What is the CIA triad in cybersecurity?

The CIA triad is the three core goals of information security: Confidentiality (only authorized people can access data), Integrity (data is accurate and untampered), and Availability (systems are accessible when needed). Nearly every security control exists to support one or more of these properties. Good security balances the three for a given context rather than maximizing all of them blindly.

What is the difference between a vulnerability, a threat, and a risk?

A vulnerability is a weakness that could be exploited, such as an unpatched system. A threat is anything with the potential to exploit that weakness, like a ransomware group or a natural disaster. Risk is the combination of the two: the likelihood of a threat exploiting a vulnerability multiplied by the resulting impact.

Why is OT/ICS security prioritized differently from IT security?

In IT the CIA triad is usually ordered Confidentiality, Integrity, Availability because protecting data matters most. In OT and ICS environments the order often flips to Availability, Integrity, Confidentiality, because keeping a physical process running safely is more critical than keeping a sensor value secret. OT systems also involve legacy hardware, safety risks, and real-time requirements that change which security tools are appropriate.

What does defense-in-depth mean?

Defense-in-depth is the practice of layering multiple independent security controls so that if one fails, others still protect the system. Typical layers span the network perimeter, internal segmentation, endpoints, applications and data, identity, and people and process. The goal is that no single point of failure can compromise the whole environment.

Which cybersecurity framework should I start with?

There is no single right answer, but many teams begin with the CIS Controls because they provide a prioritized, concrete list of safeguards. The NIST Cybersecurity Framework is excellent for structuring an overall risk-based program, while ISO/IEC 27001 is the choice when formal, auditable certification is required. The frameworks are complementary and are often used together.

Engineering·10 min read·June 17, 2026

🛡️ Cybersecurity Fundamentals: The CIA Triad, Threats, and Defense-in-Depth

A practical, vendor-neutral introduction to cybersecurity for engineers and IT/OT professionals: the CIA triad, the modern threat landscape, core risk concepts, layered defense, IT vs OT security, control categories, and the major frameworks.

Why Cybersecurity Matters to Engineers

Cybersecurity is no longer just an IT department concern. As control systems, building automation, and field devices connect to networks, the people who design and operate physical infrastructure increasingly need to think like defenders. A compromised PLC, building management system, or maintenance laptop can have consequences that go far beyond data loss, affecting safety, uptime, and physical equipment.

This article establishes the vocabulary and mental models that the rest of cybersecurity rests on. Master these and the more specialized topics, from network segmentation to incident response, become far easier to follow.

The CIA Triad: The Foundation

Almost every security decision can be traced back to three properties known as the CIA triad. They define what we are actually trying to protect.

Confidentiality ensures information is accessible only to those authorized to see it. It is enforced through encryption, access control, and authentication. A data breach that exposes customer records is a confidentiality failure.
Integrity ensures data and systems are accurate and have not been tampered with, whether maliciously or accidentally. Hashing, digital signatures, and change control protect integrity. An attacker altering a financial record, or a corrupted firmware update, is an integrity failure.
Availability ensures systems and data are accessible when legitimate users need them. Redundancy, backups, and resilience against denial-of-service attacks protect availability. A ransomware outage that halts production is an availability failure.

These three goals constantly trade off against one another. Strong encryption (confidentiality) can slow a system (availability); aggressive availability through wide-open access can undermine confidentiality. Good security is about balancing the triad for a given context, not maximizing all three blindly.

The Modern Threat Landscape

Threats evolve quickly, but most attacks fall into recognizable categories:

Malware is malicious software, including viruses, worms, trojans, and spyware, designed to disrupt, damage, or gain unauthorized access to systems.
Ransomware is malware that encrypts data and demands payment for its release. Modern variants also exfiltrate data first, threatening to publish it, a tactic called double extortion. It is one of the most damaging threats to operational continuity.
Phishing and social engineering manipulate people rather than machines, tricking users into revealing credentials, clicking malicious links, or transferring funds. Humans remain the most exploited attack vector.
Insider threats come from employees or contractors, whether malicious (deliberate theft or sabotage) or negligent (misconfiguration, lost devices). They are dangerous because insiders already hold legitimate access.
Supply-chain attacks compromise a trusted vendor, library, or update mechanism to reach many downstream targets at once. Trusted software updates and third-party components are increasingly targeted.
Distributed denial-of-service (DDoS) attacks flood a system or network with traffic to exhaust resources and deny availability to legitimate users.

Core Concepts: Vulnerability, Threat, and Risk

These three terms are often used loosely but mean distinct things, and confusing them leads to poor decisions.

