Confidentiality, integrity and availability (CIA) are invariably mentioned as cornerstones of information security.
Realising the limitations of these three concepts, many professionals and standards supplement them with some of the following: non-repudiation, authentication, audit, authorisation, privacy, possession, utility, risk, accountability and identity. Donn B. Parker suggested the Parkerian Hexad as an improvement over CIA, to little avail.
CIA suffers from the following ailments. Firstly, there is no wide agreement on what the terms mean; different people understand them differently, and different standards define them in slightly different ways.
Secondly, they are incomplete. How do you explain the companion constellation of concepts? Worst of all, they are a barrier to communication with the business and add no value to actual information security work.
Picture a simple situation in which a new database needs to be protected. You try to find out the integrity of the database. You interview the development team or the business owner of the database and ask 'what is the integrity of the database?'
You will find yourself explaining what you mean, providing examples to extract an answer. You get the answer (medium, type 2) and you feel you did your job.
When it comes to actually protecting the database, however, do you know whether it is acceptable to lose days, hours or minutes of work? Do you know whether the information in the database is legally required to be readable ten years down the line? Do you know whether the transactions are extremely time sensitive, as in a fast trading system?
This is the information you actually need, in business terms, to design and protect the database so that the business needs are more likely to be met. If you don't know it, then after the integrity has been found, someone has to go back and ask these questions. Or, worse still, asks nothing because they already know the integrity.
So why do professionals still use CIA? Tradition, for one; the fact that you study and sit exams in order to achieve a certification is another.
There is also resistance to change, similar to the resistance in the medical profession when the germ theory arose. More importantly, changing and giving up CIA would imply acknowledging that we had wasted some of our own time, and the time and money of many people, for a very long time.
I am not saying that confidentiality, integrity and availability are incorrect. They are not. What I am saying is that confidentiality, integrity and availability are not useful.
You may ask what the alternative is. Simple: realise once and for all that information security is about guaranteeing that the security objectives of the business are met.
Forget confidentiality. Who should use the system? Who should not? Is there private information? Are there any secrets or intellectual property?
Forget integrity. Is there a need for attributing every change to a specific user?
Forget availability. What are the business hours for this system? What is the longest acceptable interruption? Wake up and move on. It is high time.
Vicente Aceituno is the leader of the ISMS standard O-ISM3, a member of The Open Group's Security Forum and president of the ISSA Spanish Chapter.