The CIA triad is a waste of your time

There are multiple reasons for this:

  1. The triad is incomplete. This leads to information security goals being overlooked.
  2. The triad is ambiguous (it is not based on operational definitions). This makes communication of information security goals difficult or even impossible. A video on the same.
  3. There is no agreement on the triad definition (Page 4). This leads to communication barriers and undesirable variance in performance.
  4. The three reasons above have been proven by falsification.
  5. You can't use the triad to measure security. This prevents the triad from being used to manage security. There are other ways to measure security.
  6. The triad is not a triad. Check slide 32.
  7. Read even more about it in the ISSA Journal.

Luckily, THERE IS AN ALTERNATIVE, summarised in this funny video, or this other funny video with the Cookie Monster.

If you still believe the CIA triad is correct or useful in any way, I am more than willing to reopen the O-ISM3 Challenge.

Using O-ISM3 with TOGAF

In order to prevent duplication of work and maximize the value provided by the Enterprise Architecture and Information Security disciplines, it is necessary to find ways to communicate and take advantage of each other’s work. We have been examining the relationship between O-ISM3 and TOGAF®, both Open Group standards, and have found that, terminology differences aside, there are quite a number of ways to use these two standards together. We’d like to share our findings with The Open Group’s audience of Enterprise Architects, IT professionals, and Security Architects in this article.