You are here: Home Contents V10 N3 V10N3_Samonas.html
Personal tools

The CIA Strikes Back: Redefining Confidentiality, Integrity and Availability in Security



Full text

Journal of Information System Security
Volume 10, Number 3 (2014)
Pages 2145
ISSN 1551-0123
Spyridon Samonas — Virginia Commonwealth University, USA
David Coss — Virginia State University, USA
Information Institute Publishing, Washington DC, USA




This paper reviews the history of the CIA (Confidentiality, Integrity and Availability)triad from the perspectives of information security practitioners and scholars.Whilst the former have trusted the technical orientation of the triad as a uniquepoint of reference in information security, the latter have questioned the triad’scapacity of addressing the breadth of socio-technical issues that have emerged insecurity since the 2000s. Through a revisiting of the key tenets of the triad, thepaper reconciles these two, seemingly fragmented, approaches. The main argumentis that the CIA triad will continue to assume a major role in information securitypractice. However, this is not due to the fact that practitioners have discarded, orrejected the enhancements that socio-technical security scholars have proposedover the years; rather, it is because these enhancements can be accommodated by abroader re-conceptualization of the original CIA triad. The paper concludes withpotential areas for future research.




Confidentiality, Integrity, Availability, Socio-technical security




Åhlfeldt, R.-M., Spagnoletti, P. and Sindre, G. (2007). Improving the Information Security Model by using TFI, In IFIP International Federation for Information Processing Proceedings, Vol, 232, No. 1: New Approaches for Security, Privacy and Trust in Complex Environments, Springer, pp. 73-84.

Anderson, J. (2002). Why we need a new definition of information security. Computer & Security, 22 (4), 308-313.

Angin, P., Bhargava, B., Ranchal, R., Singh, N., Othmane, L.B., Lilien, L. and Linderman, M. (2010). An Entity-centric Approach for Privacy and Identity Management in Cloud Computing, 29th IEEE Symposium on Reliable Distributed Systems, Oct 31-Nov 3 New Delhi, India.

Backhouse, J. and Halperin, R. (2009). Approaching interoperability for identity management systems, Springer.

Baskerville, R. (1988). Designing information systems security, Wiley, Chichester England; New York.

Baskerville, R. (1993). Information systems security design methods: implications for information systems development, ACM Computing Surveys (CSUR), 25, 4, 375-414.

Baskerville, R. L., & Myers, M. D. (2009). Fashion waves in information systems research and practice. MIS Quarterly, 33(4), 3.

Benassi P. (1999). TRUSTe: an online privacy seal program. Communications of the ACM Volume 42 Issue 2, Feb. 1999, 56 – 59.

Benbasat, I., & Zmud, R. W. (1999). Empirical research in information systems: the practice of relevance. MIS Quarterly, 3-16.

Bell, D., and La Padula, L. (1975). Secure Computer System: Unified Exposition and Multics interpretation. Technical Report ESD-TR-75-306, The MITRE Corporation, Bedford, MA.

Biba, K.J. (1975). Integrity Considerations for Secure Computer Systems. Technical Report MTR-3153, MITRE Corporation, Bedford, MA.

Bowen, S. A. (2004). Organizational Factors Encouraging Ethical Decision Making: An exploration into the case of an exemplar. Journal of Business Ethics 52(4), 311-324.

Camp, L. J. (1999). Web security and privacy: An American perspective. The Information Society, 15(4), 249-256.

Canhoto, A. I. and Backhouse, J. (2007). Profiling under conditions of ambiguity—An application in the financial services industry, Journal of Retailing and Consumer Services, 14, 6, 408-419.

Cardinali, R. (1995). Reinforcing our moral vision: Examining the relationship between unethical behavior and computer crime. Work Study 44(8), 11-17.

Cavoukian, A. (2009). Privacy by design: The 7 foundational principles. Information and Privacy Commissioner of Ontario, Canada Chapman, M. (2012). In Information security management handbook, (Eds, Tipton, H. F. and Krause, M.), CRC Press.

Choobineh, J., Dhillon, G., Grimaila, M. R. and Rees, J. (2007). Management of information security: Challenges and research directions. Communications of the Association for Information Systems, 20, 1, 57.

Chowdhuri, R., Dhillon, G., & Harris, M. A. (2012). Understanding Information Security. Journal of Information System Security, 8(2).

Cody-Allen E., Kishore R. (2006). An Extension of the UTAUT Model with E-Quality, Trust, and Satisfaction Constructs, Proceedings of the SIGMIS conference, April 13-15, Claremont, CA, USA, ACM Press, 82-89

Choobineh, J., Dhillon, G., Grimaila, M. R., & Rees, J. (2007). Management of information security: Challenges and research directions. Communications of the Association for Information Systems, 20(1), 57.

Coss, D. L. (2013). Cloud Privacy Audit Framework: A Value-Based Design (Doctoral dissertation, Virginia Commonwealth University, Richmond, Virginia).

