CIA and Non-Repudiation

Key Takeaways

  • Confidentiality protects against unauthorized disclosure; encryption, access control, classification, and masking enforce it.
  • Integrity protects against unauthorized or unexpected modification; hashing, digital signatures, and file integrity monitoring detect it.
  • Availability keeps systems, services, and data usable when needed; redundancy, failover, and backups preserve it.
  • Non-repudiation depends on trustworthy identity, record integrity, synchronized time, and preserved evidence — a log alone is not enough.
  • SY0-701 scenarios ask which part of the CIA triad is PRIMARILY affected even when several are touched — read the stem's outcome verb.
Last updated: June 2026

CIA as a Decision Tool

The CIA triad — confidentiality, integrity, and availability — is the foundation of objective 1.2 on the current CompTIA Security+ SY0-701 exam (launched November 2023; up to 90 questions in 90 minutes; passing score 750 on a 100–900 scale; ~$425 voucher in the United States). Domain 1, General Security Concepts, is 12% of the exam, but its vocabulary recurs across all five domains. Treat the triad as a fast classifier: it tells you what went wrong, which risk is highest, and which control is most relevant.

Principle | Protects against | Common controls | Scenario clue
--- | --- | --- | ---
Confidentiality | Unauthorized disclosure | Encryption, access control, data masking, classification, DLP | "exposed", "read by", "leaked", "public site"
Integrity | Unauthorized or unexpected change | Hashing, digital signatures, file integrity monitoring, input validation | "modified", "tampered", "hash mismatch", "altered"
Availability | Loss of access or service | Redundancy, failover, backups, capacity planning, anti-DDoS | "unavailable", "outage", "latency", "locked out"
Non-repudiation | Credible denial of an action | Digital signatures, audit logs, time stamps, strong identity proof | "cannot deny", "prove who approved", "signed"

Non-repudiation is grouped with the triad on SY0-701 even though it is not strictly part of CIA. It is the assurance that a party cannot later deny having performed an action — critical for contracts, financial approvals, and forensic accountability.

Scenario Classification

The exam rarely asks "define confidentiality." It describes an event and asks which principle is primarily affected. Map the outcome verb to a principle.

Scenario | Primary principle | Why
--- | --- | ---
A contractor downloads customer records from a folder they should not access | Confidentiality | Data was disclosed to an unauthorized party
A payment file hash does not match the known-good value | Integrity | Evidence suggests unauthorized or accidental modification
A DDoS attack prevents customers from reaching a portal | Availability | The service cannot be used when needed
A manager disputes approving a high-risk firewall exception | Non-repudiation | The business needs reliable proof of who approved the action

Non-Repudiation Requires More Than a Log

An audit log supports non-repudiation only if the identity and the log's integrity are trustworthy. A shared admin account with editable local logs is weak evidence; a named account with multi-factor authentication (MFA), centralized append-only logging, synchronized time, and ticketed approval is strong evidence.

Weak evidence | Stronger evidence
--- | ---
Shared administrator account | Named privileged account with MFA
Local log file on the same server | Centralized tamper-resistant (write-once) logging
No time synchronization | NTP-backed time stamps across hosts
Verbal approval | Signed or ticketed approval with approver identity
Plain message content | Digital signature tied to a private key

Digital signatures deliver non-repudiation because only the holder of the private key could have produced the signature, and the matching public key proves it — while simultaneously providing integrity. Encryption alone does not, because anyone with the symmetric key could have authored the message.
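The contrast drawn in the paragraph above and in the evidence table, as an added Go example that is not part of the original page: an approval record is signed with Ed25519, verification fails on any alteration or on the wrong key, and an HMAC over the same record with a shared secret detects change but can be produced by any holder of the secret, so it cannot attribute authorship. The record fields, the approver address and the shared secret are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Approval is a constructed approval record of the kind the page discusses: who approved what, and when.
// The timestamp is assumed to come from an NTP-synchronized clock, as the evidence table recommends.
type Approval struct{ Approver, Action, Timestamp string }

// Bytes serializes the record so signer and verifier operate on exactly the same bytes.
func (a Approval) Bytes() []byte {
	return []byte(a.Approver + "|" + a.Action + "|" + a.Timestamp)
}

// SignApproval produces a signature that only the holder of priv could have made.
func SignApproval(priv ed25519.PrivateKey, a Approval) []byte {
	return ed25519.Sign(priv, a.Bytes())
}

// VerifyApproval checks authorship (the signer's public key) and integrity (any change breaks it).
func VerifyApproval(pub ed25519.PublicKey, a Approval, sig []byte) bool {
	return ed25519.Verify(pub, a.Bytes(), sig)
}

// MacApproval tags the record with a shared secret. It detects modification, but every party that
// holds the secret (the auditor included) can produce the same tag, so it cannot attribute authorship.
func MacApproval(shared []byte, a Approval) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write(a.Bytes())
	return m.Sum(nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rec := Approval{"cfo@example.com", "approve firewall exception FW-EX-0042", "2024-01-15T09:30:00Z"}
	sig := SignApproval(priv, rec)
	tampered := rec
	tampered.Action = "approve firewall exception FW-EX-0099"
	fmt.Println("signed record verifies:  ", VerifyApproval(pub, rec, sig))      // true
	fmt.Println("tampered record verifies:", VerifyApproval(pub, tampered, sig)) // false
	// The auditor, holding the same shared secret, can tag the tampered record just as validly as the CFO could.
	fmt.Printf("auditor's MAC on tampered record: %x\n", MacApproval([]byte("shared-secret"), tampered))
}
```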

A useful way to internalize the difference: confidentiality is about who can see, integrity is about whether it changed, availability is about whether it works, and non-repudiation is about who can be held responsible. A single sentence in an exam stem usually emphasizes exactly one of these four outcomes, and your job is to match the emphasized outcome to its principle while ignoring the plausible-but-secondary effects the question deliberately mentions to distract you. Candidates lose points by selecting the principle that is technically also true rather than the one the scenario is actually about.

Exam Trap: More Than One CIA Impact

Real incidents touch several principles at once. Ransomware can violate confidentiality (data exfiltrated before encryption — the modern "double extortion" pattern), integrity (files altered or corrupted), and availability (files encrypted and unusable). The exam still wants ONE primary answer, so anchor on the stem's stated outcome:

  • "Users cannot access encrypted files" → availability is primary.
  • "Stolen files appeared on a leak site" → confidentiality is primary.
  • "Records were silently changed to alter balances" → integrity is primary.

A second classic trap pairs the wrong control with the goal. Encryption protects confidentiality, not integrity; a hash detects change but does not stop it; a backup restores availability but does nothing to prevent disclosure.

Fast Rule (Apply in Order)

Question | If yes, think
--- | ---
Did someone see data they should not see? | Confidentiality
Did data or code change without authorization? | Integrity
Can users or systems not use the service when needed? | Availability
Does the organization need proof a specific party acted? | Non-repudiation

Work the list top to bottom and stop at the first match the stem emphasizes. This ordering mirrors how SY0-701 distractors are built: they offer a true-but-secondary principle alongside the primary one to test whether you parsed the outcome rather than the surrounding noise.

Finally, watch for non-CIA distractors planted in answer lists, such as "deterrence" or "authentication." Deterrence is a control category, not a triad property, and authentication is the mechanism that supports confidentiality and non-repudiation rather than a principle in its own right. When all four CIA-style options appear, the answer is almost always one of confidentiality, integrity, or availability — non-repudiation surfaces only when the stem explicitly involves proving or denying that a specific party performed an action, such as a disputed approval, a signed transaction, or an audit finding that must hold up under later challenge.

Test Your Knowledge

A database table is changed so account balances are incorrect, but no data was exposed and the application remains online. Which security principle is primarily affected?


Which set of controls best supports non-repudiation for an executive approval workflow?


An organization wants to ensure a signed contract sent over email cannot later be repudiated by the sender, while also proving it was not altered in transit. Which control best meets both needs?

Matching

Match each scenario to the primary security principle.


1. Unauthorized user reads payroll records
2. File hash changes unexpectedly
3. Customer portal is down during business hours
4. Signer cannot credibly deny sending an approved contract