CIA vs. DID Triads in Information Security
Confidentiality
Definition: Ensures information/data are accessible only to authorized individuals, applications, or systems; prevents unauthorized access or disclosure of sensitive data.
Focus = “keeping secrets secret.”
Technical controls mentioned
Encryption (data-at-rest & data-in-transit)
Access controls, specifically Role-Based Access Control (RBAC)
Multi-Factor Authentication (MFA)
Illustrative scenario
Company holding sensitive customer records stores them in a database.
Data are encrypted on disk.
RBAC restricts which job roles can query tables.
Employees must pass MFA before gaining entry.
Outcome: outsiders and unauthorized insiders are blocked; only vetted users decrypt and view data.
Integrity
Definition: Guarantees that data remain accurate, complete, consistent, and unaltered except by authorized change.
Protects against unauthorized modification or corruption.
Technical controls highlighted
Hashing (e.g., SHA-256) to create tamper-evident fingerprints
Digital signatures to tie data to a trusted signer and detect alteration
Version control systems for files, code, and documents
Illustrative scenario
Files uploaded from a workstation to cloud storage pass through the Internet.
Sender computes a cryptographic hash &/or applies a digital signature.
Receiver verifies the hash/signature on arrival.
Any bit-level alteration en route is immediately flagged.
Availability
Definition: Ensures information, data, and IT services are reachable when needed by authorized users; resists outages and disruptions.
Technical / contractual measures
Redundancy (multiple servers, power supplies, network paths)
Regular, tested backups and disaster-recovery plans
Service-Level Agreements (SLAs) with uptime guarantees such as ("five nines")
Denial-of-Service (DoS / DDoS) mitigation services & controls
Illustrative scenario
Organization hosts critical workloads on a cloud provider.
SLA stipulates uptime.
Provider supplies redundant data centers; organization layers DoS protection.
Interrelationship & Balancing Act ("CIA Scale")
CIA properties are equally important and intertwined; removing any one weakens security posture.
Conceptual scale
Left pan: Confidentiality & Integrity (favored by IT-Security teams)
Right pan: Availability (favored by Business Operations: sales, marketing, finance, accounting)
Practical reality: Perfect C & I can crush usability, while extreme availability may erode C & I.
Management performs risk-based decisions to find an acceptable equilibrium through dialogue and compromise between executives.
DID Triad (Threat Side): Disclosure · Alteration · Destruction/Denial
Represents what happens when CIA is removed.
CIA protects against DID.
Disclosure (loss of Confidentiality)
Unauthorized access/exposure of sensitive data.
Causes: data breaches, man-in-the-middle (MitM) attacks, weak or bypassed access controls.
Alteration (loss of Integrity)
Unauthorized modification or tampering.
Causes: insider threats, malware, SQL injection, user error, mis-configurations.
Destruction/Denial (loss of Availability)
Disruption, deletion, or blocking of data/systems.
Causes: natural disasters (fire, flood), DoS/DDoS attacks, ransomware, wiper malware.
Intent vs. Accident
All three failures can be malicious (intentional) or accidental (unintentional)—e.g., careless employee deleting a database table.
CIA vs. DID: Preventive Relationship
CIA triad = defensive goals.
DID triad = adverse outcomes when CIA controls are absent or fail.
Implementing strong C, I, & A directly mitigates the risks of disclosure, alteration, and destruction/denial.
Key Numerical / Statistical References
"Five nines" availability: uptime ≈ 5.26 minutes of downtime per year.
Example SLA in transcript: uptime.
Practical Implications & Takeaways
Every security architecture, policy, or control set should map to at least one component of CIA.
Organizations must continuously evaluate trade-offs; no static "perfect" point exists—context and risk appetite drive decisions.
Failing to address any leg of CIA exposes the environment to its corresponding DID threat.
Understanding both triads provides a conceptual framework for designing, auditing, and improving information-security programs.