Vol. 1 · Ed. 2026
CyberGlossary
Entry № 188

CIA Triad

Reviewed by Cybersecurity entrepreneur & security researcher

What is CIA Triad?

CIA Triad: Foundational information-security model that groups objectives into Confidentiality, Integrity, and Availability.


The CIA triad expresses the three core goals every security program must balance. Confidentiality limits access to authorized parties through encryption, access control, and data classification. Integrity ensures data and systems are not modified without authorization, supported by digital signatures, keyed hashes (a plain, unkeyed hash stored beside the data only catches accidental corruption, since an attacker who can alter the data can recompute it), version control, and write-protected or immutable storage. Availability ensures authorized users can reach services and data when needed, supported by redundancy, capacity planning, DDoS protection, and disaster recovery.

The properties pull against each other

The value of the triad is that it forces explicit trade-offs. Encrypting and air-gapping a database maximises confidentiality but can hurt availability; aggressive multi-region replication boosts availability but widens the surface where confidentiality could leak. Most security decisions are really a negotiation among the three, weighted by the asset's risk.

Seen through real incidents

  • Ransomware is primarily an availability and integrity attack — encrypting files in place — which is why offline, immutable backups are the canonical control; double-extortion variants that also exfiltrate data before encrypting add a confidentiality failure on top.
  • A data breach (e.g. the 2017 Equifax exposure of ~147 million records) is a pure confidentiality failure.
  • A supply-chain tampering event like SolarWinds SUNBURST (2020) is an integrity failure: signed, trusted software carried malicious code, which is why provenance attestation and reproducible builds now reinforce integrity.
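
The integrity point in the definition above and the ransomware bullet rest on the same mechanism, so one added example serves both (this is illustrative code written for this entry, not code from the glossary or from any product it names). It builds an integrity manifest for a small backup set in Python, first with plain SHA-256 and then with HMAC-SHA256, and then lets an attacker with write access to the backup rewrite a file. The backup contents, the attacker's XOR "encryption" (a stand-in for whatever cipher real ransomware uses) and the MANIFEST_KEY constant are all constructed for the example.

```python
"""Integrity manifest for a backup set: unkeyed hash versus keyed MAC.

Added example, not code from the glossary page. Shows why a plain hash stored
beside the data it covers does not give integrity against an attacker who can
write to that storage, and why an HMAC keyed from outside the backup host does.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed sample backup set (path -> contents); not real data.
BACKUP: Dict[str, bytes] = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "srv/db/customers.csv": b"id,email\n1,alice@example.com\n2,bob@example.com\n",
}

# Secret held by the verifier only (in practice a vault or HSM, never on the
# backup host). A fixed placeholder here so the example is self-contained.
MANIFEST_KEY = b"example-verifier-key-do-not-reuse"


def digest(path: str, data: bytes, key: Optional[bytes]) -> str:
    """Plain SHA-256 when key is None, otherwise HMAC-SHA256.

    The path is bound into the input so an attacker cannot swap the contents
    (and manifest entries) of two files that both carry valid digests."""
    msg = path.encode() + b"\x00" + data
    if key is None:
        return hashlib.sha256(msg).hexdigest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(files: Dict[str, bytes], key: Optional[bytes]) -> str:
    """Serialise {path: digest} as JSON; this is what gets stored with the backup."""
    return json.dumps({p: digest(p, d, key) for p, d in files.items()}, sort_keys=True)


def verify_manifest(files: Dict[str, bytes], manifest: str, key: Optional[bytes]) -> List[str]:
    """Return the paths that fail verification: digest mismatch, unlisted, or missing."""
    entries = json.loads(manifest)
    bad = []
    for path, data in files.items():
        expected = entries.get(path)
        if expected is None or not hmac.compare_digest(expected, digest(path, data, key)):
            bad.append(path)
    bad.extend(p for p in entries if p not in files)  # listed in manifest but deleted
    return sorted(bad)


def ransomware_rewrite(files: Dict[str, bytes], target: str) -> Dict[str, bytes]:
    """Attacker with write access 'encrypts' one file in place.

    Toy XOR stands in for the attacker's real cipher; all that matters for the
    integrity check is that the bytes change."""
    tampered = dict(files)
    tampered[target] = bytes(b ^ 0x5A for b in files[target])
    return tampered


def demo() -> Dict[str, List[str]]:
    """Run both scenarios and return which paths each scheme flags."""
    target = "srv/db/customers.csv"
    tampered = ransomware_rewrite(BACKUP, target)

    # Unkeyed manifest: the attacker who rewrote the file simply regenerates
    # the manifest too, and verification finds nothing wrong.
    forged = build_manifest(tampered, key=None)
    unkeyed_flags = verify_manifest(tampered, forged, key=None)

    # Keyed manifest: without MANIFEST_KEY the attacker cannot produce a valid
    # tag for the rewritten file, so the manifest written before the attack
    # (kept offline/immutable) flags it.
    keyed = build_manifest(BACKUP, key=MANIFEST_KEY)
    keyed_flags = verify_manifest(tampered, keyed, key=MANIFEST_KEY)

    return {"unkeyed_flags": unkeyed_flags, "keyed_flags": keyed_flags}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Detection is only useful if an untouched copy exists to restore from, which is why the offline, immutable backup in the ransomware bullet is the control and the manifest is merely how you learn that you need it. Signing the manifest with an asymmetric key, so the backup host holds no secret at all, is the production form of the same idea.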

Extensions

The model is intentionally incomplete. Donn Parker's Parkerian Hexad (1998) adds Possession/Control, Authenticity, and Utility; the ISO/IEC 27000 vocabulary behind ISO/IEC 27001 notes that authenticity, accountability, non-repudiation, and reliability may also need to be preserved; and control catalogues such as ISO/IEC 27001 Annex A and the NIST CSF deliver authentication, authorization, non-repudiation, and privacy through specific controls rather than as new top-level objectives.

flowchart TD
  A[Information asset] --> C[Confidentiality<br/>encryption, access control]
  A --> I[Integrity<br/>hashing, signatures]
  A --> V[Availability<br/>redundancy, backups, DDoS defence]
  C --- I
  I --- V
  V --- C
  C -.->|trade-off| V

Examples

  1. Encrypting customer PII (confidentiality), signing software releases (integrity), and running multi-region failover (availability).

  2. Mapping CIS Controls to CIA categories during a gap assessment.

Frequently asked questions

What is CIA Triad?

Foundational information-security model that groups objectives into Confidentiality, Integrity, and Availability. It belongs to the Compliance & Frameworks category of cybersecurity.

What does CIA Triad mean?

Foundational information-security model that groups objectives into Confidentiality, Integrity, and Availability.

How do you apply the CIA Triad?

Classify each asset, decide which of the three properties matters most for it, and choose controls accordingly: encryption and access control for confidentiality, signatures and immutable or versioned storage for integrity, redundancy and tested backups for availability. Because the properties pull against one another, the result is a risk-weighted balance for that asset rather than an attempt to maximise all three at once.

What are other names for CIA Triad?

The triad is usually spelled out as Confidentiality, Integrity, Availability or abbreviated C-I-A; some authors write it as the AIC triad to avoid confusion with the US intelligence agency.
