SWOT analysis of the CIA Triad

This paper will compare and contrast the basic premises of the CIA Triad.  In addition, a SWOT analysis will be conducted as a means to examine and discuss issues related to the CIA Triad.    This paper will be divided into two different sections. Section one will provide a brief introduction to the concepts of information security and the CIA Triad.  Section two will discuss the SWOT analysis and conduct a SWOT analysis of the CIA Triad.  

Introduction

Information security refers to any set of techniques or routines that an organization or individual deploys to ensure its valued information remains secure and accessible. In order to prepare information security measures, an organization must first conduct a risk analysis (Dale & Lewis, 2009).  Dale and Lewis (2009) define risk as the coupling of a threat with a vulnerability.  The risk analysis will indicate which information is most crucial to safeguard, identify potential risks, and determine how likely a risk may manifest. The preparations taken to reduce that risk is the key concern of information security.  The CIA Triad, discussed next, provides a helpful framework and guidelines to theorize about how to develop threat prevention techniques and counter-measures. 

The CIA Triad refers to one of the more fundamental concepts in information security.  The triad is a reference to the three cornerstones of the concept: confidentiality, integrity, and availability.  It should be noted that the CIA Triad is not the only such formulation of information security in the internet age.  There are other types with still more complex formulations such as the Parkerian hexad.  The Parkerian hexad incorporates such concepts as Confidentiality,  Control, Integrity, Authenticity, Availability, and Utility. Security professionals are still debating whether the CIA Triad is enough of a foundation for information security.  There are still ongoing debates over what even constitutes adequate security preparations (Cherry, 2012; Dale & Lewis, 2009).  

All three components of the Triad are concerned with protecting information security and it is helpful to review them in some detail. Confidentiality refers to securing private or proprietary information on the Web from intercept by potentially hostile third parties.  The kinds of information that private individuals would want to be protected by confidentiality include banking statements, social security numbers, credit card numbers, industrial secrets and some forms of classified government information.  A key hallmark of user confidence in internet security is the knowledge that confidential information remains private.  It is also important to know that private information won't fall into the hands of a criminal organization. 

Integrity is the second cornerstone of the Triad.  Information is considered to have integrity when it is stored in locations where third parties will be unable to make unauthorized changes to it.  It is crucial that information stored on the Web, or in other repositories, be precise and accurate in order for it to be reliable and have integrity.  An example of a type of information that has been tampered with would be the size of a money transfer.  If an individual indicates that the value of a money transfer is only $150, but a third party changes the value to $15,000, then the security protocols that enabled this to happen are said to lack integrity.  This mistake could also be quite costly to the individual who issued the money transfer.  This is particularly the case if the fraudulent transfer is redirected from its intended recipient to a third party. 

Cryptography is used to prevent unauthorized third parties or potential adversaries, from tapping into secure lines of communication and tampering with confidential information.  Its role is thus crucial in maintaining data integrity.  Some techniques that are used to maintain data integrity include hashing the data that was received and comparing it with the original sent version.  Another technique is to have the sender digitally sign the communication.  This can be done using GNU Privacy Guard (GPG).

The third component of the triad is availability.  Availability means that authorized individuals are able to access their own accounts and information on demand.  Preventing authorized parties from access to such information can take the form of what's called the distributed denial of service (DDos) attack.  DDos attacks are a not uncommon means of digital aggression against websites.  The main goal of such attacks is to prevent access to the website in question by the user base for a specified period.  This means the conduct of normal business operations becomes impossible.  The types of websites victimized by such attacks may be government or business-related.   Attacks can be undertaken with political or criminal objectives in mind.  In either case, this downtime can exact a significant expense on the proprietors of the website, government agency or business.  However, human agency is not the only factor that can interrupt the provision of web-related services.  Natural disasters can also shut down access to web sites and communications infrastructure.  This is particularly the case where power outages occur.  

