The CIA triad, explained without jargon

Nearly every framework, standard, and textbook in information security begins with the same three words: confidentiality, integrity, availability. They are called the CIA triad. NIST uses them. ISO 27000 uses them. Every security course uses them. And most readers of security advice have never had them defined in a way that is actually useful.

That is a shame, because they are genuinely helpful. The triad is not a rule; it is a diagnostic. When you are trying to decide whether a document is “safe”, the right question is: safe against which of the three?

Confidentiality

Confidentiality is the one most people think of first: can the wrong people read this?

For documents, confidentiality failures look like:

• A stolen laptop being opened by a stranger and read.
• A misaddressed email going to the wrong recipient.
• A cloud provider being subpoenaed for files they can decrypt.
• A share link pasted into the wrong group chat.
• An infostealer grabbing documents off your desktop.

The tools that protect confidentiality are mostly the ones you have heard of: encryption at rest, end-to-end encryption, password-protected PDFs, access control lists, permission settings. The Encryption topic unpacks each of them.

Confidentiality is not the same as secrecy. Something can be confidential and still be shared; confidentiality just means you decide who sees it.

Integrity

Integrity is the one people forget, and it is often the one that matters most. Is the document actually what it claims to be, and has it been altered?

Integrity failures look like:

• A contract you signed being changed after the fact, without your signature reflecting the change.
• A bank statement edited to hide a transaction.
• A corrupted file that silently loses a page.
• A medical record modified by an unauthorized user.
• Your client’s invoice being redirected to an attacker’s bank details.

The tools for integrity are less glamorous than the ones for confidentiality: cryptographic signatures, hashes (MD5 is dead; use SHA-256 or better), digital signatures on PDFs, version histories, audit logs, and filesystems that can detect silent corruption (ZFS, Btrfs, modern cloud storage). Git — the version control system — is in many ways a huge integrity system for source code.

For most readers, the practical integrity controls are:

• Keeping version history enabled on your cloud storage, so you can see and revert changes.
• Using digital signatures for signed PDFs where the signature actually matters (real estate, legal, tax), not just a picture of a signature pasted into a page.
• Watching for file corruption by keeping backups in multiple places (the Backups topic covers this).

Availability

Availability is the one people discover by accident. Can I get to this document when I need it?

Availability failures look like:

• A ransomware payload encrypting every file on your laptop.
• A cloud account being suspended due to a mistaken abuse report.
• A hard drive failing on the day you need the document.
• A password manager lockout happening the night before a flight.
• A cloud provider having an outage during your deadline.
• Losing a passphrase to a file you encrypted yourself.

Availability is the failure mode of security that was applied incorrectly. The encrypted backup whose key you forgot. The two-factor authenticator on a phone you lost. The air-gapped USB drive that fell out of your pocket.

Availability controls are unglamorous and extremely important:

• Backups, the boring kind that run automatically and are verified occasionally (see the 3-2-1 backup rule).
• Account recovery plans for the services you depend on: recovery codes printed and stored safely, trusted contacts set, alternative emails verified.
• Key escrow, for the disk-encryption and backup passwords you cannot afford to lose. This can be as simple as a sealed envelope with a lawyer or a safe-deposit box.
• Redundancy across services — if a single Google account failure would lock you out of email, contacts, photos, and docs, that is an availability risk worth spreading.

Why the triad matters in practice

Security decisions look different depending on which letter you are optimizing for. Consider: “Should I password-protect this file?”

• For confidentiality, a password-protected PDF is useful.
• For integrity, it does almost nothing — the recipient can still modify the file after opening it.
• For availability, it is a risk. If you lose the password, you lose access to the file.

Or: “Should I use this brand new cloud service?”

• For confidentiality, you need to understand whether they use client-side encryption, whether they have been audited, and what their track record is.
• For integrity, you need to know whether they version files and detect silent corruption, and whether they log access.
• For availability, you need to know whether they have ever had a prolonged outage, how they handle account disputes, and what happens to your data if they go out of business.

Most security advice implicitly optimizes for confidentiality. Most real-world document disasters are actually availability problems.

How to use the triad when you read security advice

Next time you read a “how to secure your files” article, run a quick translation in your head:

• Which letter is the advice protecting?
• Does that match the threat you were actually worried about?
• Does following the advice accidentally degrade a different letter?

The advice “encrypt all your backups with a passphrase only you know” improves confidentiality, and reduces availability unless you also have a recovery plan. The advice “store everything in Google Drive for easy access” improves availability, and reduces confidentiality unless you add a client-side encryption layer. Neither is wrong; both need the tradeoff named.

Threat modeling (covered in Threat modeling for normal people) plus the CIA triad is almost all the conceptual equipment you need to think clearly about document security. Everything else is technique.