A humble proposal: The InfoSec CIA triad should be expanded
The inconsistent and incomplete definitions of essential properties in information security create confusion within the InfoSec community, gaps in security controls, and may elevate the costs of incidents.
In this article, I will analyze the CIA triad, point out its deficiencies, and propose to standardize the terminology involved and expand it by introducing two additional elements.
Context
Any business function should have its purpose. The best definition of an objective for information security I have found in my 20+ years in the field is by Rick Howard. In his book, The First Principles, he defines the first principle of information security as:
“Reduce the probability of a material impact to an organization due to a cyber event over the next 3 years (adjust ‘3 years’ to your organizational risk management)”.
Let’s concentrate, for a moment, on the “materiality” of the impact. How would an organization know if a cyber event constituted a material impact? One could use a definition by the U.S. Securities and Exchange Commission, which is a time-tested and familiar materiality standard used for any other event:
“… an event is considered material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision …”.
How do we assess what kind of impact a cyber event has on a company? The so-called “CIA triad” and similar concepts play a key role here. In his book, Rick summarizes the inception and evolution of the CIA triad that we, as security professionals, use to describe the required properties of computer systems, data, or processes. However, have you asked yourself: “Is this it? Are there no other attributes of information and information systems that need protecting from harm?”
In this short article, I want to dig deeper and explore the confusing terminology defined by various standards organizations and governments.
The CIA triad explained
Let’s look at what the CIA triad means and how it might be used. As an example, I use a financial system in a fictitious international retailer:
Context: The retailer’s accounts payable system receives invoices from suppliers, checks them against a set of criteria and schedules payments through the automated banking integrations. The system needs to operate 24/7 and must settle the payments before invoices are due; the due date could be as short as two days after the invoice is received.
The total transaction value going through the system averages £10,000,000 per day. The contractual penalty for late payment is 0.5% of the invoice value per day, so each day’s worth of unpaid invoices accrues £50,000 for every day it is late. Counting a single day of lateness per outage day, an incident causing a four-week (20 business day) delay equals at least £1,000,000 in contractual penalties; because each day’s invoices keep accruing until they are actually settled, the true exposure is considerably higher. In a low-margin, high-turnover business, this is likely material.
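The penalty arithmetic above counts one day of lateness per outage day. As an added example (not from the original article), the program below follows the contract literally, under hypothetical assumptions: invoices arrive at a steady £10,000,000 per business day, each is due two business days after receipt, nothing is paid during the outage, and the whole backlog is settled on the first business day after recovery. Under those assumptions the same 20-business-day outage carries roughly ten times the linear figure, because every day’s invoices keep accruing 0.5% until they are paid.

```go
package main

import "fmt"

// LinearEstimate is the back-of-the-envelope figure: one day of penalty on
// one day's invoices, multiplied by the number of outage days.
func LinearEstimate(dailyValue, rate float64, outageDays int) float64 {
	return dailyValue * rate * float64(outageDays)
}

// AccumulatedPenalty applies the contract literally: every invoice accrues
// the penalty for every business day it is late. Assumptions (hypothetical):
//   - invoices arrive at a steady dailyValue per business day,
//   - each invoice is due dueLag business days after receipt,
//   - nothing is paid during the outage, and the whole backlog is settled on
//     the first business day after it (day outageDays+1).
// Invoices received during the dueLag days before the outage are still unpaid
// when it starts, so they are counted as well (received <= 0).
func AccumulatedPenalty(dailyValue, rate float64, dueLag, outageDays int) float64 {
	paidOn := outageDays + 1
	total := 0.0
	for received := 1 - dueLag; received <= outageDays; received++ {
		dueOn := received + dueLag
		if late := paidOn - dueOn; late > 0 {
			total += dailyValue * rate * float64(late)
		}
	}
	return total
}

func main() {
	const daily, rate = 10_000_000.0, 0.005 // constructed figures from the scenario
	fmt.Printf("linear estimate, 20 days:      £%.0f\n", LinearEstimate(daily, rate, 20))
	fmt.Printf("accumulated penalty, 20 days:  £%.0f\n", AccumulatedPenalty(daily, rate, 2, 20))
}
```

The difference is the sum of an arithmetic series rather than a flat multiple: the first day’s invoices are 20 days late by the time the backlog clears, the last day’s not at all. Whichever model a risk owner prefers, both figures clear the materiality bar the article sets, and the accumulated one shows why recovery time objectives for a payment system are measured in days, not weeks.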
Scenario 1: Ransomware attack
The retailer’s network succumbed to a ransomware attack that made the financial system inoperable. This resulted in the loss of AVAILABILITY of the financial system and substantial financial cost.
Additionally, before wiping the systems, the criminals exfiltrated the whole financial system database and sold it on the black market: a loss of CONFIDENTIALITY, with contractual and regulatory consequences. As this retailer operates in the EU, the GDPR allows a maximum fine of 4% of annual global turnover; at £3.65 billion of yearly revenue, that is a penalty exposure of £146,000,000, which would very likely be considered a material impact.
Finally, the criminals had made changes to the IT infrastructure, so the whole network had to be rebuilt from a “known good” state. This represented a loss of INTEGRITY. All systems were wiped and restored from backups, costing the retailer millions in professional services and paid overtime.
An argument for expanding the CIA triad
Scenario 1 is a typical example where the CIA triad suffices. But what about threat scenarios where CIA on its own is not enough?
Scenario 2: Payment to a wrong account
An employee with access to the system changed a supplier’s bank details. As a result, a payment was sent to the wrong bank account. The supplier complained and received the correct payment; the retailer, however, is now out of pocket. The incident was caused by a lack of AUTHENTICITY (the new bank details were accepted without verifying that they genuinely came from the supplier), which affected the INTEGRITY of the information. The employee denies having made any changes and blames the system. The IT team, together with an external forensic team, is unable to prove otherwise. This represents a lack of NON-REPUDIATION: the organization could not prove that the employee performed the incorrect or malicious action. Think of NON-REPUDIATION as having evidence of an action that the actor cannot plausibly deny.
The CIANA (pronounced SEE-anna) pentad
Using the above example, I have seeded the idea that the CIA triad alone may not be sufficient to model all threats, system vulnerabilities, and impacts. The two missing elements that should always be considered together with the CIA triad are:
- Non-repudiation – A requirement to prove beyond reasonable doubt that an actor performed an action on a system or its data. The actor may be a human or machine code.
- Authenticity – A requirement to assure that communications, data or documents are genuine and originate from a verified source.
As such, I propose the term “the CIANA pentad”, covering: “Confidentiality”, “Integrity”, “Availability”, “Non-repudiation”, and “Authenticity”.
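Scenario 2 and the two definitions above can be made concrete. The Go program below is an added example, not code from the original article or from any product or standard it mentions; the audit-trail fields, the identities and the shared secret are constructed for illustration. It shows the three things the forensic team in Scenario 2 would have needed: a hash-chained audit log in which a later rewrite of an earlier entry is detectable (INTEGRITY of the evidence); an HMAC over the change record, which proves the record came from someone holding the key but cannot attribute it to the employee, because the server holds the same key (AUTHENTICITY without NON-REPUDIATION); and an Ed25519 signature made with a key only the employee holds, which the organisation can verify and show to a third party (NON-REPUDIATION).

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Event is one entry of a hypothetical accounts-payable audit trail.
type Event struct {
	Seq      int
	Actor    string // the identity the system attributed the action to
	Action   string
	Payload  string
	PrevHash string // hash of the previous entry; "" for the first one
	Hash     string
}

// canonical is the byte string that gets hashed, MACed and signed.
func (e Event) canonical() []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s|%s", e.Seq, e.Actor, e.Action, e.Payload, e.PrevHash))
}

// AppendEvent links a new entry to the previous one so that a later edit of
// any earlier entry breaks the chain (INTEGRITY of the evidence).
func AppendEvent(log []Event, actor, action, payload string) []Event {
	prev := ""
	if len(log) > 0 {
		prev = log[len(log)-1].Hash
	}
	e := Event{Seq: len(log), Actor: actor, Action: action, Payload: payload, PrevHash: prev}
	sum := sha256.Sum256(e.canonical())
	e.Hash = hex.EncodeToString(sum[:])
	return append(log, e)
}

// VerifyChain recomputes every hash and link; it returns the index of the
// first inconsistent entry, or -1 if the log is intact.
func VerifyChain(log []Event) int {
	prev := ""
	for i, e := range log {
		sum := sha256.Sum256(e.canonical())
		if e.PrevHash != prev || hex.EncodeToString(sum[:]) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// HMACTag proves that whoever made the tag knew the key (AUTHENTICITY and
// integrity of the message). The server holds the same key, so the employee
// can always argue "the server could have produced that": no NON-REPUDIATION.
func HMACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Outcome collects what the scenario demonstrates.
type Outcome struct {
	ChainIntact   bool // the untouched log verifies
	TamperedAt    int  // index at which a retroactive edit is caught
	HMACForgeable bool // the server can mint a tag identical to the employee's
	SigValid      bool // the employee's Ed25519 signature verifies
	SigForgeable  bool // a signature made without the employee's key verifies
}

// Scenario replays the bank-details change with constructed data.
func Scenario() Outcome {
	var out Outcome
	var log []Event
	log = AppendEvent(log, "alice", "supplier.bank_details.update", "supplier=ACME;iban=GB00TEST00000000000000")
	log = AppendEvent(log, "scheduler", "payment.scheduled", "supplier=ACME;amount=125000")
	out.ChainIntact = VerifyChain(log) == -1

	// Someone with database access later rewrites who made entry 0 and even
	// fixes up that entry's own hash; entry 1 still links to the old hash.
	tampered := append([]Event(nil), log...)
	tampered[0].Actor = "bob"
	sum := sha256.Sum256(tampered[0].canonical())
	tampered[0].Hash = hex.EncodeToString(sum[:])
	out.TamperedAt = VerifyChain(tampered)

	msg := log[0].canonical()
	sharedKey := []byte("constructed-shared-secret") // known to server and employee
	employeeTag := HMACTag(sharedKey, msg)
	serverTag := HMACTag(sharedKey, msg) // identical: the tag cannot single out alice
	out.HMACForgeable = hmac.Equal(employeeTag, serverTag)

	// A per-employee signing key: only its holder can produce a valid signature,
	// and anyone with the public key can check it, which is what attribution needs.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, msg)
	out.SigValid = ed25519.Verify(pub, msg, sig)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	out.SigForgeable = ed25519.Verify(pub, msg, ed25519.Sign(otherPriv, msg))
	return out
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Two caveats matter in practice. The chain head (the latest hash) has to be anchored somewhere the database administrator cannot rewrite, for instance a write-once log store, a signed timestamp from a trusted time source, or periodic publication; otherwise an attacker who can rewrite the whole table simply recomputes every hash. And a signature only carries non-repudiation if the private key is genuinely under the employee’s sole control (a hardware token or OS keystore rather than a file on a shared server), which is the key-management and policy part that the cryptography alone does not provide.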
ChatGPT agrees
In the age of generative AI and LLMs, it is worth asking the current best model to give its “opinion” about my proposal. These are the questions I have asked the ChatGPT o1-preview model on October 29, 2024. (The answers were trimmed to fit this article into the required length.)
Question 1: In information security, the CIA triad is used. Are there some other elements missing that international standards mention?
Answer 1: Yes, while the CIA triad—which stands for Confidentiality, Integrity, and Availability—is fundamental in information security, international standards recognize additional elements that are crucial for a comprehensive security framework. These elements address aspects that the CIA triad does not fully encompass. Here are some of the key additional elements mentioned in international standards…
Question 2: In information security, are terms integrity and authenticity and non-repudiation overlapping and interchangeable?
Answer 2: No, the terms integrity, authenticity, and non-repudiation are not interchangeable in information security, although they are related concepts that sometimes overlap in their applications. Each term represents a distinct aspect of securing information and communication systems.
Although integrity, authenticity, and non-repudiation are interconnected and may employ similar technologies, they address different security goals:
- Integrity focuses on data accuracy and consistency.
- Authenticity ensures genuine identities and sources.
- Non-repudiation provides evidence preventing denial of actions.
Understanding the distinctions between these terms is essential for designing robust security systems that comprehensively protect information and communications.
Definitions used in InfoSec standards and regulations
I have also reviewed existing standards for gaps related to the CIANA pentad. The image below lists the main information security standards and regulations and whether they cover the full CIANA pentad.
EU DORA
DORA (Regulation (EU) 2022/2554) lists Confidentiality, Authenticity, Integrity, and Availability. Article 3 (Definitions) states:
“…ICT-related incident’ …event that compromises … the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data…”
As DORA is high-level EU-wide legislation not concerned with the details, it leaves the technical requirements to regulatory and implementing technical standards drafted by the European Supervisory Authorities (EBA, EIOPA and ESMA) in consultation with the EU Cybersecurity Agency (ENISA).
EU NIS2
One would expect information security regulations from the same institution to align with each other. Sadly, that is not entirely the case: NIS2 (Directive (EU) 2022/2555) lists the same four properties as DORA, but attaches them to a different defined term. Chapter I, Article 6(2) states:
“…‘security of network and information systems’ means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems…”
UK Cyber Essentials
UK Cyber Essentials does not explicitly mention either Authenticity or Non-Repudiation. While access control in Cyber Essentials involves verifying user identities to some extent (e.g., through passwords or multi-factor authentication), the scheme does not delve into comprehensive authenticity measures like digital signatures or certificates that verify the origin of data or communications. Cyber Essentials does not address non-repudiation requirements in the scope of the basic controls outlined.
ISO 27001
As I am not allowed to share the content of the standard, I have asked ChatGPT what it thinks.
Question: Does ISO/IEC 27000 series mention authenticity and non-repudiation?
Answer: Yes, the ISO/IEC 27000 series explicitly mentions both authenticity and non-repudiation as fundamental components of information security. These concepts are integrated into the standards to guide organizations in establishing robust information security management systems (ISMS).
Authenticity in the ISO/IEC 27000 Series
Relevant Standards and Sections:
- ISO/IEC 27000:2018 (Overview and Vocabulary):
  - Section 2.3 (Fundamental Concepts): Defines authenticity as a key property of information security, alongside confidentiality, integrity, and availability.
- ISO/IEC 27001:2013 (Requirements for ISMS):
  - Clause 7.5 (Documented Information): Emphasizes control over documented information to ensure authenticity.
- ISO/IEC 27002:2022 (Code of Practice for Information Security Controls):
  - Control A.9 (Access Control): Addresses the need for verifying user identities before granting access.
  - Control A.13 (Communications Security): Recommends measures to ensure the authenticity of communication sessions.
Non-repudiation in the ISO/IEC 27000 Series
Relevant Standards and Sections:
- ISO/IEC 27002:2022:
  - Control A.10 (Cryptography): Advises on using cryptographic techniques to achieve non-repudiation.
  - Control A.12 (Operations Security): Suggests keeping logs and records to support non-repudiation.
- ISO/IEC 27001:2013:
  - Annex A.16 (Information Security Incident Management): Highlights the importance of recording events for accountability and non-repudiation.
Implementation examples:
- Digital signatures: Utilizing cryptographic signatures to provide proof of origin and integrity for electronic documents.
- Audit trails: Maintaining comprehensive logs that record user activities and system events.
- Time stamping services: Using trusted time sources to timestamp transactions, enhancing the credibility of records.
US government
The US government has, in my humble opinion, developed and enforced the best quality information security standards, most of which are open to the public to see and use.
NIST Cyber Security Framework 2.0
The NIST Cybersecurity Framework (CSF) 2.0 addresses the concepts of authenticity and non-repudiation, though these terms are not always explicitly labeled as such within the framework. Instead, they are integrated into various categories and subcategories that collectively contribute to these security objectives. Note that the category identifiers listed below follow the CSF 1.1 numbering; CSF 2.0 restructured them (for example, access control moved from PR.AC into the new PR.AA category, and PR.PT and DE.DP no longer exist as separate categories), so map them before citing CSF 2.0 in a control matrix.
Authenticity in NIST CSF 2.0
Authenticity ensures that data, communications, and transactions are genuine and that the entities involved are who they claim to be. Within NIST CSF 2.0, authenticity is encompassed under several functions and categories:
1. Identify (ID) Function
   - Asset Management (ID.AM)
2. Protect (PR) Function
   - Access Control (PR.AC): PR.AC-1, PR.AC-3, PR.AC-7
   - Data Security (PR.DS): PR.DS-2
   - Protective Technology (PR.PT): PR.PT-4
Non-repudiation in NIST CSF 2.0
1. Protect (PR) Function
   - Awareness and Training (PR.AT): Educating users about their roles and responsibilities, which can include understanding the importance of actions that have legal or operational implications.
2. Detect (DE) Function
   - Security Continuous Monitoring (DE.CM): DE.CM-1, DE.CM-3
   - Detection Processes (DE.DP): DE.DP-4
3. Respond (RS) Function
   - Analysis (RS.AN): RS.AN-2
NIST 800–53 revision 5
This standard is one of the most comprehensive control catalogues. It provides the detailed controls and guidance that the NIST CSF 2.0 outcomes map to, and it explicitly mentions both authenticity and non-repudiation.
Authenticity
NIST SP 800–53 Rev. 5 defines authenticity as the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator. It addresses authenticity primarily through the Identification and Authentication (IA) control family.
Key controls related to authenticity:
1. IA-1: Policy and Procedures
2. IA-2: Identification and Authentication (Organizational Users)
3. IA-3: Device Identification and Authentication
4. IA-4: Identifier Management
5. IA-5: Authenticator Management
6. IA-8: Identification and Authentication (Non-Organizational Users)
Non-repudiation
The standard defines non-repudiation as protection against an individual falsely denying having performed a particular action: the capability to determine whether a given entity took a specific action, such as creating information, sending a message, or approving a change. It addresses non-repudiation in the Audit and Accountability (AU) control family, specifically under control AU-10: Non-repudiation.
PCI DSS v4.0
The Payment Card Industry Data Security Standard v4.0 primarily focuses on protecting cardholder data and sensitive authentication data wherever they are stored, processed or transmitted. Its emphasis is overwhelmingly on confidentiality; integrity and availability appear only indirectly, for example in the change-detection and audit-logging requirements.
PCI DSS does not explicitly mention the CIA triad. While this may seem strange to security professionals, the reason stems from the history of payment security. Fraudsters were stealing payment data (loss of confidentiality), not deleting it (loss of availability) or altering it (loss of integrity).
CSA STAR
The Cloud Security Alliance has been running an excellent initiative called the Security, Trust, Assurance, and Risk (STAR) Registry since 2011. The STAR program requires organizations to complete the Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative Questionnaire (CAIQ) v4. The CCM and CAIQ questions are a mix of high-level and low-level controls. However, the controls do not mention authenticity or non-repudiation.
Proposal for standardization
While the CIA triad remains a fundamental concept in information security, integrating additional properties provides a more robust framework to security professionals and business leaders.
Today, the fragmentation and inconsistency in terminology across international standards and compliance frameworks pose significant challenges:
- Miscommunication: Inconsistent terms can lead to misunderstandings among security professionals, potentially causing gaps in security implementations.
- Complex compliance: Organizations operating in multiple jurisdictions may struggle to align their security measures with varying standards, leading to inefficiencies and increased risk.
- Training and education: Inconsistent terminology complicates the education of new professionals entering the field, as they must navigate and reconcile differing concepts and definitions.
To move forward, the various international standards and compliance frameworks should standardize the terminology. Such an initiative would enable organizations to better protect their information assets, ensure regulatory compliance, and maintain trust with stakeholders.