Information Security Key Principles (CIA Triangle)

by Amir Sadeghian Posted on | Information Security

Information security has three main principles which are come in the form of the CIA model which is also known as CIA triad (Triangle). Each letter of the CIA represents one of the three principles of information security. These principles are:


In an easy definition it means “Keep the private information PRIVATE” and avoid disclosure of it to an unauthorized entity. For example: When nobody other than sender and receiver of an email can read it, this means that email transfer confidentially on the network and it remains confidential in the send box of the sender and in the inbox of the receiver. The attacker might intercept none encrypted data from the network.


This means protecting the data from any unauthorized changes and modifications. Integrity might be voided by any kind of modification such as adding, removing, and changing. For example: When an email send from the sender and before the receiver receives it, another third party removes some of the lines of the email. In this case, the integrity of the email is voided. An attacker might change the data stored in the database after accessing the database.


This means the authorized entity should be able to access the data needed time. There should not be any disruption in the availability of the data. For example, The student should be able to access to online subject selection system on a specific date. An attacker might interrupt the availability of this service by launching a Denial of Service (DoS) by sending to many requests at the same time. 

This triangle has there main cores. However, information security has three other main key concepts such as:

  • Accountability: This means each person should be responsible for the act that he/she did.
  • Authenticity: In authenticity the genuineness of the data is important. For checking the genuineness of data the authenticity of both parties should be validated against what they claimed to be. For example in emailing digital signatures used to claim the authenticity of the email and its owner.
  • Non-repudiation: This means nobody can NOT deny the act they did. If an email sent, the sender can not claim that I didn’t send this email or the recipient can not claim that I didn’t receive that email.

CIA triad applies to web applications as well. You can learn more about confidentiality, integrity, and availability in web applications by attending my online web application security online courses.