CIA vs. DID Triads in Information Security

Confidentiality

  • Definition: Ensures information/data are accessible only to authorized individuals, applications, or systems; prevents unauthorized access or disclosure of sensitive data.

    • Focus = “keeping secrets secret.”

  • Technical controls mentioned

    • Encryption (data-at-rest & data-in-transit)

    • Access controls, specifically Role-Based Access Control (RBAC)

    • Multi-Factor Authentication (MFA)

  • Illustrative scenario

    • Company holding sensitive customer records stores them in a database.

    • Data are encrypted on disk.

    • RBAC restricts which job roles can query tables.

    • Employees must pass MFA before gaining entry.

    • Outcome: outsiders and unauthorized insiders are blocked; only vetted users decrypt and view data.

Integrity

  • Definition: Guarantees that data remain accurate, complete, consistent, and unaltered except by authorized change.

    • Protects against unauthorized modification or corruption.

  • Technical controls highlighted

    • Hashing (e.g., SHA-256) to create tamper-evident fingerprints

    • Digital signatures to tie data to a trusted signer and detect alteration

    • Version control systems for files, code, and documents

  • Illustrative scenario

    • Files uploaded from a workstation to cloud storage pass through the Internet.

    • Sender computes a cryptographic hash &/or applies a digital signature.

    • Receiver verifies the hash/signature on arrival.

    • Any bit-level alteration en route is immediately flagged.

Availability

  • Definition: Ensures information, data, and IT services are reachable when needed by authorized users; resists outages and disruptions.

  • Technical / contractual measures

    • Redundancy (multiple servers, power supplies, network paths)

    • Regular, tested backups and disaster-recovery plans

    • Service-Level Agreements (SLAs) with uptime guarantees such as 99.999%99.999\% ("five nines")

    • Denial-of-Service (DoS / DDoS) mitigation services & controls

  • Illustrative scenario

    • Organization hosts critical workloads on a cloud provider.

    • SLA stipulates 99.99%99.99\% uptime.

    • Provider supplies redundant data centers; organization layers DoS protection.

Interrelationship & Balancing Act ("CIA Scale")

  • CIA properties are equally important and intertwined; removing any one weakens security posture.

  • Conceptual scale

    • Left pan: Confidentiality & Integrity (favored by IT-Security teams)

    • Right pan: Availability (favored by Business Operations: sales, marketing, finance, accounting)

  • Practical reality: Perfect C & I can crush usability, while extreme availability may erode C & I.

    • Management performs risk-based decisions to find an acceptable equilibrium through dialogue and compromise between executives.

DID Triad (Threat Side): Disclosure · Alteration · Destruction/Denial

  • Represents what happens when CIA is removed.

    • CIA protects against DID.

  • Disclosure (loss of Confidentiality)

    • Unauthorized access/exposure of sensitive data.

    • Causes: data breaches, man-in-the-middle (MitM) attacks, weak or bypassed access controls.

  • Alteration (loss of Integrity)

    • Unauthorized modification or tampering.

    • Causes: insider threats, malware, SQL injection, user error, mis-configurations.

  • Destruction/Denial (loss of Availability)

    • Disruption, deletion, or blocking of data/systems.

    • Causes: natural disasters (fire, flood), DoS/DDoS attacks, ransomware, wiper malware.

  • Intent vs. Accident

    • All three failures can be malicious (intentional) or accidental (unintentional)—e.g., careless employee deleting a database table.

CIA vs. DID: Preventive Relationship

  • CIA triad = defensive goals.

  • DID triad = adverse outcomes when CIA controls are absent or fail.

  • Implementing strong C, I, & A directly mitigates the risks of disclosure, alteration, and destruction/denial.

Key Numerical / Statistical References

  • "Five nines" availability: 99.999%99.999\% uptime ≈ 5.26 minutes of downtime per year.

  • Example SLA in transcript: 99.99%99.99\% uptime.

Practical Implications & Takeaways

  • Every security architecture, policy, or control set should map to at least one component of CIA.

  • Organizations must continuously evaluate trade-offs; no static "perfect" point exists—context and risk appetite drive decisions.

  • Failing to address any leg of CIA exposes the environment to its corresponding DID threat.

  • Understanding both triads provides a conceptual framework for designing, auditing, and improving information-security programs.