Domain 1: General Security Concepts (Module 2 of 61)

The CIA Triad and Fundamental Security Concepts

Security+ Domain 1 — General Security Concepts A — Security Foundations 10–14 minutes

What the Exam Is Really Testing

Every security professional knows the letters C, I, and A. CompTIA knows you know them too.

So the exam does not ask you to define confidentiality. It asks this:

Given a scenario where multiple security principles are at stake, which one is the PRIMARY concern?

You need to read a situation and determine whether the core issue is about unauthorized disclosure (confidentiality), unauthorized modification (integrity), or system unavailability (availability). Then you need to pick the control that addresses that specific principle — not just any security control.


Confidentiality

Confidentiality ensures that information is accessible only to authorized individuals. When confidentiality fails, data is exposed to people who should not have it.

Controls that protect confidentiality:

  • Encryption (data at rest, data in transit)
  • Access control lists and permissions
  • Data classification and handling procedures
  • Multi-factor authentication
  • Data masking and tokenization

Threats to confidentiality:

  • Data breaches and exfiltration
  • Eavesdropping and sniffing
  • Social engineering
  • Improper access controls
  • Shoulder surfing

If the scenario describes data being seen by the wrong people, confidentiality is compromised.

Integrity

Integrity ensures that data has not been altered in an unauthorized or undetected way. When integrity fails, you cannot trust that the data is accurate.

Controls that protect integrity:

  • Hashing (SHA-256, MD5 for checksums)
  • Digital signatures
  • Version control systems
  • Input validation
  • Change detection mechanisms

Threats to integrity:

  • Man-in-the-middle attacks modifying data in transit
  • Malware altering system files
  • Unauthorized database modifications
  • Bit rot and data corruption
  • SQL injection changing stored data

There is an important distinction between integrity verification and integrity protection. Hashing verifies integrity — it tells you whether data changed. Encryption and access controls protect integrity — they prevent unauthorized changes.


Availability

Availability ensures that systems and data are accessible when authorized users need them. When availability fails, legitimate users cannot do their work.

Controls that protect availability:

  • Redundancy (RAID, clustering, failover)
  • Backups and disaster recovery
  • Load balancing
  • Uninterruptible power supplies (UPS)
  • DDoS protection

Threats to availability:

  • Denial-of-service attacks
  • Hardware failures
  • Natural disasters
  • Ransomware (encrypts data, making it unavailable)
  • Misconfiguration causing outages

Ransomware is a powerful exam topic because it attacks both confidentiality (data may be exfiltrated) and availability (data is encrypted and inaccessible). Know which aspect the question is asking about.

Non-Repudiation

Non-repudiation ensures that a party cannot deny having performed an action. It provides proof of origin, proof of delivery, or proof of receipt.

This concept extends beyond the CIA triad but is tightly linked to integrity.

Mechanisms that provide non-repudiation:

  • Digital signatures (the primary mechanism)
  • Audit logs with tamper-proof storage
  • Certificates and PKI
  • Transaction logs
  • Notarization services

Key distinction: authentication proves who you are right now. Non-repudiation proves you did something in the past and cannot deny it. A digital signature provides non-repudiation because only the signer's private key could have created it.

If a question asks about proving that a specific person sent a message or approved a transaction, the answer involves non-repudiation — almost always through digital signatures.
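The two distinctions above, hashing as integrity verification only (Integrity section) and a digital signature as the mechanism that only the signer's private key could have produced (Non-Repudiation section), are easier to see running than to memorize. The following is an added example written for this module, not part of the study guide. It compares three checks over the same contract text: a plain SHA-256 hash, an HMAC with a shared key, and a digital signature. The signature scheme is textbook RSA over a truncated hash with two fixed Mersenne primes and no padding; that is a teaching toy, and real systems use a vetted library (RSA-PSS or Ed25519). The contract text, the "insider" and the key material are constructed for the example.

```python
"""Integrity verification vs. non-repudiation, illustrated with three mechanisms.

Added example for this module (not from the study guide). Assumptions: constructed
contract text, constructed shared secret, and a toy RSA scheme built from fixed
Mersenne primes with no signature padding. Use a real library in practice.
"""
import hashlib
import hmac

# --- 1. Plain hash: integrity verification only -------------------------------
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_matches(data: bytes, expected_hex: str) -> bool:
    """True if data is unchanged relative to the digest it was published with."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)

# --- 2. HMAC: integrity plus origin among holders of a *shared* key ------------
def hmac_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def hmac_valid(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)

# --- 3. Digital signature: only the private-key holder can produce it ----------
def make_toy_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes. Teaching toy: tiny modulus, no padding."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse (Python 3.8+)
    return (n, e), (n, d)                  # (public key, private key)

def _digest_int(data: bytes, n: int) -> int:
    # Real schemes pad the digest (PSS, PKCS#1 v1.5); here it is reduced mod n
    # because the toy modulus is far smaller than a 256-bit digest.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(data, n), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data, n)

# Constructed scenario: an executive approves a contract; an insider alters the amount.
CONTRACT = b"Approve contract C-1001 for 12,500 USD"
ALTERED = b"Approve contract C-1001 for 125,000 USD"

# Fixed Mersenne primes so the example is deterministic (constructed key material).
EXEC_PUBLIC, EXEC_PRIVATE = make_toy_keypair((1 << 61) - 1, (1 << 31) - 1)
INSIDER_PUBLIC, INSIDER_PRIVATE = make_toy_keypair((1 << 89) - 1, (1 << 19) - 1)

def run_scenario() -> dict:
    """Return, per mechanism, whether each property holds; every value should be True."""
    shared_key = b"constructed-shared-secret"
    published_hash = sha256_hex(CONTRACT)
    exec_sig = sign(EXEC_PRIVATE, CONTRACT)
    return {
        # Hash: detects the change, but an insider who recomputes the hash passes the check.
        "hash_detects_alteration": not hash_matches(ALTERED, published_hash),
        "hash_fooled_if_recomputed": hash_matches(ALTERED, sha256_hex(ALTERED)),
        # HMAC: detects the change, but anyone holding the shared key can make a valid
        # tag, so a valid tag cannot prove WHICH key holder approved the contract.
        "hmac_detects_alteration": not hmac_valid(
            shared_key, ALTERED, hmac_tag(shared_key, CONTRACT)),
        "hmac_forgeable_by_any_key_holder": hmac_valid(
            shared_key, ALTERED, hmac_tag(shared_key, ALTERED)),
        # Signature: verifies under the executive's public key only for the unaltered
        # text, and a signature from any other private key fails under that key.
        "signature_verifies_original": verify(EXEC_PUBLIC, CONTRACT, exec_sig),
        "signature_rejects_alteration": not verify(EXEC_PUBLIC, ALTERED, exec_sig),
        "signature_rejects_other_signer": not verify(
            EXEC_PUBLIC, CONTRACT, sign(INSIDER_PRIVATE, CONTRACT)),
    }

if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check:36} {result}")
```

The hash and the HMAC both catch the altered amount, which is integrity verification. Only the signature answers the non-repudiation question, because the verifier holds just the executive's public key and the insider's key produces a value that fails under it. This is the reason Question 2 below rejects the hash-in-audit-log option: the hash proves the document is unchanged, not who approved it.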

Gap Analysis

A gap analysis compares the current state of security to the desired state. It identifies where controls are missing, insufficient, or misaligned with policy or compliance requirements.

A gap analysis typically includes:

  1. Defining the target state (framework, standard, or policy requirements)
  2. Assessing the current state (existing controls, configurations, processes)
  3. Identifying gaps between current and target
  4. Prioritizing gaps based on risk
  5. Developing a remediation plan

CompTIA tests gap analysis as a practical tool. When a question describes an organization preparing for a compliance audit, implementing a new framework, or evaluating security maturity, gap analysis is often the first step.
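The five steps above map directly onto a small program. The following is an added worked example for this module, not from the study guide: a constructed mini-framework stands in for the target state, a constructed control inventory for the current state, and the remaining steps identify the gaps, score them by risk and produce an ordered remediation plan. The requirement IDs, the impact/likelihood scale and the rule that a partially implemented control halves exposure are assumptions made for illustration.

```python
"""Gap analysis in five steps: target state, current state, gaps, risk ranking, plan.

Added example for this module (not from the study guide). The framework requirements,
control statuses and scoring weights below are constructed assumptions.
"""
from dataclasses import dataclass

@dataclass
class Requirement:
    req_id: str
    description: str
    impact: int        # 1 (low) .. 5 (high): harm if the control is absent
    likelihood: int    # 1 .. 5: how likely the threat the control addresses is

@dataclass
class Gap:
    req_id: str
    description: str
    status: str        # "missing" or "partial"
    risk_score: int
    action: str

# Assumption: a partially implemented control halves the exposure of a missing one.
STATUS_WEIGHT = {"missing": 1.0, "partial": 0.5}

def step1_target_state() -> list:
    """Step 1: the desired state, here a constructed five-control mini-framework."""
    return [
        Requirement("AC-1", "MFA enforced for all remote access", impact=5, likelihood=4),
        Requirement("CR-1", "Laptops encrypted at rest", impact=4, likelihood=3),
        Requirement("LG-1", "Central tamper-evident audit logging", impact=3, likelihood=3),
        Requirement("BK-1", "Tested offline backups", impact=5, likelihood=3),
        Requirement("CM-1", "Formal change approval for production", impact=3, likelihood=2),
    ]

def step2_current_state() -> dict:
    """Step 2: what the assessment of existing controls found (constructed inventory)."""
    return {
        "AC-1": "partial",      # MFA on VPN only, not on webmail
        "CR-1": "implemented",
        "LG-1": "missing",
        "BK-1": "missing",
        "CM-1": "implemented",
    }

def gap_analysis(target: list, current: dict) -> list:
    """Steps 3 and 4: identify gaps, score each as impact x likelihood x status weight, rank."""
    gaps = []
    for req in target:
        status = current.get(req.req_id, "missing")   # an unassessed control counts as missing
        if status == "implemented":
            continue
        weight = STATUS_WEIGHT.get(status, 1.0)       # unknown status strings treated as missing
        score = round(req.impact * req.likelihood * weight)
        verb = "Implement: " if status == "missing" else "Complete rollout: "
        gaps.append(Gap(req.req_id, req.description, status, score, verb + req.description))
    gaps.sort(key=lambda g: (-g.risk_score, g.req_id))  # highest risk first, stable on ties
    return gaps

def remediation_plan(gaps: list) -> list:
    """Step 5: ordered (priority, requirement id, action) tuples for the remediation plan."""
    return [(i + 1, g.req_id, g.action) for i, g in enumerate(gaps)]

if __name__ == "__main__":
    for priority, req_id, action in remediation_plan(
            gap_analysis(step1_target_state(), step2_current_state())):
        print(f"{priority}. [{req_id}] {action}")
```

With the constructed inputs, offline backups rank first (missing, score 15), the partial MFA rollout second (score 10) and central logging third (score 9); the two implemented controls produce no gap. The point the exam tests is the ordering of the steps: the plan is the last output, and nothing is purchased or deployed before the gaps are known and ranked.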


The Triad in Conflict

One of the most important concepts for the exam: the CIA principles can conflict with each other.

  • Confidentiality vs. availability: Encrypting data protects confidentiality but can slow access (reducing availability). Requiring MFA increases confidentiality but adds friction.
  • Integrity vs. availability: Strict change control protects integrity but can delay critical patches. Requiring multiple approvals ensures integrity but slows response times.
  • Availability vs. confidentiality: Making systems highly available may require wider access, which can reduce confidentiality.

The exam tests whether you can balance these tensions based on the scenario. A healthcare system prioritizes availability (patient care). A military system prioritizes confidentiality (classified data). A financial system prioritizes integrity (transaction accuracy).


Pattern Recognition

Security+ questions on the CIA triad follow these patterns:

  • Scenario identification: "Data was modified during transmission without detection." Which principle was violated? (Integrity)
  • Control mapping: "Which control BEST protects the confidentiality of data at rest?" (Encryption)
  • Priority determination: "An e-commerce site must process transactions accurately above all else." Which principle is PRIMARY? (Integrity)
  • Non-repudiation triggers: Any question about proving an action occurred or preventing denial points to digital signatures
  • Gap analysis triggers: Questions mentioning "preparing for compliance" or "assessing current state" point to gap analysis

Trap Patterns

Common wrong answers and why they are wrong:

  • Confusing confidentiality with integrity: Data encryption protects confidentiality (prevents unauthorized reading). Hashing protects integrity (detects unauthorized changes). They are not interchangeable
  • Assuming availability means uptime only: Availability also includes timely access. A system that is online but so slow that users cannot work has an availability problem
  • Confusing authentication with non-repudiation: Logging in proves identity at that moment. Non-repudiation proves a past action cannot be denied. A digital signature provides non-repudiation; a password does not
  • Selecting the wrong priority: If the scenario describes a hospital, availability is likely the priority. If it describes a law firm, confidentiality is likely the priority. Read the context

Scenario Practice


Question 1

A financial institution discovers that transaction records were altered during transmission between branch offices. The altered records resulted in incorrect account balances for several customers.

Which security principle was PRIMARILY violated?

A. Availability of the transaction processing systems across branch offices
B. Confidentiality of customer financial data during network transmission
C. Integrity of the transaction records during transmission between locations
D. Non-repudiation of the transactions submitted by branch office staff

Answer & reasoning

Correct: C

The records were altered — this is a modification issue, which is integrity. The data was not exposed to unauthorized parties (not confidentiality) and the system was still operational (not availability).

Non-repudiation is about proving who performed an action, which is not the issue here.


Question 2

A company needs to prove that a specific executive digitally approved a contract and cannot later deny having done so. The legal team requires cryptographic evidence of the approval.

Which mechanism should be implemented to meet this specific requirement?

A. Encrypt the contract document using the executive's public encryption key
B. Require the executive to apply a digital signature using their private key
C. Store the contract in a system protected by multi-factor authentication
D. Create a hash of the contract and store it in a secure audit log system

Answer & reasoning

Correct: B

Non-repudiation requires proof that a specific individual performed an action. Digital signatures, created with the signer's private key, are the primary mechanism. Only the executive's private key can create that signature.

Encryption proves confidentiality, not identity. MFA proves current authentication, not past action. Hashing proves integrity of the document but not who approved it.


Question 3

An organization is adopting a new compliance framework and needs to understand where its current security posture falls short of the framework requirements before committing resources.

What should the organization perform FIRST?

A. Deploy additional security controls across the environment immediately
B. Conduct a gap analysis comparing current controls to framework requirements
C. Hire external consultants to replace the existing security architecture
D. Purchase a governance risk and compliance platform for automated tracking

Answer & reasoning

Correct: B

Before spending money or making changes, the organization needs to understand the gap between where it is and where it needs to be. A gap analysis is always the first step when adopting a new framework.

Deploying controls without understanding gaps wastes resources. Hiring consultants or buying tools may be appropriate later, but assessment comes first.


Key Takeaway

The CIA triad is not just a definition to memorize — it is a decision framework. Every security scenario on the exam maps back to confidentiality, integrity, or availability. Your job is to read the scenario, identify which principle is at stake, and select the control that addresses that specific principle. When non-repudiation appears, think digital signatures. When gap analysis appears, think "assess before you act." The triad is the lens through which CompTIA views every security decision.

Next module: Module 3, Authentication, Authorization, and Accounting (AAA)