We Got it WRONG When it Comes to the CIA Triad

Cheryl Abram
7 min read · May 19, 2022

Confidentiality, integrity, and availability, also known as CIA, is a model designed to guide policies for information security within an organization. Its purpose is to ensure security and reliability of information systems.

So where does our interpretation of CIA go wrong?

First, our view of a system is incomplete.🔭

A system is not just machines and data. It includes people and processes. Specifically, a system is a collection of entities, seen by someone as working together to produce something. Even more specifically, an information system is an integral part of an organization that supports the communication and sharing (internal and external) aspects of the business.

According to NIST, an information system is:

An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Second, our understanding of information is incomplete and somewhat skewed.📨

Central to information is the person or situation out of which it emerges, not the system that holds or controls it (unless that system is also the person or situation).
Information is much more than the analog converted to digital.

Its channels are not just relegated to radio waves, electricity, light and chemicals. If we are working to ensure people and organizations can effectively manage risks associated with working and living in the digital world, we need to fully know and understand what information actually is.

To aid you in seeing how an upgraded POV of “system” and “information” can impact how we think and what we do in regards to CIA, moving forward, when you see the word “information” in this post I want you to think of “people and processes”.

Finally, our understanding of our role in securing information is ancient, disrespectful and impossible to perform.

CIA is meant to “… ensure security and reliability of information systems”, meaning our role as cybersecurity professionals is to protect, defend and secure information systems from natural and man-made threats.

It’s a noble but impossible job.

Security is like health. How do you protect, defend and secure the health of another person?

You can’t!!!!!! At the end of the day, they make the final decision on how healthy they want to be.

Cyber professionals are fighting a losing battle when it comes to keeping information private, accessible to only those who need it, and trustworthy. It’s time to get with the program.

The growing uselessness of the CIA triad is largely due to our understanding, but also to technological innovations, sophisticated hackers with no rules and regulations, and the countless uses of today’s digital information by individuals and businesses.

You cannot secure information when it does not want to be secured — to the degree that you (and the business) want to secure it.

“Thou shalt be secure”, has never and will never work.

It’s also hard to impose security when you have so many legal constraints and ethical boundaries… that adversaries and attackers do not adhere to.

In addition, people choose to share their information because they value the convenience, profit, usefulness, and knowledge that sharing brings.

The primary vulnerability in information systems is the information!

Information must be communicated, moved, changed, and manipulated in a hundred different ways so it can do what information is purposed to do.


Think of information as your front door. Yes there is risk that, burglars, bugs, uninvited in-laws, and criminals can come through the door, but the door also provides opportunity for people you love, your door dash order, and your Amazon packages to get to you quickly and easily.

You’re not going to get rid of your front door (avoid the risk), block it with concrete (mitigate the risk), not tell anyone about it (mitigate the risk) or burn the house down (avoid the risk) because there’s the possibility something awful can come through the door.

Face it, people (including you and me) are willing to be “known” and “informed” in order to make the day-to-day a little easier, our bank accounts a little fatter, and our reputation and work visible and known by other information systems.

So, what do I propose?

I suggest we “join em” since we can’t “beat em”. Let’s realize that information does want the freedom to be known and used, just as Steve Wozniak said. To something that wants the freedom to be known, security that is imposed sounds and feels like imprisonment. Unless you are an officer at Shawshank, your job is not to “secure” that which prefers to be free.


Information is not created sui generis from people and people want to share, be valued and be known.

My security is not your responsibility.

It’s MY responsibility because only I have the power and accountability to choose how secure I want to be.

Let’s try using the S.A.V. (pronounced “save”) MODEL OF INFORMATION FREEDOM

Creating organizational policies, practices and training that value digital citizens (the people who share information within and across the enterprise) is how Chief Information Security Officers (CISOs) and other cyber professionals can cease trying to stifle the freedom to choose security, and instead harness its energy and potential.

This model is influenced by the idea of “holistic security”. Cyber professionals are here as “human rights defenders” for the digital world. Our mission is to ensure everyone’s right and freedom to be secure.

SHARING (we refer to this as confidentiality and availability which is about “things” not people)
Information sharing describes our role in facilitating the preservation and exchange of data between various organizations, people and technologies. There are several types of information sharing:
📌Information shared by individuals (such as a video shared on Facebook or YouTube)
📌Information shared by organizations (such as the RSS feed of an online weather report)
📌Information shared between firmware/software (such as the IP addresses of available network nodes or the availability of disk space)

The advent of widely distributed networks, intranets, cross-platform compatibility, application porting and the standardization of IP protocols have all facilitated the huge growth in global information sharing.

Information sharing is increasing as more networks and organizations connect and information becomes easier to share across the internet. This is all energy that can be used to move forward security education and profitable security decisions.

INTEGRATING (We currently see this as “integrity”, which is about the truthfulness of data, not the integration of people)

Integrated security is applied together or as one.

Physical security is applied with security software in the virtual environment. Systems and devices and work are compatible and interoperable. Employees are involved in providing feedback, suggestions, and identifying security holes and opportunities. Security policies and procedures are clearly understood by all who will be working with and in the information system so the expectation is that they will have input in its implementation.

VALUING is the monetization, management, and measuring of the information shared and used. The discipline of infonomics takes you beyond thinking and talking about information as an asset to actually valuing and treating it as one. Infonomics provides the foundation and methods for quantifying information asset value and tactics for using the information as your competitive edge to drive growth.

This perspective also makes easier the task of threat modeling, asset management, knowledge management, and a plethora of other processes that depend on our knowledge of what’s most important to the organizational mission and culture.

Each of these aspects of information freedom describes information and the person from whom the information originates. It’s a person-centered model that needs to be considered, tested, further researched, and implemented.

Listen to my video on CIA and Computer Love!


Written by Cheryl Abram

A spiritual doula working in cybersecurity. Follow me on YouTube http://www.youtube.com/personcenteredcyber & LinkedIn.