Within the cybersecurity world, one of the well-established models for understanding security goals is the CIA triad, which stands for Confidentiality, Integrity, and Availability. This model is primarily formulated for information security and therefore recognizes the need for information to be confidential, have integrity, and be available. However, this model has been used more broadly beyond information security, for formulating information systems and network security goals.
The confidentiality goal means that data should only be accessed by people who have permission. Therefore, any access to data by people who are not authorized compromises data confidentiality – this includes incidents such as data leakages and breaches. The largest data breach ever reported was by Yahoo in 2017 in which 3 billion accounts were affected. In recent years, many other companies have also suffered data breaches, which are projected to cost $5 trillion globally by 2024. At an individual level, data breaches can have adverse impacts on the individuals affected, such as financial loss, psychological harm, and a threat to life.
Implied in confidentiality is the authentication goal, which is about ensuring the accuracy of the claimed identity. A standard attack against authentication involves compromising individuals’ account credentials through approaches such as guessing passwords, intercepting passwords across the network, or social engineering.
The integrity goal means that data has not been modified or corrupted, either during storage or during communication. Many attacks target information integrity – some of these involve the malicious modification of data, for example, to embed malware in documents. However, some of the threats to integrity are due to inadvertent human error or to the failure of data storage media.
The availability goal means that data should be accessible and available. Any partial or complete disruption of access to data compromises the availability goal. A ransomware attack, where attackers encrypt data and demand payment of ransom, is a good example of a disruption attack. Denial-of-service attacks are another common threat against availability, and one that is on the rise globally.
Considered in detail, the CIA triad allows organizations to think about information security and cybersecurity in a structured and systematic way. Many threat modeling approaches have been developed that help frame cybersecurity threats around the CIA triad, based on the specific digital resources owned or on the motivations of potential attackers and threat actors. Using such approaches helps organizations not only to identify potential cybersecurity risks but also to put in place appropriate mitigation strategies.
While the CIA triad is being effectively used across businesses and organizations for enhancing their cybersecurity, it is not enough for informing individuals’ cybersecurity goals. This is because the CIA model is framed with a focus on technical assets and resources and cannot account for the multi-faceted, non-technical, and cyber-enabled threats that individuals are exposed to online.
In our work on citizen cyber resilience, we have formulated a list of over 100 types of threats that individuals can be exposed to online. Of these, less than 40% are directly related to the CIA goals. This means that there is a lot more that individuals need to consider as far as their cybersecurity is concerned.
Some of these include social threats, such as cyberbullying, cyberstalking, and online scams, which make up about a third of the threats on our list. Recent studies have found that cyberbullying is on the increase, particularly among teenagers.
Other kinds of threats that individuals need to think about include cognitive and influence threats associated with misinformation and fake news as well as inappropriate online content.
For each of the various threats that individuals are exposed to, there are several responses that can be adopted to enhance cybersecurity. These include measures such as practicing good cyber hygiene through good password management, regular data backups, and keeping software on devices updated. Further, there are attitudes that individuals can embrace, such as being suspicious of email attachments from unknown senders, being critical of online content, and learning to spot fake news and misinformation on social media. Lastly, depending on the nature of the threats and the severity of the adverse cyber incidents, individuals have the option of engaging relevant authorities and agencies.
Individuals need to understand the response options that are available to them within their respective contexts. For example, in Macau, the Macau Emergency Response Team Coordination Centre (MOCERT) is one agency that provides support to local enterprises and the public on cybersecurity incident handling, promoting cybersecurity awareness, and sharing cybersecurity advisories. From a legislative point of view, the Office of Personal Data Protection (GPDP) ensures legal compliance as far as the Personal Data Protection Act (PDPA) is concerned. The office also handles complaints and reports of personal data protection violations.
There are also organizations that provide support through training and awareness-raising to improve individuals’ cybersecurity. The United Nations University institute in Macau is also working towards promoting the cyber resilience of the public in Macau and globally and is developing tools and resources to help individuals understand the threats they are exposed to online and how to handle those threats.
Overall, individuals need to think about their cybersecurity posture beyond the very narrow CIA goals, to consider all threats that limit and hamper the effective use of cyber resources.
Mamello Thinyane & Debora Christine
* Mamello Thinyane is a Principal Research Fellow at the United Nations University Institute in Macau. He leads research on Data and Sustainable Development and the Smart Citizen Cyber Resilience. Debora Christine is a Research Assistant at the United Nations University Institute in Macau. Her primary interests are on the nexus of development, media, ICTs, inequality and social exclusion, and the construction of knowledge.