Cowan, D. (2012). Comment: Too Much Security May Affect Business Processes, Infosecurity, 27 June 2012,, last accessed on 16th July 2014.

D'Arcy, J. & Greene, G. (2009). The multifaceted nature of security culture and its influence on end user behavior. In International Workshop on Information Systems Security Research (pp. 145-157).

Denning, D. E. (1987). An intrusion-detection model. Software Engineering, IEEE Transactions on, (2), 222-232.

Dhamija, R., & Dusseault, L. (2008). The seven flaws of identity management: Usability and security challenges. IEEE Security & Privacy, 6(2), 24-29.

Dhillon, G. (1995). Interpreting the management of information systems security, Department of Information Systems, The London School of Economics and Political Science (LSE), London, UK.

Dhillon, G. (2001). Information security management: Global challenges in the new millennium, Idea Group Publishing, London, UK.

Dhillon, G. (2007). Principles of information systems security: text and cases, John Wiley & Sons, Hoboken, NJ.

Dhillon, G. and Backhouse, J. (1996). Risks in the use of information technology within organizations, International Journal of Information Management, 16, 1, 65-74.

Dhillon, G. and Backhouse, J. (2000). Technical opinion: Information system security management in the new millennium, Communications of the ACM, 43, 7, 125-128.

Dhillon, G. and Backhouse, J. (2001). Current directions in IS security research: towards socio ‐ organizational perspectives, Information Systems Journal, 11, 2, 127-153.

Dhillon, G., Oliveira, T., Susarapu, S., & Caldeira, M. (2012). When Convenience Trumps Security: Defining Objectives for Security and Usability of Systems. In Information Security and Privacy Research (pp. 352-363). Springer Berlin Heidelberg.

Dhillon, G. and Kolkowska, E. (2011). Can a cloud be really secure? A socratic dialogue, In Computers, privacy and data protection: an element of choice, Springer, pp. 345-360.

Dhillon, G. and Torkzadeh, G. (2006). Value-focused assessment of information system security in organizations. Information Systems Journal, 16, 3, 293-314.

Dinev, T., Xu, H., Smith, J. H., and Hart, P. (2013). Information privacy and correlates: an empirical attempt to bridge and distinguish privacy-related concepts. European Journal of Information Systems, 22(3), 295-316.

Eibl, C. J. and Schubert, S. E. (2008). Development of e-learning design criteria with secure realization concepts, In Informatics Education-Supporting Computational Thinking, Springer, pp. 327-336.

Fieser, James, Ethics, The Internet Encyclopedia of Philosophy (2006), at (accessed on 30 December 21, 2014).

Fitzgerald, K. J. (1995). Information security baselines. Information Management & Computer Security, 3(2), 8-12.

Gattiker, U.E. and H. Kelley: 1999, Morality and computers: Attitudes and differences in judgments, Information Research, 10(3); p. 233

Gill, G., & Bhattacherjee, A. (2009). Whom are we informing? Issues and recommendations for MIS research from an informing science perspective. MIS Quarterly, 33(2), 3.

Gollmann, D. (2010). Computer security. Wiley Interdisciplinary Reviews: Computational Statistics, 2(5), 544-554.

Gopalakrishnan, A. (2009). Cloud computing identity management. SETLabs briefings, 7(7), 45-54.

Gunson, N., Marshall, D., Morton, H. and Jack, M. (2011). User perceptions of security and usability of single-factor and two-factor authentication in automated telephone banking, Computers & Security, 30, 4, pp. 208-220.

Hall, E. T. (1969). The silent language. 1959. Hidden Dimension.

Halperin, R. (2006). Identity as an emerging field of study, Datenschutz und Datensicherheit - DuD, 30, 9, 533-537.

Halperin, R., & Backhouse, J. (2007). Using structuration theory in IS research: Operationalizing key constructs. Proceedings of the International Conference on Information Systems, (ICIS), p127.

Halperin, R., & Backhouse, J. (2008). A roadmap for research on identity in the information society. Identity in the information society, 1(1), 71-87.

Harrington, S. J. (1996), The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly 20(3), 257-278.

Harris, S. (2002). CISSP all-in-one certification exam guide. New York, USA: McGraw-Hill/Osborne.

Harris, M. (2010). The Shaping of Managers' Security Objectives Through Information Security Awareness Training, Department of Information Systems, Virginia Commonwealth University, Richmond, Virginia, USA.

Hedström, K., Dhillon, G., & Karlsson, F. (2010). Using actor network theory to understand information security management. In Security and Privacy–Silver Linings in the Cloud (pp. 43-54). Springer Berlin Heidelberg.

Jensen, M., Schwenk, J., Gruschka, N., & Iacono, L. L. (2009). On technical security issues in cloud computing. In Cloud Computing, 2009. CLOUD'09. IEEE International Conference on (pp. 109-116). IEEE.

