lastly, advances in technology such as AI, quantum computing, and IoT represent a shift in the speed and complexity of cybersecurity. Attacks can be conducted at speeds which are astronomically faster than current systems are designed for. AI can make automated decisions faster than humanly possible, with the potential for human-like adaptability, reasoning, and insight at supercomputer speeds. The IoT is notorious for poor security practices and interoperability. This can provide a volume of attack vectors which was previously cost prohibitive, allowing for data overload and an increased attack surface against systems. Quantum computing allows for the breaking of most, if not all, current encryption algorithms in a matter of seconds, rendering even the strongest authentication and confidentiality measures irrelevant.
Recommended changes
These weaknesses have led to several efforts to overhaul or update the triad. The most applicable is the Parkerian hexad. “Proposed in 1998, the Parkerian hexad is designed to complement the CIA triad with three additional pillars, possession/control, authenticity, and utility.” (Pender-Bey, 2019). The inclusion of three additional pillars is helpful, although it makes for a much more confusing standard. The difficulty of differentiating authenticity from integrity, as well as the lack of a specific methodology, has prevented the hexad from being widely adopted. Indeed, almost all efforts to overhaul the triad have been confronted with this issue. The simplicity of the triad makes it difficult to dethrone as the core of information security. Nevertheless, the digital world is becoming more complicated every day, and our defense of it must adapt to meet this complexity.
This complexity should be met with changes in cyber policy rules and regulations. I would suggest the information security space should instead focus on a risk management approach to the problem. Indeed, many such modifications and policy initiatives have done this. The NIST Cybersecurity Framework, originally a five-function framework consisting of Identify, Protect, Detect, Respond, and Recover, added a sixth core function, Govern, in 2024 to emphasize risk management, continual review, and ownership of information. Resilience, adaptability, and privacy concerns should be paramount in information security.
Lastly, policy changes should be implemented for organizations and governing bodies to focus on response management. One of the things about the class which will stick with me is the idea of there being only two types of systems: systems which have been compromised, and those which will be compromised. Therefore, organizations need clear policies and procedures for incident response, outlining roles, responsibilities, and communication protocols to ensure swift action during security breaches. These changes should focus on continuous assessment and adaptation to emerging threats in an effort to be predictive, not reactive.
Conclusion
The CIA triad has served as the cornerstone of information security, guiding how digital infrastructure is structured and how organizations protect their digital assets, systems, and data. Yet it is outdated, and a new methodology is required to meet the challenges of today's interconnected and vulnerable world. AI, IoT, and quantum computing represent a leap in technology which requires a shift in how cybersecurity is thought of, away from a binary checklist and towards a more holistic, risk management approach. The difficulty of this cannot be overstated, as many have tried and failed to make a compelling alternative; however, it is a worthwhile endeavor to reform digital policy toward a more secure and just space.
References:
Chai, W. (2022, June 28). What is the CIA triad? Definition, explanation, examples. TechTarget. https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA?jr=on
SailPoint. (2023, December 13). CIA triad: Confidentiality, integrity, and availability. Sailpoint.com. https://www.sailpoint.com/identity-library/cia-triad
Van der Ham, J. (2021). Towards a better understanding of “Cybersecurity.” Digital Threats: Research and Practice, 2(3). https://doi.org/10.1145/3442445
Petrosyan, A. (2025, April 1). Worldwide Digital Population 2025. Statista. https://www.statista.com/statistics/617136/digital-population-worldwide/
Pender-Bey, G. (2019). The Parkerian hexad. Lewis University. https://cs.lewisu.edu/mathcs/msisprojects/papers/georgiependerbey.pdf