Everybody who ever did a formal information security training or searched for information security on Wikipedia is familiar with the information security triangle. The theory of this triangle is that information security is about protecting information against threats to its Confidentiality, Integrity or Availability (often abbreviated with CIA).
Early information security
One of the earliest and most famous examples for applied information security is the Ceasar cipher. Suetonius has recorded the use of this cipher as follows: “…he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, for A, and so with the others.” This and almost every other application of encryption primarily protects the confidentiality of information. Or, to put it in laymen’s terms, to keep information secret. Having and keeping secrets is the most intuitive aspect of information security and the CIA triangle. The rise of telegraphy and radio communication served to increase the popularity of cryptography, since people wanted to protect messages from eavesdropping by either the operator or an adversary. Well know historical examples are the German Enigma machine, which was broken by the ‘code breaks’ of Bletchly Park and the use of Navajo Indians by the American army during the war with Japan..
The upcoming internet changed a lot of things, however initially it did not change much for the focus of information security. Confidentiality was still the main point in the CIA trangle.
The age of availability
As the dependency on information technology increased, e.g. because of online services that was also available outside office hours, the focus shifted to ‘Availability’. Now, if information systems were unavailable it could directly be translated to lost productivity or turnover.
The emphasis on Availability was also visible in the advertising of service providers in those days. They were bidding with each other in a war over who could offer the SLA with the most “nines” or even 100% availability
The importance of Integrity
As more and more business processes got automated and moved to the Internet, crime moved too.
Digital crime, like fraud and theft, mostly, tries to influence the integrity of data. Before banking went digital, banks kept physical money in a vault in the building. These days banks are mainly databases and applications that keep record of who owns who what amount of money. If you would want to rob a modern bank, you would now have to penetrate a vault, but gain access to the database to manipulate the data to manipulate the amount of money in an account. This is an attack against the Integrity of data. Thus, protecting the Integrity of data became more important to prevent losses.
Privacy
Present day we see a renewed interest for Confidentiality. There is a clear distinction between the pre-Snowden and post-Snowden age. Mostly by his revelations, it became apparent that, in this case, the US government, was listening in on person to person communication on the Internet on a massive scale. Politics has, long ago, recognized the importance of the right to privacy. It is, after all, the 12th right recorded in the Universal Declaration of Human Rights. Snowden’s revelations increased public awareness and worry with regards to privacy.
In practise, we see that this public worry has led to increased attention for privacy. The public wants companies and governments to ensure that data about them is kept Confidential. Cryptography is used more and more, e.g. in WhatsApp and while surfing the Internet. Governments have responded with new legislation like the Dutch ‘Meldplicht datalekken’ and the new EU Data Protection regulation which has to be incorporated in the National laws of all member states by May 2018. Confidentiality is a topic again.
Conclusion
Information Security has gone full circle: Confidentiality is a new focus. While we went through the cycle we did learn a few things. Availability and Integrity will continue to have focus as well. The focus of information security follows the focus of the business. This is a good thing, because “Business runs the business, not security.”