Tenets of Information Security: The C-I-A Triad

The practice of securing information involves ensuring three main attributes of information. These three attributes are often called the tenets of information security, or the C-I-A triad. Some security professionals may refer to it as the A-I-C triad, but the concept is the same. The three tenets of information security are:

  • Confidentiality—The assurance that information cannot be accessed or viewed by unauthorized users.

  • Integrity—The assurance that information cannot be changed by unauthorized users.

  • Availability—The assurance that information is available to authorized users within an acceptable time frame when it is requested.

Each of the tenets interacts with the other two and, in some cases, may cause conflict with other tenets (FIGURE 1-1). In this section, you will look at each tenet in more detail and observe how each one may cause conflicts with the others.

FIGURE 1-1 The C-I-A triad. (Diagram: a network of client-server systems and a database, bound by the three policies Confidentiality, Integrity, and Availability.) © Jones & Bartlett Learning.

Confidentiality

In some cases, it is not enough to ensure information is protected from changes. Some information is private, privileged, business confidential, or classified and must be protected from unauthorized access of any type. Part of the value of confidential information is that it is available only to a limited number of authorized users. Some examples of confidential information include financial information, either personal or corporate; personal medical information; and secret military plans.

Confidentiality also introduces a need for an additional layer of protection. Sometimes it is necessary to further restrict users who already have access to many resources by allowing them to reach specific resources only on a need-to-know (NTK) basis. For example, a manager may have access to project documents that contain sensitive information. To limit the damage that could occur from accidents or errors, it is common to restrict that access to documents that directly relate to the manager’s own projects. Documents that do not directly relate to the manager’s projects are not accessible. This means that although a user possesses sufficient access for a resource, if the user does not have a specific need to know what that resource stores, the user still cannot access it.

A successful attack against confidential information enables the attacker to use the information to gain an inappropriate advantage or to extort compensation through threats to divulge the information.

Confidentiality has long been the subject of many types of legislation. Legislative bodies in many countries have enacted laws and regulations to protect the confidentiality of personal medical and financial information. Attorneys and physicians have long enjoyed the privilege of confidentiality when conversing with clients and patients. This assurance of confidentiality is crucial to the free flow of necessary information.

Integrity

Information is valid only when it is correct and can be trusted. The second tenet of information security ensures that information can be modified only by authorized users. Ensuring integrity means applying controls that prohibit unauthorized changes to information. Controls that ensure information integrity can be based on the user’s role. Other examples of integrity controls are security classification and user clearance.

Since information may change as a result of application software instructions, it is important that controls ensuring integrity extend to the application software development process. Regardless of the specific controls in use, the goal of integrity is to protect information from unauthorized changes.
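An added example (not from the textbook) that combines the need-to-know rule from the Confidentiality section with the clearance-based and role-based integrity controls described above in one access decision. The classification labels, roles, and the sample users and documents are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed classification ladder, lowest to highest sensitivity.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Integrity control based on role: only these roles may change a document.
WRITE_ROLES = frozenset({"editor", "manager"})

@dataclass(frozen=True)
class Document:
    name: str
    classification: str   # one of LEVELS
    project: str          # compartment used for the need-to-know check

@dataclass(frozen=True)
class User:
    name: str
    clearance: str        # one of LEVELS
    role: str             # e.g. "reader", "editor", "manager"
    projects: frozenset   # projects this user has a need to know about

def check_access(user: User, doc: Document, action: str) -> tuple[bool, str]:
    """Return (allowed, reason) for action 'read' or 'write' on doc."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action: {action}")
    # Confidentiality: a clearance below the classification fails outright.
    if LEVELS[doc.classification] > LEVELS[user.clearance]:
        return False, "clearance below classification"
    # Need to know: sufficient clearance is still not enough when the
    # document belongs to a project the user has no need to know about.
    if doc.project not in user.projects:
        return False, "no need to know for project " + doc.project
    # Integrity: reading is now allowed; changing requires an authorized role.
    if action == "write" and user.role not in WRITE_ROLES:
        return False, "role " + user.role + " may not modify documents"
    return True, "allowed"

# Constructed sample data: a cleared manager limited to project alpha, and a
# reader who has a need to know for both projects but may not modify anything.
ALPHA_PLAN = Document("alpha-plan", "confidential", "alpha")
BETA_PLAN = Document("beta-plan", "confidential", "beta")
MANAGER = User("mona", "secret", "manager", frozenset({"alpha"}))
READER = User("ray", "confidential", "reader", frozenset({"alpha", "beta"}))

if __name__ == "__main__":
    for u, d, a in [(MANAGER, ALPHA_PLAN, "write"), (MANAGER, BETA_PLAN, "read"),
                    (READER, BETA_PLAN, "read"), (READER, ALPHA_PLAN, "write")]:
        print(u.name, a, d.name, check_access(u, d, a))
```

Note that the manager's "secret" clearance does not let her read the beta plan: the compartment check runs after the clearance check and denies the request.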

Availability

Secure information serves the purpose for which it was created. This means that secure information must be available when it is requested.

Many attacks focus on denying the availability of information. One common type of attack that denies the availability of information is the denial of service (DoS) attack. This type of attack does not need to actually access or modify information, but it prevents authorized users from accessing it. For example, an attack that denies access to Amazon.com’s web-based information would have a negative impact on sales. Amazon can’t afford to allow its information to be inaccessible for any length of time. Since so many businesses rely on available information to function properly, unavailable information poses a risk to the primary business functions.

Over the last decade, a different type of adversary has joined the ranks of cyber attackers. These attackers use their skills to make social statements. These activists with hacking abilities, called hacktivists, often target victims with the goal of making some sort of social impact. Hacktivists are behind more and more large-scale attacks, the intent of which is generally to bring attention to some political or social issue. For example, Charles Tucker, also known as the “Bitcoin Baron,” was recently sentenced to 20 months in prison for carrying out a series of hacktivist attacks in 2015. One of the attacks for which Mr. Tucker was convicted was a distributed denial of service (DDoS) attack against the 911 service of Madison, WI. This attack severely degraded the ability of Madison 911 Emergency Services to respond to critical requests for help. Mr. Tucker stated that his activities were in response to the shooting of a suspect by a Madison police officer. Hacktivists are increasingly disrupting critical services with the hope of bringing attention to a specific issue.
