The world of information security revolves around three core pillars: Confidentiality, Integrity and Availability. Together they are known as the CIA triad. In simple words, Confidentiality is “who should know what, and when”; Integrity is “who can change what, and when”; and Availability is “who should get what, and when”.
This is easiest to see in the context of cybersecurity. Take the example of your personal social media account. Confidentiality: do you want everyone, or only a few selected people, to view your profile and content? Integrity: should anyone besides yourself be able to modify your content or profile? Availability: what if your account is unavailable when you want to log in, or your followers cannot view the content you created for them?
An attacker’s intent is to break one or more legs of the target’s CIA triad. Confidentiality: stealing credit card information, medical records, compromising photographs or passwords. Integrity: defacing a website, posting fake information, changing passwords, altering access privileges. Availability: shutting down a server, making a website inaccessible, deleting accounts.
Hence all of your effort goes into strengthening your CIA using controls, and all of the attacker’s effort goes into bypassing those controls. A strong CIA means a better cybersecurity and risk posture for your organization. This is why risk management is an important component of any organization: it identifies the areas where your CIA may be compromised. The weaker the controls, the higher the risk of compromise.
Fortunately, risk management is something that comes naturally to all living beings. Look at the natural world. Confidentiality: some animal mothers hide their young in burrows or tree hollows, out of sight of predators. Integrity: some animals have shells, horns or other strengths such as speed to preserve themselves (the integrity of their bodies). Availability: some animals are nomadic or migrate to ensure a continued supply of food.
Human beings are the most capable of all in devising controls to protect themselves and their assets. Once an asset is identified as valuable, they will implement controls around it. Take this scene in a bride’s house the evening before her wedding:
Father: “Dear, I hope the ornaments are safe. The whole village knows that there is a marriage being conducted tomorrow and there may be attempts to steal them!”
Mother: “Of course! I have kept them safe in our locker. Only I know the combination to the locker.” (Confidentiality)
Father: “You mean the locker in our daughter’s cupboard? Isn’t that a bit too flimsy?” (risk assessment: checking whether the existing controls are strong enough)
Mother: “Hmm. You may be right. Her room overlooks a balcony where someone can jump up from the boundary wall and climb into her room. Even the door latch is easy to reach from the window!” (risk to the integrity of the locker, and risk that the ornaments will be unavailable when needed, if a thief can break into the room)
Father: “In that case, why don’t you put it in our room? I’ll purchase a steel safe with an electronic lock right away. I’ll set a combination and not write it anywhere or tell anyone!” (implementation of new controls: the electronic lock ensures Confidentiality, the sturdy steel casing of the safe ensures the Integrity of the ornaments inside, and together they ensure the Availability of the ornaments when needed; note, though, that a combination known to a single person is itself an availability risk if that person forgets it or is not around when the safe must be opened)
The scenario above is typical human behavior. It is also the mindset of a risk manager: a constant assessment of whether the controls in place keep the CIA of the organization’s assets intact.
Nithin Joy
Explained well in simple language 👍