Security Principles


🛡️ Understanding Security: CIA, DAD, and Security Models
🔐 Introduction to Security
Everyone talks about security—but what does it actually mean?
Before applying security measures, we must know who we're protecting against. Are we trying to stop a toddler from accessing our laptop? Or a hacker trying to steal millions of dollars worth of data?
🔑 Security is not one-size-fits-all. We choose protections based on the level of threat.
And remember: No system is 100% secure. But our goal is to make it harder for attackers to succeed.
🔺 CIA Triad – The Foundation of Security
Security is built on three core principles, known as the CIA Triad:
🔒 1. Confidentiality
Only authorized people should access sensitive data.
Example (Shopping): Your credit card info must be visible only to the payment system.
Example (Medical): Doctors must keep your medical records private.
🧩 2. Integrity
The data should stay correct and unchanged unless by authorized people.
Example (Shopping): An attacker shouldn’t be able to change your shipping address.
Example (Medical): Changing a patient’s record could lead to dangerous treatment.
⚙️ 3. Availability
The system and data must be available when needed.
Example (Shopping): You can't order if the website is down.
Example (Medical): Doctors must be able to access patient records during checkups.
💡 Balance is key: Too much focus on one can weaken the others.
❌ DAD Triad – The Attacker’s Goals
The DAD Triad shows what attackers try to do:
🔓 1. Disclosure (opposite of Confidentiality)
Stealing or leaking private data.
Example: Publishing stolen medical records online.
✏️ 2. Alteration (opposite of Integrity)
Changing data without permission.
Example: Modifying patient treatment info.
🛑 3. Destruction/Denial (opposite of Availability)
Making systems unavailable.
Example: Ransomware crashes hospital systems, halting treatment.
🛡️ Defending against DAD = Preserving CIA.
🧠 Security Models: How to Build Secure Systems
Security models give us rules and blueprints for building secure systems. Here are three key models:
🔐 Bell-LaPadula Model (Focus: Confidentiality)
No Read Up: Lower-level users can't read top-secret data.
No Write Down: High-level users can't leak data to lower levels.
📌 Summary: Read Down, Write Up
🛡️ Biba Model (Focus: Integrity)
No Read Down: High-trust systems can't read low-trust data.
No Write Up: Low-trust users can't write to important files.
📌 Summary: Read Up, Write Down
✅ Clark-Wilson Model (Focus: Integrity via Rules)
CDI (Constrained Data Item): Critical data to protect.
UDI (Unconstrained Data Item): Input from outside.
TPs (Transformation Procedures): Safe ways to change data.
IVPs (Integrity Verification Procedures): Ensure data is still valid.
🧱 Other Models: Brewer-Nash, Graham-Denning, Harrison-Ruzzo-Ullman, etc.
🏰 Defence-in-Depth – Layered Security
Defence-in-Depth means protecting your system using multiple layers, like this:
Locked drawer
Locked room
Locked apartment
Locked building gate
Security cameras
Each layer slows down or blocks the attacker. Even if one layer fails, others stand in the way.
🎯 Goal: Delay attackers and give yourself more time to stop them.
🔏 Beyond CIA: Authenticity & Nonrepudiation
✅ Authenticity
Ensures the data is real and from a trusted source.
🚫 Nonrepudiation
Prevents someone from denying they did something (like placing an order).
- Example: A company can't afford to send 1000 cars and then find out the order was fake!
🔷 The Parkerian Hexad – Six Elements of Security
Confidentiality
Integrity
Availability
Authenticity
Utility – Is the data still useful?
- Example: Lost encryption key = Useless data.
Possession – Do you still control the data?
- Example: Hacker steals your backup drive.
📌 Final Thoughts
Security is not about just locking one door—it’s about multiple layers, smart rules, and balanced protection.
🧠 Think like an attacker to build stronger defence.
Let me know if you want:
Matching images or infographics
SEO titles and meta descriptions
A short intro or conclusion for your blog
Quiz questions or a PDF summary
Subscribe to my newsletter
Read articles from Sylvester (ANBU) directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by

Sylvester (ANBU)
Sylvester (ANBU)
This blog serves as a beginner-friendly guide to understanding the world of cybersecurity. From defining what cybersecurity is to exploring its two major domains—offensive and defensive security—it breaks down various career paths such as Security Analyst, Engineer, Penetration Tester, and more. Whether you're just curious or planning a career, this blog gives you the insight and direction to get started in the cybersecurity field.