The usual method to safeguard data in the event of such events is to ensure that all data is regularly backed up.  The backups should be kept in a safe, offsite location away from potential harm.   This harm may be caused by an agency that is either on or off the network.  When major operations are restored, the secured information can then be restored from backups.  There is one rule of thumb.  The more critical the information is to the user, then the more crucial it is to create multiple redundancies of their data. 

When comparing the three basic premises of the CIA Triad, the underlying problem that arises is data protection from unauthorized third parties.  Confidentiality, integrity, and availability are all premised on protecting data from tampering, blocking or pilfering by unauthorized entities.  These entities may have gained access by means of exploits in the websites security protocols.  Therefore solutions to protect that data are principally concerned with keeping third parties out from either having access to or taking control of the infrastructure on which the data is stored or transmitted.  

Where the premises are different is in the different ways that data can be exploited by a third party.  As noted above, confidentiality involves protecting data from unauthorized viewing by an external agent. It may be that a breach that results in an external party viewing the data, while disconcerting, does not lead to long term injury to affected parties.  That is, once affected users are notified, they can step to make changes to prevent further loss. Integrity means ensuring that an unauthorized party is unable to manipulate the data to serve criminal purposes.  Integrity takes the issues raised in confidentiality further by demonstrating how an unauthorized actor has the ability to change the information that is accessed.  Availability, may not lead to the kind of injury that integrity breaches would cause. Nor might it lead to the preventive measures confidentiality breaches would lead to.  However, lack of availability might lead to a considerable cost to a user who is not able to access bank accounts to pay creditors.  Thus security lockdowns, a natural disaster or DDos attacks can cause considerable harm to an individual user.

SWOT analysis

This section will review SWOT analysis and apply this technique to the CIA Triad. SWOT is an acronym that stands for Strength, Weakness, Opportunity, and Threat.  The analysis is used commonly in business enterprises to identify the strengths and weakness of the organization.  It can also be used to identify potential threats to the business or to major initiatives a business is undertaking.  SWOT analysis is often done on retreats or in group sessions in which key members of the management team collaborate and contribute ideas.  As such the key team member responsible for conducting the SWOT is a project manager.  The robustness of the analysis can also be bolstered by conducting surveys prior to undertaking the analysis.  Surveys with customers, users or even staff members, can help highlight an organization's strengths and weaknesses.  The results of surveys can also provide useful information on what strategies to adopt going forward. Also, SWOT analysis can be conducted at any phase of the implementation of a policy, program, product or service (Renault, n.d.).  

SWOT analysis is usually conducted in a table in which the applicable strengths and weaknesses are laid out in the graphical format. Under each attribute applicable lists are formulated.  The size and complexity of the table can vary with the size of the project, organization or project in question.  For this exercise the following table format will be used: 

(Table 1 omitted for preview. Available via download)

As seen in Table 1, the columns for strengths and threats are filled in.  These are the most applicable to this particular SWOT analysis.  The weaknesses and opportunities are not applicable in this case and are listed as unknown.  In fact, weaknesses and opportunities would most come in to play when discussing the kinds of issues more applicable to organizations rather than ideas.  Nevertheless, under internal, the strengths are listed.  These strengths refer to the methods an organization may take to protects its data under the CIA Triad.  It is hoped that these areas will be strong in an organization.  But the reality is that sometimes they are not.  The potential threats that the CIA Triad is set up to address are also listed. An organization must be aware of all the threats it may face and be prepared with the appropriate countermeasures.   The SWOT analysis can provide a good census of threats and countermeasures as balanced against the CIA Triad.  However, there is always the possibility that some information may be left out.

References

Chia, Terry. (2012, Oct. 20). Confidentiality, integrity, availability: The three components of the CIA Triad. Security.blogoverflow.com. Retrieved from http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad. July 2013. 

Dale, Nell B., John A. Lewis. (2009). Computer Science Illuminated.  Sudbury, M.A.: Jones & Bartlett Learning. 

Renault, Val. (n.d.). SWOT analysis: Strengths, weaknesses, opportunities, and threats. Ctb.ku.edu. Retrieved from http://ctb.ku.edu/en/tablecontents/sub_section_main_1049.aspx.  July 2013.