A vulnerability is a weakness that could be exploited, for example an unpatched server or a weak password policy.
A threat is anything with the potential to exploit a vulnerability, such as a ransomware group, a careless employee, or even a flood.
Risk is the combination of the two: the likelihood that a threat exploits a vulnerability, multiplied by the impact if it does. A vulnerability with no credible threat, or no meaningful impact, is low risk. Security work is fundamentally about managing risk, not eliminating every vulnerability.

Two more terms round out the picture. The attack surface is the total set of points where an attacker could try to enter or extract data, every open port, API, user account, and physical access point. Reducing the attack surface is one of the highest-leverage defensive moves. Threat actors are the people or groups behind attacks, ranging from opportunistic criminals and hacktivists to organized crime and nation-state groups, each with different motivations, resources, and patience.

Defense-in-Depth: Layered Security

No single control is perfect, so resilient systems use defense-in-depth: multiple independent layers so that if one fails, others still stand. The principle is borrowed from military fortification and physical security.

A typical layered model includes:

Perimeter controls such as firewalls and intrusion prevention systems.
Network controls such as segmentation, VLANs, and monitoring that limit how far an intruder can move laterally.
Endpoint controls such as anti-malware, hardening, and patch management on individual devices.
Application and data controls such as secure coding, input validation, and encryption at rest and in transit.
Identity controls such as multi-factor authentication and least-privilege access.
People and process controls such as security awareness training and incident response plans.

Closely related is zero trust, the modern principle of never trusting a connection by default, verifying every request regardless of where it originates, even inside the network perimeter.

IT Security vs OT/ICS Security

One of the most important distinctions for engineers is between traditional IT security and operational technology (OT) or industrial control system (ICS) security. OT covers the systems that monitor and control physical processes: PLCs, SCADA, DCS, and the like.

In IT, the CIA triad is usually prioritized as Confidentiality, Integrity, then Availability, because protecting data is the primary goal. In OT, the priority order often flips to Availability, Integrity, then Confidentiality. A power plant or water treatment facility cannot simply shut down because of a suspicious event; keeping the process running safely matters more than keeping a sensor reading secret.

Other key differences include:

OT systems often run for decades on legacy hardware and software that cannot be patched easily or rebooted on demand.
Safety and physical consequences are paramount; a security action that crashes a controller could be dangerous.
Real-time and deterministic behavior is required, so heavyweight IT tools may be unsuitable.
OT historically relied on isolation (air-gapping), which is eroding as IT and OT networks converge.

Frameworks such as IEC 62443 exist specifically to address OT/ICS environments, complementing the more general IT frameworks below.

Categories of Security Controls

Controls are the safeguards we put in place. They are classified along two useful axes.

By function:

Preventive controls stop incidents before they happen, for example firewalls, access control, and encryption.
Detective controls identify incidents in progress or after the fact, for example logging, intrusion detection, and monitoring.
Corrective controls limit damage and restore normal operation, for example backups, patching, and incident response.

By type:

Administrative controls are policies, procedures, and training, the human and organizational layer.
Technical controls are implemented in hardware and software, such as firewalls, encryption, and authentication systems.
Physical controls protect the tangible environment, such as locks, fences, badge access, and surveillance.

Effective security programs combine controls across both axes rather than relying on one category.

An Introduction to Security Frameworks

Rather than inventing controls from scratch, organizations adopt established frameworks. The three most common are:

Framework	Origin	Best for
NIST Cybersecurity Framework (CSF)	US NIST	A flexible, risk-based structure organized around the functions Govern, Identify, Protect, Detect, Respond, and Recover.
ISO/IEC 27001	International standard	A certifiable information security management system (ISMS) with formal audit and continual improvement.
CIS Controls	Center for Internet Security	A prioritized, prescriptive list of practical safeguards, ideal for teams that want concrete actions to start with.

These are complementary, not competing. Many organizations use the CIS Controls as a tactical starting point, the NIST CSF to structure their overall program, and ISO 27001 when they need formal certification. Other articles in this knowledgebase cover each of these frameworks in depth.

Key Takeaways

The CIA triad (Confidentiality, Integrity, Availability) defines what security protects, and its priorities shift between IT and OT.
Understand the difference between vulnerability, threat, and risk; security is about managing risk, not chasing every weakness.
Use defense-in-depth: no single layer is enough.
OT/ICS environments need a different approach because availability and safety often come first.
Frameworks such as NIST CSF, ISO 27001, and CIS Controls give you a proven structure rather than starting from zero.

Topics covered

CIA triadcybersecurity fundamentalsdefense in depthOT ICS securitythreat vs vulnerability vs riskNIST Cybersecurity Frameworksecurity controlsattack surface

🛠️ Related Free Tools

Put this knowledge to work on your iPhone

Browse our full catalog of professional iOS apps — from electrical code tools to AI builders.

Browse All 95+ Apps