Security for Beginners
by Sergey Okinchuk
What Security Actually MeansThreats, Vulnerabilities, and Risk
Topic 02

The Three Things We Protect

Concept

When someone says a system is "secure," what exactly is being kept safe? It is a fair question, and the answer is surprisingly tidy. Almost everything in security is protecting one of just three things: keeping information secret, keeping it correct, and keeping it available.

Security people call these three the CIA triad — confidentiality, integrity, and availability. (No relation to the spy agency; it is just the initials.) Once you have these three slots in your head, nearly every attack and defense in the rest of this course drops neatly into one of them.

The CIA triad — the three goals every defense serves
Confidentiality — kept secret
only the right people can read it · broken by a leak
Integrity — kept correct
the information is accurate and unaltered · broken by tampering
Availability — kept reachable
it is there when you need it · broken by an outage or attack

Confidentiality: Only the Right People Can Read It

Confidentiality means information is seen only by those who are supposed to see it. When Olivia messages a friend, the contents should stay between the two of them; when she logs into her bank, her balance is hers to see, not a stranger's. The opposite of confidentiality is a leak — information reaching someone who should never have had it.

This is the slot most people imagine when they think "security," and it matters enormously. But it is only one of three, and a system that nails secrecy while failing the other two is still failing.

Integrity: It Stays Correct

Integrity means the information is accurate and has not been changed by anyone who shouldn't. Olivia's bank balance must be the real number — not one an attacker quietly edited. A medical record, a contract, the price on a checkout page: all of these have to be trustworthy, and integrity is the promise that they are. The opposite is tampering, where data is altered behind your back.

Notice that this is a different worry from secrecy. An attacker who can't read your data might still be able to change it — and a changed-but-readable record can be just as harmful as a stolen one, sometimes more.

Availability: It Is There When You Need It

Availability means the system actually works when you go to use it. Olivia's banking app loading on payday, a hospital's records being reachable during an emergency, a shop's website staying up on its busiest day — that is availability. The opposite is an outage: the system is down, and being down can be just as damaging as being leaked.

Availability is the slot people most often forget is a security concern at all. But knocking a system offline on purpose is a real and common attack, which is why "is it up?" sits right alongside "is it secret?" as something defenders protect.

Why Three, and Not One

The three goals are separate, and protecting one does nothing for the others. A database that is perfectly secret but permanently offline is useless; a website that is always up but serving tampered prices is dangerous. So defenders weigh all three together, and this is why "is it encrypted?" is never the whole security question — encryption mostly helps with confidentiality and leaves integrity and availability still to be handled.

Each goal can fail on its own — the other two stay intact
Confidentiality fails
Passwords leak to an attacker — the system stays up and the data is unaltered, but secrecy is gone.
Integrity fails
An attacker quietly changes a transfer amount — the site stays up and nothing is exposed, but the number is wrong.
Availability fails
A flood of fake traffic takes a bank offline — the data is correct and private, but nobody can reach it.
Common Confusions
  • "Security just means keeping things secret." Secrecy is only one of the three goals. Keeping data correct (integrity) and keeping it reachable (availability) are just as much part of security.
  • "Availability isn't really a security thing — that's just reliability." Deliberately knocking a system offline is a genuine attack. Being there when needed is a defended property, not just an engineering nicety.
  • "Integrity and confidentiality are basically the same." Confidentiality is about who can read the data; integrity is about whether it is still correct. An attacker can break one without the other.
  • "If it's encrypted, all three are covered." Encryption mainly protects confidentiality. A system can be encrypted and still be tampered with or taken offline, so the other two goals still need their own defenses.
Why It Matters
  • The CIA triad is a three-slot checklist you will reuse on almost every later topic — when you meet an attack, you can ask which of the three it breaks.
  • It explains why "is it encrypted?" is never the full story: encryption is mostly about one of the three goals, not all of them.
  • It puts availability on the map as a security concern, so a deliberate outage reads as an attack rather than bad luck.

Knowledge Check

An attacker secretly changes the amount on a bank transfer, without reading anyone's private data. Which part of the CIA triad has been broken?

  • Integrity
  • Confidentiality
  • Availability
  • None of the three — editing data isn't a security issue

Why isn't availability just "reliability" rather than a security concern?

  • Because a deliberate outage is a real attack, not just bad luck
  • Because keeping a system online is the same as keeping its data secret
  • Because availability only refers to whether your password still works
  • It actually isn't a security concern; it was added to the list by mistake

Why do defenders care about all three goals instead of just encrypting everything?

  • Encryption mainly protects secrecy, not correctness or availability
  • Because encryption is far too slow to ever use on real systems
  • Because protecting any one goal automatically covers the other two as well
  • Because secrecy doesn't actually matter, only uptime does

You got correct