In AP Cybersecurity, the CIA triad is the model of three core security principles, Confidentiality, Integrity, and Availability, that every security control is designed to protect, and it's the foundation of how you evaluate threats and defenses in Unit 2.
The CIA triad is the three-word answer to "what are we actually trying to protect?" The letters stand for Confidentiality, Integrity, and Availability, and per EK 2.1.F.1 every security control addresses at least one of them.
Here's the plain-language version. Confidentiality means only authorized people, systems, or processes can see the data; lose it and you get data theft. Integrity means the data is accurate and trustworthy; lose it and someone can quietly tamper with your data. Availability means the data and services are there when authorized users need them; lose it and you get unexpected downtime, like a site going dark during a denial-of-service attack. When you design or analyze a defense, you're always asking which of these three legs it props up.
This lives in Unit 2: Securing Spaces, Topic 2.1 Cyber Foundations, and it directly powers AP Cybersecurity 2.1.F (identify types of security controls). EK 2.1.F.1 literally defines controls by which CIA principle they serve, so the triad is the lens you use for the whole control discussion. It also threads into 2.1.G on defense in depth, because a layered strategy stacks controls across all three principles. The triad is the shared vocabulary that ties risk assessment, controls, and layered defense into one coherent story.
Keep studying AP Cybersecurity Unit 2
Visual cheatsheet
view gallerySecurity controls and defense in depth (Unit 2)
Every control you study exists to protect one or more legs of the triad, and a defense-in-depth strategy works because it stacks controls covering all three. If one control fails, another still guards confidentiality, integrity, or availability.
Risk and assets (Unit 2)
Risk assessment in 2.1.D is really about which CIA leg a threat would knock out. A vulnerability that exposes data threatens confidentiality; one that crashes a service threatens availability. Naming the leg sharpens your risk argument.
Phases of a cyberattack (Unit 2)
The attack phases in 2.1.C map onto the triad too. Data theft attacks confidentiality, data manipulation attacks integrity, and a takedown attacks availability. Knowing the adversary's goal tells you which principle is under fire.
Expect the triad to show up as the framework behind questions, not always by name. An MCQ might describe an attack and ask which security principle it violates, so a stolen-records scenario points to confidentiality, a tampered-database scenario to integrity, and a server-overload scenario to availability. On free response, you can use it to justify a control choice or explain why a defense-in-depth setup is stronger. No released FRQ has used "CIA triad" verbatim, but the exam tests the three principles individually through EK 2.1.F.1, so practice mapping any scenario to the right leg.
Integrity is just one leg of the CIA triad, not the whole thing. Integrity means the data is accurate and untampered; confidentiality is about who can see it, and availability is about whether it's there when you need it. If a question only mentions data being altered, the principle at stake is integrity specifically, not the full triad.
The CIA triad stands for Confidentiality, Integrity, and Availability, and every security control protects at least one of these three principles.
Confidentiality controls who can access data, integrity keeps data accurate and trustworthy, and availability keeps data and services reachable for authorized users.
When a system lacks confidentiality it's open to data theft, when it lacks integrity it's open to data manipulation, and when it lacks availability it suffers downtime.
Defense in depth works because layered controls cover all three legs, so one bypassed control still leaves the others protecting the data.
To analyze any attack or control on the exam, ask which leg of the triad it targets or defends.
It's the model of three core security principles, Confidentiality, Integrity, and Availability, that every security control is built to protect. In AP Cybersecurity it comes from EK 2.1.F.1 and frames how you evaluate controls in Unit 2.
No. The CIA in this triad is just an acronym for Confidentiality, Integrity, and Availability and has nothing to do with the intelligence agency. Don't let the name throw you on a test question.
Confidentiality is about who can see the data, so breaking it means theft or unauthorized access. Integrity is about whether the data is accurate and untampered, so breaking it means manipulation. They're two separate legs, and a question can target one without the other.
Availability. A denial-of-service attack overwhelms a service so authorized users can't reach it, which is exactly what availability protects against per EK 2.1.F.1.
Defense in depth stacks multiple controls so different threats are each met by the control best suited to them. Because controls map to confidentiality, integrity, and availability, a layered strategy keeps all three legs protected even if one control is bypassed.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.