Maybe we should rename CIA. I don’t mean the government agency by that name. I’m risking heresy by saying that the tired old acronym CIA for Confidentiality, Integrity, and Availability isn’t sacred text. We talk about CIA in Learning Tree’s System and Network Security Introduction course. Let’s take a critical look at it here.
I’ve read that the CIA acronym for information security was a hasty last-minute addition to a presentation that threatened to be dull otherwise. Adding “Triad” makes it sound even more important. Kissingerian, even, as if it were part of a strategic arms treaty.
“CIA Triad” has become a shibboleth, a special saying that signals your membership in an exclusive community. If you wear an adequately conservative suit and conservative haircut, and you say “CIA Triad” in the appropriately grim way, why, you must be on the side of Law and Order and any problem is due to those pesky users.
One huge problem with cyber security is the trend of blaming users for being in unwinnable situations. Many systems frustrate users with horrible interfaces and unsatisfiable requirements.
The policy requires long and complex passwords everywhere. “You must use at least two special characters”, the system says. “Oh, except not that special character!” Other systems have different fussy rules about which special characters are allowed. Some systems complain about where they appear within the password. “Use one, but don’t start with one!”
Having finally satisfied one system’s requirements, it’s on to the next. Every online identity must have a unique password.
Why? Because so many sites inappropriately store passwords as plaintext. We users don’t know which sites, or when they will be hacked, so we must limit risk exposure through unique passwords.
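To make the “why” concrete, here is an added example (my own illustration, not code from the original post) of what a breach looks like when a site stores passwords as plaintext versus as salted, memory-hard hashes, and why reusing one password lets a plaintext breach at one site turn into a login at another. The site names, the user, and the passwords are constructed for the demonstration; the hashing uses the standard library’s `hashlib.scrypt` and a constant-time comparison.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: 128 * r * n bytes of memory, i.e. 16 MiB here,
# which fits within hashlib.scrypt's default maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32


def store_plaintext(db: dict, user: str, password: str) -> None:
    """The mistake the post refers to: the credential table IS the password."""
    db[user] = password


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def store_hashed(db: dict, user: str, password: str) -> None:
    """Store a per-user random salt plus a memory-hard hash, never the password."""
    salt = os.urandom(16)
    db[user] = (salt, _derive(password, salt))


def verify_hashed(db: dict, user: str, password: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    record = db.get(user)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_derive(password, salt), digest)


def credentials_leaked_by_breach(db: dict) -> dict:
    """Simulate an attacker dumping the table.

    Plaintext records are immediately reusable elsewhere. Hashed records
    yield only salt+digest, which is not a password and cannot be
    replayed against another site.
    """
    return {user: rec for user, rec in db.items() if isinstance(rec, str)}


def credential_stuffing(leaked: dict, target_db: dict) -> list:
    """Try every leaked plaintext credential against a second site."""
    return [user for user, pw in leaked.items() if verify_hashed(target_db, user, pw)]


def demo() -> dict:
    # Constructed scenario: one user, one reused password, two sites.
    site_a, site_b, site_c = {}, {}, {}          # hypothetical sites
    reused = "Tr0ub4dor&3"
    store_plaintext(site_a, "alice", reused)     # site A stores plaintext
    store_hashed(site_b, "alice", reused)        # site B hashes, but alice reused
    store_hashed(site_c, "alice", "correct horse battery staple")  # unique at C

    leaked_from_a = credentials_leaked_by_breach(site_a)
    leaked_from_b = credentials_leaked_by_breach(site_b)
    return {
        "leaked_from_a": leaked_from_a,                          # alice's password
        "leaked_from_b": leaked_from_b,                          # nothing usable
        "stuffing_hits_on_b": credential_stuffing(leaked_from_a, site_b),  # ['alice']
        "stuffing_hits_on_c": credential_stuffing(leaked_from_a, site_c),  # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The user cannot tell site A from site B from the outside, which is the whole point: a unique password at site C is the only thing that keeps the site A breach from becoming a site C login.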
And, of course, every password must be changed frequently. Oh, and you only get three chances to type it. If you forget or mistype, you will be locked out.
There is no way that users can deal with this.
Maybe the users discover KeePassX. But they are immediately told, “That is free and open-source software, and so you must not use it!”
So, the users start writing down all those complex passwords. Then a physical inspection finds the notes and puts a stop to that.
Now the cyber security system has carried out a complete denial-of-service attack against the users.
Project managers complain that their programmers can’t work because they’re always locked out. The cyber security staff put on their most serious faces to talk about the CIA Triad being the crucial protection against the Russian mob and the Chinese military. If those users quit complaining and applied their fear of nation-state attacks to their memorization work, we might have a chance.
There has to be a better way!
For many people, e-mail is little more than a mechanism for forwarding attachments and web page links. No one wants to type the actual content into the message body. That’s a lot of work! Besides, Microsoft Office can make really pretty documents. Beautiful fonts, colors, background patterns, clip art, etc.
Users have been trained to always open the attachments and click on the links because that’s where the information resides.
And when they click on hostile content and links? “Those sloppy users shouldn’t do that!”
We must do the opposite of blaming them. Help the users.
Some of this requires better user interfaces. I’m seeing a lot of discussion of UI/UX, the User Interface, and the User Experience. Let’s call them buzzacronyms as they aren’t words. System design must support cyber security through improved UI/UX.
Then we have to help the users in a way that they recognize as help. Quit creating policies that punish users for being humans.
Describe things in non-threatening ways. “We want to help you to protect your data” instead of “You have to be careful or else our system will be attacked.”
Get them involved. They have a stake. Involvement requires understanding.
The term “CIA Triad” sounds unnecessarily exclusive. The effort to associate it with elite levels of government has succeeded. Users get the message that it’s nothing for them. In fact, maybe it’s inappropriate for them to know anything about it. Maybe they should try to ignore it.
I think that CIA should be replaced by PAR, standing for Privacy, Accuracy, and Reliability. That would help users understand it. They would realize that cyber security directly helps them. And, they would better understand what to do and why.