Doing Away with CIA
The time-honored notion that the goal of information security is to protect confidentiality, integrity and availability (CIA) lives on. Confidentiality means keeping sensitive and/or valuable information from unauthorized disclosure. Integrity means guarding against unauthorized changes in information as well as system files and executables. Availability means assuring that information stored in computers as well as access to systems, applications, and services are available when needed.
Whereas CIA looks good on paper and makes a wonderful acronym for use in security education and awareness, like a growing number of information security professionals, I have for some time doubted that CIA truly captures the essence of the goal of information security. None of us skeptics deserve credit for wanting the goals of information security expanded beyond CIA–the now long retired Donn Parker does instead. Perhaps the CIA model was appropriate years ago when computing environments were simple and before major developments such as electronic business emerged. Saying that this model is appropriate in today’s computing world does not, however, make much sense.
One of the biggest limitations of thinking of information security goals only in terms of CIA is that non-repudiation and authenticity of electronic business transactions do not fit into the CIA model. Non-repudiation means that the originator of an electronic transaction cannot later plausibly deny having originated the transaction. Without non-repudiation, ebusiness transactions as we know them would probably not exist; electronic merchants would not be able to do business profitably.
Another limitation of CIA is that it does not take into account the ever-growing need for accountability on the part of system administrators, users, and even auditors when they access systems, databases, applications, and more. The usage pattern of every user who gains computer access must be subject to critical scrutiny, scrutiny that is made possible through the availability of system and application audit, intrusion detection, firewall and security event management output. Accountability is in fact one of the essential elements in a successful information security practice.
Another omission from the classic CIA model is privacy. Privacy might superficially seem like a sub-topic under confidentiality, but privacy goes way beyond confidentiality. True, users’ data must be protected, and data protection is part of privacy, but the fact that users have accessed certain Web sites (such as mental health hotlines) is well beyond the matter of data confidentiality. Much of the world, the US in particular, has been slow to pick up on the need for privacy in computing, but the awareness of this need is growing, as reflected by recent pending legislation in the US.
Finally, the CIA model does not take into account the need to be able to perform computing tasks without disruption, something that I would term productivity. IT resources are purchased, implemented and maintained with the goal of increasing productivity within an organization. Certain events, such as receiving SPAM and unwanted IM messages, disrupt users’ productivity. The growth of SPAM over the last five years has been disheartening–certain studies show that as much as 80 to 90 percent of all Internet traffic consists of SPAM. The notion of SPAM was, however, virtually unknown when the CIA model was originally created.
So what started as CIA is now minimally CIANPP—not a very catchy acronym, to say the least. But it fits and it works considerably better in today’s computing world to the point that the now ancient CIA model needs to be abandoned.