Integrity, Availability, and Information Security

In an earlier post, I discussed confidentiality in the context of information security. In this post, I would like to elaborate on the remaining two components of the C-I-A security triad -- namely, integrity and availability. In order to understand the difference between confidentiality and integrity, remember that confidentiality is concerned with access to information assets, whereas integrity is concerned with preventing unauthorized modification of assets. Integrity, of course, is more difficult to measure than confidentiality because it is context dependent; that is, integrity has different meanings in different situations. Further, integrity of information assets is not a simple binary, true/false proposition. Instead, there are degrees of data integrity. For these reasons it is necessary for each organization to establish its own criteria by which to measure and evaluate the integrity of its information assets.

Broadly speaking, availability refers to the capacity of an information system to make information assets readily accessible to authorized parties in a timely and reliable manner. As with integrity, availability is also context dependent, and is thus a very complex issue. Put another way, availability means different things to different people. A CEO, for example, might measure availability by whether she can access her corporate dashboard while traveling. To a data analyst, by contrast, availability might be measured by whether she can carry out her statistical analyses in a timely manner without having to wait for the system to execute her requests. As a general set of guidelines, then, we might consider information assets to be available when organizational information systems (1) respond in a timely manner to user requests, (2) allocate resources among users fairly and equitably, (3) incorporate hardware and software that are fault-tolerant, and (4) employ a solid concurrency control strategy in order to accommodate situations in which multiple users are attempting to use the same information assets at the same time.