Computer Security Basics: The CIA Triad and Core Principles
Computer security is the practice of protecting systems, networks, and data from unauthorized access, damage, disclosure, or destruction. This guide covers the CIA triad, attack surfaces, the distinction between threats, vulnerabilities, and risks, 5 threat categories, and 6 foundational security principles used in every professional security framework.
What Is Computer Security?
Computer security is a discipline that applies controls—technical, administrative, and physical—to protect information systems and the data they process. The goal is not to eliminate all risk, but to reduce risk to an acceptable level defined by organizational policy.
According to IBM’s Cost of a Data Breach Report 2023, the average cost of a data breach reached $4.45 million, a 15% increase over 3 years. Healthcare breaches averaged $10.93 million per incident—the highest of any industry.
Security applies to 3 asset categories: hardware (physical devices), software (operating systems, applications, firmware), and data (stored, processed, and transmitted information).
What Is the CIA Triad?
The CIA triad defines 3 core properties that every secure system must maintain: Confidentiality, Integrity, and Availability. Every security control exists to protect one or more of these 3 properties.
Confidentiality
Confidentiality ensures that information is accessible only to those authorized to access it. Unauthorized disclosure violates confidentiality. Controls include encryption, access control lists (ACLs), data classification, and multi-factor authentication (MFA).
Example violation: A database containing 50 million user credentials is exposed without encryption, allowing unauthenticated access to plaintext passwords.
Integrity
Integrity ensures that data is accurate and has not been modified by unauthorized parties. Controls include cryptographic hashing (SHA-256), digital signatures, version control, and checksums.
Example violation: An attacker intercepts a financial transaction and changes the recipient account number. The data arrives intact but altered—an integrity failure.
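The integrity failure above becomes detectable when the sender attaches a keyed tag to the transaction. The example below is added here and is not from the original article; it assumes a shared secret provisioned out of band and uses HMAC-SHA256 over a canonical JSON encoding, so changing only the recipient account number makes verification fail.

```python
import hashlib
import hmac
import json

# Constructed placeholder: a real key is provisioned out of band, never hard-coded.
SECRET_KEY = b"example-shared-secret-for-demo-only"


def canonical(transaction: dict) -> bytes:
    """Serialise deterministically so sender and receiver hash identical bytes."""
    return json.dumps(transaction, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(transaction: dict, key: bytes = SECRET_KEY) -> str:
    """Sender side: HMAC-SHA256 tag over the canonical transaction."""
    return hmac.new(key, canonical(transaction), hashlib.sha256).hexdigest()


def verify_transaction(transaction: dict, tag: str, key: bytes = SECRET_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = sign_transaction(transaction, key)
    return hmac.compare_digest(expected, tag)


def demo() -> tuple:
    """Constructed transfer instruction; returns (untouched_ok, tampered_ok)."""
    original = {"from": "ACC-1001", "to": "ACC-2002", "amount": 2500.00, "currency": "EUR"}
    tag = sign_transaction(original)

    # Message received exactly as sent: tag verifies.
    untouched_ok = verify_transaction(original, tag)

    # Same message with only the recipient changed in transit: tag no longer matches,
    # because the party altering the field does not hold the key and cannot recompute it.
    tampered = dict(original, to="ACC-9999")
    tampered_ok = verify_transaction(tampered, tag)

    return untouched_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

An unkeyed SHA-256 checksum sent alongside the message detects accidental corruption only, since whoever alters the message can recompute it; deliberate tampering is caught only when the digest is keyed (a MAC) or signed, or travels over a separate trusted channel.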
Availability
Availability ensures that authorized users can access systems and data when needed. Controls include redundancy, failover systems, DDoS mitigation, and backup infrastructure.
Example violation: A Distributed Denial of Service (DDoS) attack floods a web server with traffic, rendering a banking application inaccessible for 4 hours—an availability failure.
What Is an Attack Surface?
An attack surface is the total set of points where an unauthorized user can attempt to enter a system or extract data from it. The smaller the attack surface, the fewer points an attacker can probe and the fewer a defender must monitor.

Attack surfaces include 3 categories:
- Digital attack surface: Open network ports, web application endpoints, APIs, software vulnerabilities, and misconfigured services accessible over a network.
- Physical attack surface: Server rooms, USB ports, exposed hardware, unattended workstations, and physical media such as hard drives.
- Social engineering attack surface: Employees who can be manipulated through phishing, pretexting, or impersonation to disclose credentials or grant access.
Attack surface reduction is achieved by disabling unused services, closing unnecessary ports, removing unnecessary software, applying network segmentation, and enforcing the principle of least privilege.
Threat vs. Vulnerability vs. Risk: What Is the Difference?
These 3 terms have distinct meanings in professional security contexts but are frequently, and incorrectly, used interchangeably:
- Threat: Any potential event or actor that could cause harm to an asset. Threats are external to the system. Examples: a ransomware group, a disgruntled employee, a natural disaster.
- Vulnerability: A weakness in a system that a threat can exploit. Examples: an unpatched software flaw (CVE), a weak password policy, an unlocked server room.
- Risk: The probability that a threat will exploit a vulnerability and the resulting impact. Risk = Threat × Vulnerability × Impact. Risk is measured and prioritized, not eliminated entirely.
What Are the 5 Primary Threat Categories?
Security threats are organized into 5 categories based on their origin and mechanism:
- Malware: Malicious software including viruses, worms, trojans, ransomware, and spyware. Malware executes unauthorized code on a system to steal data, encrypt files, or establish persistent access. In 2023, ransomware attacks increased by 95% over the prior year (NCC Group).
- Social engineering: Psychological manipulation of users to disclose credentials or perform actions that compromise security. Phishing accounts for 36% of all data breaches (Verizon DBIR 2023).
- Network attacks: Exploits targeting network infrastructure including man-in-the-middle (MitM) attacks, DDoS attacks, ARP spoofing, DNS poisoning, and packet sniffing.
- Insider threats: Threats originating from current or former employees, contractors, or partners with authorized access. Insider threats account for 19% of data breaches (Verizon DBIR 2023). Insiders can be malicious (intentional) or negligent (accidental).
- Physical threats: Unauthorized physical access to hardware, theft of devices, destruction of infrastructure, and tampering with physical components. Physical threats bypass all software-based security controls if not independently mitigated.
What Is Defense in Depth?
Defense in depth is a layered security strategy that deploys multiple independent controls so that the failure of one control does not compromise the entire system. The model originates from military strategy: multiple defensive lines force an attacker to overcome each layer independently.
A 7-layer defense-in-depth model includes:
- Physical security: Locked server rooms, badge access, CCTV, biometric readers.
- Network perimeter: Firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS).
- Network internal: Network segmentation, VLANs, zero-trust network access (ZTNA).
- Host security: Endpoint protection, host-based firewalls, OS hardening, patch management.
- Application security: Secure coding practices, input validation, web application firewalls (WAF).
- Data security: Encryption at rest (AES-256) and in transit (TLS 1.3), data loss prevention (DLP).
- User and identity: MFA, privileged access management (PAM), user behavior analytics (UBA).
What Are the 6 Foundational Security Principles?
6 principles define sound security architecture, originally formulated by Jerome Saltzer and Michael Schroeder in their 1975 paper The Protection of Information in Computer Systems:
- Least privilege: Every user, process, and system should operate with the minimum permissions required to perform its function. Excessive permissions increase the blast radius of a compromise.
- Separation of duties: No single user or process should have the ability to complete a sensitive transaction alone. Requires multiple parties for high-impact actions, preventing fraud and errors.
- Defense in depth: Multiple independent layers of security so no single point of failure compromises the entire system.
- Fail-safe defaults: Systems should default to denying access when in doubt. A misconfigured firewall should block all traffic by default, not permit it.
- Open design: Security mechanisms should not rely on the secrecy of their design (so-called security through obscurity). Algorithms such as AES and RSA are publicly known yet secure because their strength lies in the secrecy of the key, not of the algorithm.
- Complete mediation: Every access request to every object must be validated against an access control policy, every time—not just at initial login. This prevents cached-credential attacks and session hijacking.
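The least privilege, fail-safe defaults and complete mediation principles above, illustrated together in an added example that is not part of the original article. It assumes a hypothetical in-memory policy store of explicit grants: anything not granted is denied, the policy is consulted on every request rather than cached at login, and the contrast class shows why a login-time snapshot keeps honouring a revoked permission.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Explicit grants only; a grant is a (subject, action, resource) triple."""
    grants: set = field(default_factory=set)

    def allow(self, subject: str, action: str, resource: str) -> None:
        self.grants.add((subject, action, resource))

    def revoke(self, subject: str, action: str, resource: str) -> None:
        self.grants.discard((subject, action, resource))

    def permits(self, subject: str, action: str, resource: str) -> bool:
        # Fail-safe default: no matching grant means deny, never allow.
        return (subject, action, resource) in self.grants


class Mediator:
    """Complete mediation: the live policy is consulted on every single request."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy

    def request(self, subject: str, action: str, resource: str) -> bool:
        return self.policy.permits(subject, action, resource)


class LoginTimeCache:
    """Anti-pattern for contrast: permissions snapshotted once when the session starts."""

    def __init__(self, policy: Policy, subject: str) -> None:
        self.snapshot = {g for g in policy.grants if g[0] == subject}

    def request(self, subject: str, action: str, resource: str) -> bool:
        return (subject, action, resource) in self.snapshot


def demo() -> dict:
    """Constructed scenario: alice is granted read-only access to one resource."""
    policy = Policy()
    policy.allow("alice", "read", "payroll.db")   # least privilege: read, nothing more
    mediated = Mediator(policy)
    cached = LoginTimeCache(policy, "alice")      # snapshot taken at "login"
    before = {
        "read": mediated.request("alice", "read", "payroll.db"),      # granted
        "write": mediated.request("alice", "write", "payroll.db"),    # never granted: denied
        "other_user": mediated.request("bob", "read", "payroll.db"),  # no grant at all: denied
    }
    policy.revoke("alice", "read", "payroll.db")  # e.g. alice moves to another team
    after = {
        "mediated": mediated.request("alice", "read", "payroll.db"),  # denied immediately
        "cached": cached.request("alice", "read", "payroll.db"),      # stale: still allowed
    }
    return {"before": before, "after": after}
```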
Security vs. Usability: The Fundamental Trade-Off
Increasing security controls reduces system usability. A system with no passwords is maximally usable but has zero confidentiality. A system requiring 20-character passwords, biometric MFA, and session timeouts every 5 minutes is maximally secure but practically unusable.
Security policy defines the acceptable point on this trade-off curve based on the value of assets protected, the threat environment, regulatory requirements (GDPR, HIPAA, PCI-DSS), and operational constraints.
Comparison of Attack Categories

| Attack Category | Primary Target | CIA Impact | Primary Defense | Detection Difficulty |
|---|---|---|---|---|
| Malware | Host systems | All 3 | Antivirus, EDR | Medium |
| Social engineering | Users | Confidentiality | Security awareness training | High |
| Network attacks | Network infrastructure | Confidentiality, Integrity | Firewall, IPS, TLS | Medium |
| Insider threats | Data, systems | All 3 | Least privilege, UBA | Very high |
| Physical threats | Hardware | Availability, Integrity | Physical access controls | Low |
Key Takeaways
- The CIA triad defines 3 required properties of secure systems: Confidentiality, Integrity, and Availability.
- A threat exploits a vulnerability. Risk is the product of threat probability, vulnerability severity, and asset impact.
- The average cost of a data breach was $4.45 million in 2023 (IBM).
- Defense in depth deploys 7 independent security layers so no single failure compromises the entire system.
- The 6 foundational security principles are: least privilege, separation of duties, defense in depth, fail-safe defaults, open design, and complete mediation.
- Every security control introduces a usability trade-off that must be calibrated against asset value and threat environment.
Frequently Asked Questions
What are the 3 parts of the CIA triad in computer security?
The 3 parts are Confidentiality (restricting data access), Integrity (preventing unauthorized modification), and Availability (ensuring authorized users can access systems when needed).
What is the difference between a threat and a vulnerability?
A threat is a potential event or actor that could cause harm. A vulnerability is a weakness a threat can exploit. Risk is the probability that a threat exploits a vulnerability multiplied by the resulting impact.
What is the principle of least privilege?
Least privilege means every user and process operates with the minimum permissions required for its function. Limiting permissions reduces damage if an account or process is compromised.
What does defense in depth mean?
Defense in depth is a layered security model where multiple independent controls protect assets. Failure of one layer does not compromise the full system because other layers remain active.
How much does a data breach cost on average?
The average cost of a data breach was $4.45 million in 2023, per IBM’s Cost of a Data Breach Report. Healthcare breaches averaged $10.93 million—the highest of any industry.
Last Thoughts on Computer Security Basics
Computer security reduces risk to information systems by applying the CIA triad as a measurement framework, using threat-vulnerability-risk analysis to prioritize controls, and deploying layered defenses governed by 6 foundational principles. No system is fully secure—every security architecture balances protection against operational cost and usability, calibrated to the value of the assets being defended.