The CIA triad of confidentiality, integrity, and availability is at the heart of information security. (The members of the classic InfoSec triad – confidentiality, integrity and availability – are interchangeably referred to in the literature as security attributes, properties, security goals, fundamental aspects, information criteria, critical information characteristics and basic building blocks.)
However, debate continues about whether or not this CIA triad is sufficient to address rapidly changing technology and business requirements, with recommendations to consider expanding on the intersections between availability and confidentiality, as well as the relationship between security and privacy.
Other principles such as “accountability” have sometimes been proposed; it has been pointed out that issues such as non-repudiation do not fit well within the three core concepts.
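To make the distinction between these properties concrete, here is an added Python example (not part of the original article) that shows confidentiality and integrity as independent properties, and why a shared-key integrity check does not give non-repudiation. The key, nonce and message are constructed sample values, and the SHAKE-256 keystream cipher is a deliberately minimal stand-in for a real cipher, used only to illustrate the point.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration; not from any real system.
SHARED_KEY = b"constructed-shared-key-for-demo"
MESSAGE = b"transfer 100 units to account 42"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream derived with SHAKE-256 (illustration only, not a production cipher)."""
    return hashlib.shake_256(key + nonce).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: the content is hidden, but the ciphertext is malleable."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def mac(key: bytes, data: bytes) -> bytes:
    """Integrity/authenticity tag: HMAC-SHA256 over the data."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so verification does not leak timing information."""
    return hmac.compare_digest(mac(key, data), tag)


def demo() -> dict:
    nonce = b"demo-nonce-01"
    ct = encrypt(SHARED_KEY, nonce, MESSAGE)

    # Confidentiality without integrity: a single changed ciphertext byte
    # silently alters the decrypted text; nothing in decrypt() can notice.
    flipped = bytearray(ct)
    flipped[9] ^= ord("1") ^ ord("9")  # index 9 is the '1' of "100"
    tampered_pt = decrypt(SHARED_KEY, nonce, bytes(flipped))

    # Integrity: a MAC over nonce || ciphertext detects the change ...
    tag = mac(SHARED_KEY, nonce + ct)

    # ... but gives no non-repudiation: Bob holds the same key, so he can
    # produce an identical tag and a third party cannot attribute the
    # message to Alice rather than Bob. That is the gap the article notes.
    bob_tag = mac(SHARED_KEY, nonce + ct)

    return {
        "decrypts": decrypt(SHARED_KEY, nonce, ct) == MESSAGE,
        "ciphertext_hides_message": ct != MESSAGE,
        "tampered_plaintext": tampered_pt,
        "mac_detects_tamper": not mac_ok(SHARED_KEY, nonce + bytes(flipped), tag),
        "bob_can_produce_same_tag": bob_tag == tag,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The takeaway is that each property must be provided deliberately: the stream cipher gives confidentiality and nothing else, the MAC adds integrity and authenticity, and attributing a message to one specific party (non-repudiation) needs a mechanism such as a digital signature, where only the signer holds the private key.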
The triad seems to have first been mentioned in a NIST publication in 1977.
The OECD's Guidelines for the Security of Information Systems and Networks, first published in 1992 and revised in 2002, proposed nine generally accepted principles: awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment.
Building upon those, in 2004 NIST's Engineering Principles for Information Technology Security proposed 33 principles. Guidelines and practices were derived from each of these.
In 1998, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian Hexad are a subject of debate amongst security professionals.
In 2011, The Open Group published the information security management standard O-ISM3. This standard proposed an operational definition of the key concepts of security, with elements called “security objectives”, related to access control (9), availability (3), data quality (1), compliance and technical (4).
In 2009, the DoD Software Protection Initiative released the Three Tenets of Cybersecurity, which are System Susceptibility, Access to the Flaw, and Capability to Exploit the Flaw. Neither of these models is widely adopted.