CIA triad in AP Cybersecurity

In AP Cybersecurity, the CIA triad is the model of three core security principles, Confidentiality, Integrity, and Availability, that every security control is designed to protect, and it's the foundation of how you evaluate threats and defenses in Unit 2.

Verified for the 2027 AP Cybersecurity examLast updated June 2026

What is the CIA triad?

The CIA triad is the three-word answer to "what are we actually trying to protect?" The letters stand for Confidentiality, Integrity, and Availability, and per EK 2.1.F.1 every security control addresses at least one of them.

Here's the plain-language version. Confidentiality means only authorized people, systems, or processes can see the data; lose it and you get data theft. Integrity means the data is accurate and trustworthy; lose it and someone can quietly tamper with your data. Availability means the data and services are there when authorized users need them; lose it and you get unexpected downtime, like a site going dark during a denial-of-service attack. When you design or analyze a defense, you're always asking which of these three legs it props up.

Why the CIA triad matters in AP Cybersecurity

This lives in Unit 2: Securing Spaces, Topic 2.1 Cyber Foundations, and it directly powers AP Cybersecurity 2.1.F (identify types of security controls). EK 2.1.F.1 literally defines controls by which CIA principle they serve, so the triad is the lens you use for the whole control discussion. It also threads into 2.1.G on defense in depth, because a layered strategy stacks controls across all three principles. The triad is the shared vocabulary that ties risk assessment, controls, and layered defense into one coherent story.

Keep studying AP Cybersecurity Unit 2

How the CIA triad connects across the course

Security controls and defense in depth (Unit 2)

Every control you study exists to protect one or more legs of the triad, and a defense-in-depth strategy works because it stacks controls covering all three. If one control fails, another still guards confidentiality, integrity, or availability.

Risk and assets (Unit 2)

Risk assessment in 2.1.D is really about which CIA leg a threat would knock out. A vulnerability that exposes data threatens confidentiality; one that crashes a service threatens availability. Naming the leg sharpens your risk argument.

Phases of a cyberattack (Unit 2)

The attack phases in 2.1.C map onto the triad too. Data theft attacks confidentiality, data manipulation attacks integrity, and a takedown attacks availability. Knowing the adversary's goal tells you which principle is under fire.

Is the CIA triad on the AP Cybersecurity exam?

Expect the triad to show up as the framework behind questions, not always by name. An MCQ might describe an attack and ask which security principle it violates, so a stolen-records scenario points to confidentiality, a tampered-database scenario to integrity, and a server-overload scenario to availability. On free response, you can use it to justify a control choice or explain why a defense-in-depth setup is stronger. No released FRQ has used "CIA triad" verbatim, but the exam tests the three principles individually through EK 2.1.F.1, so practice mapping any scenario to the right leg.

The CIA triad vs integrity

Integrity is just one leg of the CIA triad, not the whole thing. Integrity means the data is accurate and untampered; confidentiality is about who can see it, and availability is about whether it's there when you need it. If a question only mentions data being altered, the principle at stake is integrity specifically, not the full triad.

Key things to remember about the CIA triad

  • The CIA triad stands for Confidentiality, Integrity, and Availability, and every security control protects at least one of these three principles.

  • Confidentiality controls who can access data, integrity keeps data accurate and trustworthy, and availability keeps data and services reachable for authorized users.

  • When a system lacks confidentiality it's open to data theft, when it lacks integrity it's open to data manipulation, and when it lacks availability it suffers downtime.

  • Defense in depth works because layered controls cover all three legs, so one bypassed control still leaves the others protecting the data.

  • To analyze any attack or control on the exam, ask which leg of the triad it targets or defends.

Frequently asked questions about the CIA triad

What is the CIA triad in cybersecurity?

It's the model of three core security principles, Confidentiality, Integrity, and Availability, that every security control is built to protect. In AP Cybersecurity it comes from EK 2.1.F.1 and frames how you evaluate controls in Unit 2.

Does the CIA triad have anything to do with the spy agency?

No. The CIA in this triad is just an acronym for Confidentiality, Integrity, and Availability and has nothing to do with the intelligence agency. Don't let the name throw you on a test question.

How is integrity different from confidentiality in the CIA triad?

Confidentiality is about who can see the data, so breaking it means theft or unauthorized access. Integrity is about whether the data is accurate and untampered, so breaking it means manipulation. They're two separate legs, and a question can target one without the other.

Which CIA principle does a denial-of-service attack violate?

Availability. A denial-of-service attack overwhelms a service so authorized users can't reach it, which is exactly what availability protects against per EK 2.1.F.1.

How does the CIA triad connect to defense in depth?

Defense in depth stacks multiple controls so different threats are each met by the control best suited to them. Because controls map to confidentiality, integrity, and availability, a layered strategy keeps all three legs protected even if one control is bypassed.

Keep studying AP Cybersecurity

Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.