Joshi, J. B., Aref, W. G., Ghafoor, A., & Spafford, E. H. (2001). Security models for web-based applications. Communications of the ACM, 44(2), 38-44.

Katsikas, S. (2000). Health care management and information systems security: awareness, training or education? International Journal of Medical Informatics, 60(2), 129-135.

Katzan Jr, H. (2011). On the privacy of cloud computing. International Journal of Management & Information Systems,14(2).

Kolkowska, E., Hedström, K., & Karlsson, F. (2009). Information security goals in a Swedish hospital. In Security, assurance and privacy: organizational challenges. 8th Annual Security Conference, 15-16 April 2009, Las Vegas, USA.

Lewick, R. J., & Bunker, B. B. (1996). Developing and maintaining trust in work relationships. Trust in Organizations: Frontiers of Theory and Reach, 114-39.

Liebenau, J. and Backhouse, J. (1990). Understanding information: an introduction, Macmillan, London.

Luhmann, N. (1979). Trust and Power. Chichester: Wiley.

Luo, X. (2002). Trust production and privacy concerns on the Internet: A framework based on relationship marketing and social exchange theory. Industrial Marketing Management, 31(2), 111-118.

Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An integrative model of organizational trust. Academy of management review, 709-734.

McKnight, D. H., Choudhury, V., & Kacmar, C. (2002). Developing and validating trust measures for e-commerce: An integrative typology. Information Systems Research, 13(3), 334-359.

Olden, M. and Za, S. (2010). Biometric authentication and authorization infrastructures in trusted intra-organizational relationships, In Management of the Interconnected World, Springer, pp. 53-60.

Padayachee, K. (2012). Taxonomy of compliant information security behavior. Computers & Security, 31(5), 673-680.

Pearson, J. M., Pearson, A., and Shim, J. P. (2005). The Relevancy of Information Systems Research: The Practitioner’s View. Information Resources Management Journal (18:3), pp. 50-67.

Reichheld, F. F., Schefter, P., (2000). E-Loyalty: Your Secret Weapon on the Web, Harvard Business Review, 78 4 105.

Saltzer, J. H., & Schroeder, M. D. (1975). The protection of information in computer systems. Proceedings of the IEEE, 63(9), 1278-1308.

Sandhu, R., & Buell, D. A. (2003). Guest Editors' Introduction: Identity Management. IEEE Internet Computing, 7(6), 0026-28.

Samonas, S. (2012). Managing Computerized Bureaucracy: Opportunities and Hazards, Department of Management, Information Systems and Innovation Group, London School of Economics and Political Science (LSE), London, UK.

Sipior, J. C., B. T. Ward and G. R. Roselli (2005). The Ethical and Legal Concerns of Spyware. Information Management 22(2), 39-49.

Smithson, S. and Angell, I. (1991). Information systems management: opportunities and risks, Palgrave Macmillan.

Spagnoletti, P. and Resca, A. (2008) The duality of Information Security Management: fighting against predictable and unpredictable threats, Journal of Information System Security, 446-62.

Stamper, R. (1973). Information in business and administrative systems. John Wiley & Sons, Inc.

Straub Jr, D. W. (1990). Effective IS security: An empirical study. Information Systems Research, 1(3), 255-276.

van Deursen, N. (2014). HI-Risk: a Socio-Technical Method for the Identification and Monitoring of Healthcare Information Security Risks in the Information Society, Institute for Informatics and Digital Innovation, Edinburgh Napier University, Edinburgh, UK.

von Solms, R. and van Niekerk, J. (2013). From information security to cyber security, Computers & Security, 38, pp. 97-102.

Vroom, C., & Von Solms, R. (2004). Towards information security behavioural compliance. Computers & Security, 23(3), 191-198.

Wang, H, Lee, M, and Wang, C. (1998). Consumer Privacy Concerns about Internet Marketing. Communications of the ACM, March 1998, Volume 41, Number 3, 63-70.

Weir, C. S., Douglas, G., Carruthers, M. and Jack, M. (2009). User perceptions of security, convenience and usability for ebanking authentication tokens, Computers & Security, 28, 1-2, pp. 47-62.

Whitten, A., & Tygar, J. D. (1999). Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Usenix Security (August).

Williams, P. A. (2008). In a ‘trusting’ environment, everyone is responsible for information security. Information Security Technical Report, 13(4), 207-215.

Willison, R., & Warkentin, M. (2013). Beyond deterrence: an expanded view of employee computer abuse. MIS Quarterly, 37(1), 1-20.

Yan, L., Rong, C., & Zhao, G. (2009). Strengthen cloud computing security with federal identity management using hierarchical identity-based cryptography. Cloud Computing, 167-177.

Zucker, L. G. (1986). Production of trust: Institutional sources of economic structure, 1840–1920. Research in Organizational Behavior, Vol 8, 1986, 53-111.

Zwick, D., & Dholakia, N. (2004). Whose identity is it anyway? Consumer representation in the age of database marketing. Journal of Macromarketing, 24(1), 31-43.