1 Security Concepts of Information Assurance
Organizations are socio-technical systems where people, processes, and technology interact to create value across both physical and digital infrastructures. Cybersecurity’s purpose is to preserve the normal operation of these systems by understanding organizational context, identifying relevant risks and threats, and applying appropriate protections to assets—everything of value, from facilities and hardware to software, data, reputation, contracts, and people. Because information systems and information itself may be digital or non-digital, security must span all forms. The chapter frames this mission through the lens of the CIA triad—confidentiality, integrity, and availability—which underpins information assurance and sets the ultimate objectives for safeguarding assets.
Core concepts include vulnerabilities (weaknesses), threats (potential sources of harm), and attacks (intentional exploitation), along with the actors behind them, ranging from insiders and hobbyists to criminal groups and nation-state–backed teams. Threats can be non-malicious (e.g., failure, error, natural events) or malicious (intentional harm). Security controls mitigate these risks through physical measures (e.g., access control and surveillance), technical measures (e.g., firewalls, encryption, anti-malware), and administrative measures (e.g., policies, procedures, training). Controls often overlap and must be layered to uphold CIA. The DAD triad—disclosure, alteration, denial—mirrors CIA by categorizing threat impacts and guiding control selection.
Because not all data has the same sensitivity or impact if exposed or altered, classification helps prioritize protection. Common levels range from public and internal to confidential and highly confidential/restricted, each with handling and access requirements. The chapter distinguishes sensitive from confidential information, then details personally identifiable information (PII)—including non-public personal information versus public personal information—and protected health information (PHI), which carries heightened privacy concerns and regulatory obligations. Collectively, these principles, definitions, and classifications provide a foundation for designing effective, risk-based controls and for advancing into deeper cybersecurity practices.
Illustration of the interdependence of the key information security principles of confidentiality, integrity, and availability along with the corresponding threats of disclosure, alteration, and denial.
Answers to Review Questions
- The correct answer is D. Software is not a tangible asset. Unlike hardware, buildings, and machines, which have a physical form and can be touched, software is intangible. It consists of code and data that exist digitally rather than physically.
- The correct answer is C. Availability is the component of the CIA triad that focuses on ensuring that information is accessible when it is needed. Confidentiality and integrity are also part of the CIA triad, but they serve different purposes. Authentication is not part of the CIA triad.
- The correct answer is A. Any factor that has the potential to disrupt an asset by exploiting a vulnerability is known as a threat. Threats can take many forms, including malicious actors such as hackers, computer viruses, or natural disasters such as hurricanes or earthquakes. The remaining options are not threats: the first two incorrect options describe vulnerabilities (weaknesses), and the last incorrect option describes the need for protective measures on an asset to counter potential threats, i.e., a control.
- The correct answer is C. A threat actor is an individual or entity responsible for launching cyberattacks. The remaining options are incorrect because a software vulnerability is a weakness rather than an actor, a phishing email is a threat vector, and a denial-of-service attack is an example of an attack method.
- The correct answer is C. PII (Personally Identifiable Information) includes personal information such as names and addresses, while PHI (Protected Health Information) is a subset that focuses on health information, including medical records and treatment details. PII and PHI must be protected, but PHI has additional regulatory requirements.