A colleague, who is quite "techie", had no idea what CIA meant. People may laugh at this, but to be honest, until a few years ago I was the same. It is easy, as say a desktop support guy, to concentrate on your job and not look at data risk; techies like techie stuff, and information security and data retention policies bore them to death.

The principles of CIA are logical and common sense, but put someone on the spot with "What is CIA?" and they have not got a clue.

Many people will say "I know what CIA is" and may feel this post is pointless, but just because you know it doesn't mean everyone does. My colleague is a pretty smart guy, but reading up on perhaps the more "boring" side of data security for a techie wasn't high on his list.

Here's the kicker: if you go for a security job, are asked about CIA in an interview and have no idea what they are talking about, you are not going to get the job. You can't work in IT security and not know what CIA means. Not knowing CIA in an interview is a big schoolboy error.
Below is what I sent him as an email. Relating it to yourself helps you understand it, so hopefully people who have heard of CIA but not paid too much attention to it can read this and "get it".
CIA (Confidentiality, Integrity, Availability) is a big thing in information security. Whenever you are assessing an incident, you'll need to think about which of these elements has been compromised: whether data was seen by someone who should not have seen it (confidentiality), whether it was altered or corrupted (integrity), or whether it was not there when it was needed (availability).

A lot of the "human error" I encounter is preventable: it is about people being lazy and taking shortcuts, or simply not relating the work they do (and the care they need to show) to how it could affect a real person.

If you apply things to your own viewpoint, or to your children, then suddenly, surprise-surprise, the penny drops and people get it.

In assessing whether there has been a data breach, you can apply CIA to it, e.g. by relating CIA to real life, against yourself as an individual:

– Medical records are confidential: they should only be accessed by the people that need access, e.g. medical staff and doctors; records accessed by unauthorised people can cause distress.
– Medical records should have integrity: they should be accurate, as your health or life could depend on it.
– Medical records should be available: if they are not available, the inability to provide the right care could put your health or life at risk.

Bottom line: your health and well-being is at risk. If your health and well-being, or that of your child, is important, so is the health and well-being of other people. Relate a situation to yourself, then flip it and translate it to another person.

The key thing that needs getting across to end users, especially about risk, is relating it to themselves. Once they understand that side, they can relate it better to other people and situations.

-----

Thanks for reading. If you like it and would like more posts like this, let me know in the comments!