CIA and Non-Repudiation
Key Takeaways
- Confidentiality protects against unauthorized disclosure.
- Integrity protects against unauthorized or unexpected modification.
- Availability keeps systems, services, and data usable when needed.
- Non-repudiation depends on identity, integrity, logging, time, and evidence preservation.
- Security+ scenarios often ask which part of CIA is primarily affected, even when several are involved.
CIA as a Decision Tool
The CIA triad is not just vocabulary. It is a fast way to classify what went wrong, what risk is highest, and what control is most relevant.
| Principle | Protects against | Common controls | Scenario clue |
|---|---|---|---|
| Confidentiality | Unauthorized disclosure | Encryption, access control, data masking, classification | "Exposed", "read by unauthorized user", "leaked" |
| Integrity | Unauthorized or unexpected change | Hashing, digital signatures, file integrity monitoring, input validation | "Modified", "tampered", "unexpected hash", "altered records" |
| Availability | Loss of access or service | Redundancy, failover, backups, capacity planning, DDoS protection | "Unavailable", "outage", "latency", "ransomware lockout" |
| Non-repudiation | Credible denial of an action | Digital signatures, audit logs, time stamps, strong identity proof | "Cannot deny", "prove who approved", "signed transaction" |
Scenario Classification
| Scenario | Primary principle | Why |
|---|---|---|
| A contractor downloads customer records from a folder they should not access | Confidentiality | Data was disclosed to an unauthorized user |
| A payment file hash does not match the known-good value | Integrity | The evidence suggests unauthorized or accidental modification |
| A DDoS attack prevents customers from reaching a portal | Availability | The service cannot be used when needed |
| A manager disputes approving a high-risk firewall exception | Non-repudiation | The business needs reliable proof of who approved the action |
Non-Repudiation Requires More Than a Log
An audit log can support non-repudiation, but only if the identity and log integrity are trustworthy. A shared admin account with editable local logs is weak evidence. A named account with MFA, centralized append-only logging, time synchronization, and change ticket approval is stronger evidence.
| Weak evidence | Stronger evidence |
|---|---|
| Shared administrator account | Named privileged account |
| Local log file on the same server | Centralized tamper-resistant logging |
| No time synchronization | NTP-backed time stamps |
| Verbal approval | Signed or ticketed approval with approver identity |
| Plain message content | Digital signature tied to a private key |
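The "stronger evidence" column can be checked mechanically. The Go program below is an added example (not code from the original page or any vendor's product): a centralized, append-only audit log in which each record is hash-chained to the record before it (so in-place edits break the chain) and signed with the acting user's own Ed25519 private key (so the record is attributable to a named account). The record layout, the actor name `j.manager`, the ticket reference `FW-EX-001`, and the timestamp are all constructed for this example, and the clock is assumed to be NTP-synchronized.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Entry is one audit record. PrevHash chains it to the previous record
// (integrity); Signature is made with the actor's own private key
// (non-repudiation). The layout is an assumption for this example.
type Entry struct {
	Seq       int
	Actor     string // named account, never a shared one
	Action    string
	Timestamp string // RFC3339 UTC, assumed to come from an NTP-synced clock
	PrevHash  string
	Signature []byte
}

// payload is the exact byte string the actor signs.
func (e Entry) payload() []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s|%s", e.Seq, e.Actor, e.Action, e.Timestamp, e.PrevHash))
}

// hash covers payload and signature so the next entry commits to both.
func (e Entry) hash() string {
	sum := sha256.Sum256(append(e.payload(), e.Signature...))
	return hex.EncodeToString(sum[:])
}

// AuditLog is the central log; it knows actors only by registered public key.
type AuditLog struct {
	entries []Entry
	keys    map[string]ed25519.PublicKey
}

func NewAuditLog() *AuditLog { return &AuditLog{keys: map[string]ed25519.PublicKey{}} }

func (l *AuditLog) Register(actor string, pub ed25519.PublicKey) { l.keys[actor] = pub }

// Append is the only write path: the actor signs, the log chains.
func (l *AuditLog) Append(actor, action string, priv ed25519.PrivateKey, ts time.Time) {
	prev := "genesis"
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].hash()
	}
	e := Entry{Seq: len(l.entries), Actor: actor, Action: action,
		Timestamp: ts.UTC().Format(time.RFC3339), PrevHash: prev}
	e.Signature = ed25519.Sign(priv, e.payload())
	l.entries = append(l.entries, e)
}

// Verify walks the chain and reports the first record whose link or
// signature does not hold; nil means every record is intact and attributable.
func (l *AuditLog) Verify() error {
	prev := "genesis"
	for i, e := range l.entries {
		if e.Seq != i || e.PrevHash != prev {
			return fmt.Errorf("entry %d: hash chain broken", i)
		}
		pub, ok := l.keys[e.Actor]
		if !ok {
			return fmt.Errorf("entry %d: no registered key for %q", i, e.Actor)
		}
		if !ed25519.Verify(pub, e.payload(), e.Signature) {
			return fmt.Errorf("entry %d: signature does not verify under %q's key", i, e.Actor)
		}
		prev = e.hash()
	}
	return nil
}

// RunScenarios covers three cases: an untouched log (verifies), a record
// edited in place afterwards (integrity failure), and a record appended in the
// manager's name with someone else's key (attribution failure).
func RunScenarios() (clean, tampered, forged error) {
	managerPub, managerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	at := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC) // constructed timestamp

	al := NewAuditLog()
	al.Register("j.manager", managerPub)
	al.Append("j.manager", "approve firewall exception FW-EX-001", managerPriv, at) // constructed
	clean = al.Verify()

	al.entries[0].Action = "reject firewall exception FW-EX-001" // stored record edited
	tampered = al.Verify()

	fl := NewAuditLog()
	fl.Register("j.manager", managerPub)
	fl.Append("j.manager", "approve firewall exception FW-EX-001", otherPriv, at) // wrong key
	forged = fl.Verify()
	return
}

func main() {
	clean, tampered, forged := RunScenarios()
	fmt.Println("clean:", clean, "| tampered:", tampered, "| forged:", forged)
}
```

Note what the signature does and does not prove: it proves that the holder of a particular private key signed that exact payload. That supports non-repudiation only when the key is bound to one named person (the first row of the table above); if the key lives with a shared administrator account, the verification still passes but it cannot say which person acted. Likewise the timestamp inside the signed payload is only as credible as the clock that produced it, which is why time synchronization appears in the table.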
Exam Trap: More Than One CIA Impact
Ransomware can affect confidentiality if data is stolen, integrity if files are modified, and availability if files are encrypted and unusable. Read the question stem. If it says "users cannot access files," availability is probably primary. If it says "sensitive files appeared on a public site," confidentiality is primary.
Fast Rule
Ask this in order:
| Question | If yes, think |
|---|---|
| Did someone see data they should not see? | Confidentiality |
| Did data or code change without authorization? | Integrity |
| Can users or systems use the service when needed? | Availability |
| Does the organization need proof that a party performed an action? | Non-repudiation |
Practice Questions
A database table is changed so account balances are incorrect, but no data was exposed and the application remains online. Which security principle is primarily affected?
Which set of controls best supports non-repudiation for an executive approval workflow?
Match each scenario to the primary security principle.