The CIA triad: why every security decision comes back to these three letters
The CIA triad stands for Confidentiality, Integrity, and Availability. It is the foundation of CompTIA Security+ (SY0-701) and the lens every working security analyst uses to evaluate a control, a breach, or a design decision. Almost fifty years after it was first written down, every Security+ exam question in Domain 1 still maps back to one of those three letters.
What the CIA triad is
The CIA triad is three short words: Confidentiality, Integrity, Availability. Every security control protects at least one of them. Every successful attack breaks at least one of them. That's the whole model, and it's why Security+ leans on it so hard.
The concept was formalized in the late 1970s. NIST publications and academic security papers around 1977 codified the three properties as the working definition of "information security," and the model has stuck for nearly fifty years because it survives the test of being useful. New technology, new threats, new compliance regimes, and the question stays the same: which leg of the triad are we protecting, and which leg is at risk?
That is why Domain 1 of SY0-701 spends so much time on it. If you can tag a control or a scenario with the correct letter, you can usually reason your way to the right answer even on a question type you haven't seen before.
Confidentiality: keep it secret
Confidentiality means only the right people can read the data. The classic example is HIPAA-protected medical records: a patient's chart should be readable by their care team and nobody else, including other patients in the same waiting room.
The controls that protect confidentiality cluster into three groups. Encryption at rest (full-disk encryption on a laptop, AES-256 on a database column) means the data is unreadable when it sits on storage. Encryption in transit (TLS on a web request, a VPN tunnel between two offices) means the data is unreadable when it moves. Access control (file permissions, role-based access, MFA on the login) means only authenticated and authorized identities can request the data in the first place.
Confidentiality breaks when any of those layers fail. Shoulder surfing in a coffee shop, a lost laptop with an unencrypted drive, a misconfigured S3 bucket that lists publicly: all three are confidentiality incidents even though the underlying technical failure is different in each case.
Integrity: keep it true
Integrity means the data has not been changed in an unauthorized way. The leg gets less attention than confidentiality because data theft makes the news, but a tampered dataset is often more dangerous than a leaked one.
Hashing is the workhorse here. SHA-256 produces a fixed-length fingerprint of a file or message. Change a single bit in the input, and the hash changes completely, which lets you detect tampering. Digital signatures wrap that hash in a cryptographic envelope that proves who produced it. Version control systems like git use both, which is why a tampered commit is detectable.
The textbook example is a software update signed by the vendor. Your machine verifies the signature against the vendor's public key before installing, which protects you against a man-in-the-middle attacker substituting a malicious package. Integrity breaks when a config file is tampered with on disk, when an attacker injects JavaScript into a page mid-transit, or when an insider quietly edits a number in a financial report. The data still looks fine, which is what makes integrity failures so easy to miss.
Availability: keep it up
Availability means the data and systems are reachable when needed. If the payroll app is encrypted at rest and signed cryptographically but down on payday, the security model failed.
The controls here are operational more than cryptographic. Redundancy (a second server, a second power supply, a second internet circuit) keeps things running when one component fails. Failover (a hot standby, a geographically distributed cluster) automates the cutover. DDoS protection (Cloudflare, AWS Shield) absorbs flood traffic before it reaches the origin. Backups (immutable, offsite, tested) let you restore after data loss.
Availability is the leg most people only think about after they lose it. An e-commerce site that goes down for two hours on Black Friday loses real revenue. A hospital that loses access to its EHR during a ransomware incident faces a patient-safety event, not just an IT outage. Availability breaks when ransomware encrypts production servers, when an ISP outage takes the office offline, or when a DDoS floods the front end faster than autoscaling can keep up.
Authenticity and non-repudiation: the two extensions
The triad sometimes gets extended to five letters. CIANA adds Authenticity and Non-repudiation. Authenticity is proving who you are. Non-repudiation is the property that you can't credibly deny you did something.
Digital signatures cover both at once. When you sign a message with your private key, the recipient can verify the signature with your public key, which proves the message came from you (authenticity) and you can't later claim somebody else sent it (non-repudiation). That's why digital signatures show up across Domain 1 questions and again in SP-1.4 Cryptographic Solutions.
Real breach scenarios mapped to which leg failed
Tagging which leg failed turns every breach into a study aid. A few illustrative scenarios:
- Pinehurst Legal gets hit with ransomware. Files are encrypted, the document management system is unreachable, and the firm can't open client matters. The lost leg is availability. Eradication and recovery focus on restoring access from clean backups.
- Lakeside Health has a patient records leak after a billing clerk falls for a phishing email and the attacker exfiltrates a chart export. The lost leg is confidentiality. Incident response includes breach notification under HIPAA.
- Riverside Bank discovers that an attacker modified transaction logs to hide a series of unauthorized transfers. The lost leg is integrity. Forensic recovery requires log replication from a system the attacker didn't reach.
- Summit Manufacturing wires $180,000 to a fake vendor after an attacker spoofs the CFO's email and replies inside a real invoice thread. Authenticity failed. The control gap is email authentication (SPF, DKIM, DMARC) and an out-of-band verification step on wire changes.
How Security+ tests the triad
Almost every Domain 1 question maps to one or more legs, even when the question doesn't name the triad directly. A multiple-choice item about full-disk encryption is testing confidentiality. A question about file integrity monitoring is testing integrity. A scenario about a hot standby data center is testing availability. The wrong distractors are almost always controls that protect a different leg than the one the question is asking about.
PBQs (performance-based questions) lean on this hard. You'll see scenarios where you have to match a list of controls to the leg they primarily protect, or identify which leg is at risk given an incident description. The fastest learners aren't memorizing controls in isolation. They're tagging every control with a leg as they learn it. That tag is what survives exam stress.
The full breakdown for SY0-701 lives in SP-1.2 Security Concepts, with the CIA mapping table, the AAA framework, and the common gotchas the exam likes to set traps with. If you want to feel the question types under timer, the Practice Exam mode pulls from the same item bank.
Where to go next
If you're tracking toward Security+, the Security+ track page has the full objective map across all five domains. If you're already in the platform, head to the dashboard and start the SP-1.2 lesson if you haven't yet. The CIA triad is the cheapest knowledge to lock in early because it pays back across the entire exam.
Questions about your path to SY0-701? Email the team. We reply personally, usually within a day.
Sources
- NIST Computer Security Resource Center. Confidentiality, integrity, and availability (CIA) glossary entry. Canonical federal definition of the three properties referenced throughout the post.
- International Organization for Standardization. ISO/IEC 27000:2018 Information security management systems. The international standard that names CIA as the core properties of information security and grounds most modern compliance regimes.
- CompTIA. CompTIA Security+ certification overview (SY0-701). Domain 1 objective list (Security Concepts) and the official exam blueprint for the CIA triad coverage referenced in the post.
About the authors

IT Service Center Manager and former CTE / IT teacher. Owner of Revtek in Chicago's south suburbs. Writes everything that ships under his name and reviews every line of Revy-assisted drafting before publish.
LinkedIn ↗Revy helps draft and structure these posts. Every piece is reviewed, edited, and fact-checked by Nick before publish. We disclose this here because it is the right thing to do. See the AI Policy for the full stance.

