The CIA triad

Key takeaways Security has three core goals: confidentiality (only the right people can see it), integrity (nobody changed it without permission, and you’d know if they did), and availability (it’s there when you need it). Together these three define what “secure” even means. Nearly every control you’ll ever meet exists to protect one or more of them — and, as cybersecurity teaches, the defender’s job is to keep all three standing at once.

When someone says a system is “secure,” they’re making a claim about three different things at the same time. Pull them apart and security stops being a vague feeling and becomes a checklist you can actually reason about. That’s the whole value of the CIA triad: three plain goals — confidentiality, integrity, availability — that give you the vocabulary to say exactly what you’re protecting and what an attacker is trying to take away.

Confidentiality

Confidentiality means only authorized people can see the information. Your medical records, a company’s plans, the password you typed this morning — all of it should be readable by the right people and no one else.

Two families of control enforce it. Encryption scrambles data so that anyone who intercepts it sees only noise without the key — the subject of what is cryptography?. Access control decides who is allowed to reach the data in the first place, so that even people on the system only see what their role permits — covered in authorization & access.

When confidentiality fails, secrets leak: someone reads what they shouldn’t.

Integrity

Integrity means the information isn’t altered without authorization — and if it is, you can tell. It’s not enough that data stays secret; you also need confidence that it’s the real data. A bank balance quietly changed, a software update swapped for a tampered one, a log edited to hide a break-in — those are all integrity failures.

The defenses here are about detection as much as prevention. Hashing produces a short fingerprint of a file that changes completely if even one byte changes, so tampering is obvious — see hashing & integrity. Digital signatures go further, proving both that the data wasn’t changed and who vouched for it, which is how your device trusts a software update or a website — see signatures & certificates.

When integrity fails, you can no longer trust that what you’re looking at is genuine.

Availability

Availability means the system and its data are there when legitimate users need them. A perfectly confidential, perfectly intact database is useless if nobody can reach it. Availability is the goal people forget until it’s gone.

It’s threatened by ordinary outages — a failed disk, a cut cable, a botched deploy — and by deliberate denial-of-service attacks that flood a system with traffic until it collapses, one of the patterns in network attacks. The defenses are about resilience: redundancy (spare capacity and backup paths so no single failure takes you down) and backups (so you can restore data that’s lost or held hostage). Spotting an availability problem early is a job for monitoring & incident response.

When availability fails, the right people can’t get to the thing they need.

They pull against each other

Here’s the part that makes security genuinely hard: the three goals trade against one another. Push one up and you often push another down.

Lock a document behind heavy encryption and a stack of approvals and you’ve strengthened confidentiality — but now a doctor in an emergency may struggle to open it in time, which is an availability cost. Add rigorous integrity checks to every transaction and the system gets slower. Move all your backups off-site for availability and you’ve created more copies to keep confidential.

There’s no setting where all three are maxed out for free. Every real security decision is a trade-off among confidentiality, integrity, and availability, and the right balance depends entirely on what you’re protecting and who you’re protecting it from. A public weather page cares most about availability; a password vault cares most about confidentiality; a financial ledger lives or dies by integrity.

Reading attacks through the triad

Once the three goals are in your head, they double as a quick way to classify what any attack is actually going after — which points you straight at the defenses that matter. Ask: which goal is under threat?

  • Eavesdropping — quietly reading traffic or data in transit — attacks confidentiality. The answer is encryption and tighter access.
  • Tampering — altering data, code, or messages — attacks integrity. The answer is hashing and signatures that make the change detectable.
  • Ransomware or a flood — locking up your files, or drowning a server in traffic — attacks availability. The answer is backups and redundancy.

You’ll meet each of these attacks in detail later in the path. For now, the habit is what counts: name the goal under attack first, and the shape of the defense follows.

Quick check: ransomware that encrypts your files and demands payment primarily attacks which goal?

Recap

  • The CIA triad — confidentiality, integrity, availability — is the set of three goals that together define what “secure” means.
  • Confidentiality: only authorized people can see it, enforced by encryption and access control.
  • Integrity: it isn’t altered without authorization and tampering is detectable, enforced by hashing and signatures.
  • Availability: it’s there when legitimate users need it, protected by redundancy and backups against outages and denial-of-service.
  • The three pull against each other — every security decision trades among them, and the right balance depends on what you’re protecting.
  • The triad is also a lens for attacks: eavesdropping → confidentiality, tampering → integrity, ransomware or a flood → availability.

Next up: threats, vulnerabilities & risk