Beyond confidentiality: the five principles of cyber security
The five principles of cyber security
Cyber security is often misunderstood as being solely about confidentiality, but it is more complex than that. Traditional definitions focused on three core principles: confidentiality, integrity, and availability. True cyber security also includes two further elements: authenticity and non-repudiation.
The final two principles are increasingly critical today. ‘Fake news’, misinformation, and smishing are the result of our inability to confirm that data is authentic and to trust its origin.
These five principles are often referred to as the pillars of information assurance:
Confidentiality
Confidentiality ensures that information is only accessible to those who are authorised to access it. It focuses on keeping data private and protected from unauthorised access. For example, online banking uses encryption to protect financial details. This ensures that only you and the bank can access them.
Integrity
Integrity maintains the accuracy and completeness of data, and ensures it is not changed without proper authorisation. For example, when you access a bank statement, you should expect that all transactions are accurate and unchanged.
Availability
Availability ensures that authorised users can access data and services when they are needed. This involves keeping systems functional and preventing disruptions.
Authenticity
Authenticity verifies that data, transactions, and communications are genuine, confirming that sources and identities are legitimate. For example, two step verification (2SV, also known as multi-factor authentication) on social media accounts ensures that the person accessing the account is the rightful owner of the account.
Non-repudiation
Non-repudiation prevents entities from denying their actions about data or transactions, which ensures accountability. For example, when you sign for a delivered package you create a record that it was received, which makes it difficult for the company to deny that they delivered it. The same principles apply online, for example with digital signatures and smart contracts. These rely on good cryptography and other technical and organisational controls to establish trust.
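The delivery-receipt analogy above maps directly onto a digital signature. The following Go program is an added example written for this page, not code from JCSC or from any product it mentions; the courier, the impostor, the key pairs and the receipt text are all constructed for illustration. It shows the three properties at once: a receipt signed by the courier verifies (authenticity and non-repudiation, since only the holder of the courier's private key could have produced it), a receipt altered after signing fails (integrity), and the same receipt signed by someone else's key fails (authenticity).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRecord bundles a message with the signer's public key and the
// signature over the message: the digital equivalent of a signed delivery slip.
type SignedRecord struct {
	Message   []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// SignRecord signs msg with the signer's private key. Only the holder of that
// private key can produce a valid signature, which is what gives the record
// its non-repudiation value.
func SignRecord(priv ed25519.PrivateKey, msg []byte) SignedRecord {
	return SignedRecord{
		Message:   msg,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, msg),
	}
}

// VerifyRecord checks two things at once: authenticity (the record was signed
// with the key we expected, not whatever key the record itself carries) and
// integrity (the message has not changed since signing). A record that fails
// either check must not be treated as proof of anything.
func VerifyRecord(rec SignedRecord, expectedPub ed25519.PublicKey) bool {
	if !expectedPub.Equal(rec.PublicKey) {
		return false // signed by someone else: authenticity failure
	}
	return ed25519.Verify(expectedPub, rec.Message, rec.Signature)
}

// Outcome reports the three scenarios Demo exercises.
type Outcome struct {
	Genuine  bool // untouched record from the real courier verifies
	Tampered bool // record altered after signing verifies (should be false)
	Impostor bool // record signed by a different key verifies (should be false)
}

// Demo plays out a delivery receipt. The courier and impostor keys and the
// receipt text are constructed for this example; real keys would be issued
// and protected by the organisation's key-management process.
func Demo() (Outcome, error) {
	courierPub, courierPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	receipt := []byte("parcel 12345 delivered to 10 High Street, 2024-05-01 09:14")
	genuine := SignRecord(courierPriv, receipt)

	// Integrity failure: the address is edited after signing, but the
	// original signature is kept.
	tampered := genuine
	tampered.Message = []byte("parcel 12345 delivered to 11 High Street, 2024-05-01 09:14")

	// Authenticity failure: an impostor signs the same text with their own key.
	impostor := SignRecord(impostorPriv, receipt)

	return Outcome{
		Genuine:  VerifyRecord(genuine, courierPub),
		Tampered: VerifyRecord(tampered, courierPub),
		Impostor: VerifyRecord(impostor, courierPub),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine record verifies:  %v\n", out.Genuine)
	fmt.Printf("tampered record verifies: %v\n", out.Tampered)
	fmt.Printf("impostor record verifies: %v\n", out.Impostor)
}
```

The important design point is in VerifyRecord: the verifier compares the record's public key against the key it already trusts for the courier before checking the signature. If it trusted whatever key the record carried, an impostor could simply attach their own key and the signature would verify, which is why non-repudiation depends on the organisational controls around key ownership as much as on the cryptography itself.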
Cyber security is not just about cyber attacks
Malicious activity (for example, hacking) is often what gets the headlines. However, many cyber security incidents are the result of errors or omissions by a person or an organisation. They are not the result of a deliberate attack.
JCSC can respond to cyber emergencies regardless of what causes them, just as in any other emergency. For example, if you call the fire service, firefighters will attend whether the fire was caused by arson or a chip pan fire. In cyber security incidents, cause can be hard to identify and often does not matter much in early response.
What do the five principles of cyber security mean for my organisation?
Using the five principles – and your knowledge of your business – you can complete a basic assessment of the cyber security risks you face. Look at each principle and list out the scenarios that you think are most likely to affect your business. You can then identify the controls that could help prevent that scenario from happening.
Once you have these controls in place, you test them. You can do this through assurance (for example, Cyber Essentials Plus, security scans, penetration testing, or audit). You can also do this by running a desktop incident response exercise that works through each critical scenario. There are many providers in Jersey who can help you. You can find a full list on this webpage.