Can you explain the CIA triad and why it matters?
Short answer
The CIA triad is the three core goals of information security: confidentiality (only authorized parties can read data), integrity (data isn't altered without authorization), and availability (authorized users can access systems when needed). Almost every control maps to one or more of these.
The CIA triad is the mental model interviewers expect every candidate to reach for when describing why a control exists. It names three goals that, together, define what "secure" means for data and systems.
The three goals
- Confidentiality — only authorized parties can read the information. Encryption, access controls, and least privilege all serve this goal.
- Integrity — information is accurate and has not been modified without authorization. Hashing, digital signatures, checksums, and change logging serve integrity.
- Availability — the system and data are accessible to authorized users when they need them. Redundancy, backups, DDoS protection, and capacity planning serve availability.
Why it's useful
The triad turns vague worries into specific questions. When you evaluate a control or an incident, you can ask: which leg does this affect? A ransomware attack hits availability (files locked) and often confidentiality (data stolen). A defaced website is an integrity failure. Leaked credentials are a confidentiality failure.
The tradeoffs
The legs sometimes pull against each other, and naming that tradeoff is what separates a strong answer from a memorized one. Aggressive encryption and access controls improve confidentiality but can hurt availability if a key is lost. Strict integrity checks can slow a system down. Good security balances all three against the value of the asset and the threats it faces, rather than maximizing one blindly.
Why this matters
Interviewers use this question to check whether you can reason about goals rather than just list tools. A candidate who maps a real scenario to the triad — and acknowledges the tradeoffs — shows they understand the purpose behind security work, not just the vocabulary.
Likely follow-ups
- Give an example of a control that protects integrity but not confidentiality.
- Can improving one leg of the triad weaken another?
- Where do non-repudiation and authentication fit?