Take the following three cases:
- Publishing publicly available information such as telephone records in the form of a telephone book
- A public messaging service such as Twitter
- Medical records at a doctor’s office
Each case will give pragmatic priority to one aspect of CIA over the others.
In the first case it's about integrity, not confidentiality or availability. If we publish telephone records, we want them to have integrity and be accurate most of all. We are not concerned about the confidentiality of the records (since they are public), and the availability of the book is dependent on the household resident.
In the second case it's about availability over confidentiality and integrity. Almost all Twitter accounts are public (confidentiality) and tweets are user-supplied input (integrity). In terms of the CIA triad, as an information security professional at Twitter we're probably most concerned with availability; since we do not want people to change others' tweets, integrity is second.
In the final case it's about confidentiality over availability and integrity. Sure, if we're in an emergency we would like our medical records to be instantly available to the doctors treating us. That's a rare circumstance. The reality is that confidentiality of my dental records is more important than availability at a moment's notice. And I hope the doctor recorded his analysis correctly and that the records are not taken out of the file cabinets and altered (integrity).
Neither article addresses the aspect of context, and it's my professional opinion that this is the source of a disagreement that should not be. Information security professionals would do well to pragmatically consider the situation and context of the entity they are protecting. Even though all members of the CIA triad deserve representation and consideration, the situation and context will determine which member of the CIA triad should deserve more focus than the others.