---
title: "CIA Triad — AP Cybersecurity Definition & Exam Guide"
description: "The CIA triad is the three-principle model (Confidentiality, Integrity, Availability) every security control protects, and it's the backbone of Unit 2 risk and defense questions."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/cia-triad"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 2"
---

# CIA Triad — AP Cybersecurity Definition & Exam Guide

## Definition

In AP Cybersecurity, the CIA triad is the model of three core security principles, Confidentiality, Integrity, and Availability, that every security control is designed to protect, and it's the foundation of how you evaluate threats and defenses in Unit 2.

## What It Is

The CIA triad is the three-word answer to "what are we actually trying to protect?" The letters stand for **[Confidentiality](/ap-cybersecurity/key-terms/confidentiality "fv-autolink")**, **Integrity**, and **Availability**, and per EK 2.1.F.1 every [security control](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink") addresses at least one of them.

Here's the plain-language version. Confidentiality means only authorized people, systems, or processes can see the data; lose it and you get [data theft](/ap-cybersecurity/unit-2/physical-vulnerabilities-and-attacks/study-guide/ZcvQYEyowkyIYrjESpUp "fv-autolink"). Integrity means the data is accurate and trustworthy; lose it and someone can quietly tamper with your data. Availability means the data and services are there when authorized users need them; lose it and you get unexpected downtime, like a site going dark during a denial-of-service attack. When you design or analyze a defense, you're always asking which of these three legs it props up.

## Why It Matters

This lives in [Unit 2](/ap-cybersecurity/unit-2 "fv-autolink"): Securing Spaces, Topic 2.1 Cyber Foundations, and it directly powers [AP Cybersecurity](/ap-cybersecurity "fv-autolink") 2.1.F (identify types of security controls). EK 2.1.F.1 literally defines controls by which CIA principle they serve, so the triad is the lens you use for the whole control discussion. It also threads into 2.1.G on defense in depth, because a layered strategy stacks controls across all three principles. The triad is the shared vocabulary that ties risk assessment, controls, and layered defense into one coherent story.

## Connections

### Security controls and defense in depth (Unit 2)

Every control you study exists to protect one or more legs of the triad, and a defense-in-depth strategy works because it stacks controls covering all three. If one control fails, another still guards confidentiality, [integrity](/ap-cybersecurity/key-terms/integrity "fv-autolink"), or availability.

### Risk and assets (Unit 2)

Risk assessment in 2.1.D is really about which CIA leg a [threat](/ap-cybersecurity/key-terms/threat "fv-autolink") would knock out. A vulnerability that exposes data threatens confidentiality; one that crashes a service threatens availability. Naming the leg sharpens your risk argument.

### Phases of a cyberattack (Unit 2)

The attack phases in 2.1.C map onto the triad too. Data theft attacks confidentiality, data manipulation attacks integrity, and a takedown attacks [availability](/ap-cybersecurity/key-terms/availability "fv-autolink"). Knowing the adversary's goal tells you which principle is under fire.

## On the AP Exam

Expect the triad to show up as the framework behind questions, not always by name. An MCQ might describe an attack and ask which security principle it violates, so a stolen-records scenario points to confidentiality, a tampered-database scenario to integrity, and a server-overload scenario to availability. On free response, you can use it to justify a control choice or explain why a defense-in-depth setup is stronger. No released FRQ has used "CIA triad" verbatim, but the exam tests the three principles individually through EK 2.1.F.1, so practice mapping any scenario to the right leg.

## CIA triad vs integrity

Integrity is just one leg of the CIA triad, not the whole thing. Integrity means the data is accurate and untampered; confidentiality is about who can see it, and availability is about whether it's there when you need it. If a question only mentions data being altered, the principle at stake is integrity specifically, not the full triad.

## Key Takeaways

- The CIA triad stands for Confidentiality, Integrity, and Availability, and every security control protects at least one of these three principles.
- Confidentiality controls who can access data, integrity keeps data accurate and trustworthy, and availability keeps data and services reachable for authorized users.
- When a system lacks confidentiality it's open to data theft, when it lacks integrity it's open to data manipulation, and when it lacks availability it suffers downtime.
- Defense in depth works because layered controls cover all three legs, so one bypassed control still leaves the others protecting the data.
- To analyze any attack or control on the exam, ask which leg of the triad it targets or defends.

## FAQs

### What is the CIA triad in cybersecurity?

It's the model of three core security principles, Confidentiality, Integrity, and Availability, that every security control is built to protect. In AP Cybersecurity it comes from EK 2.1.F.1 and frames how you evaluate controls in Unit 2.

### Does the CIA triad have anything to do with the spy agency?

No. The CIA in this triad is just an acronym for Confidentiality, Integrity, and Availability and has nothing to do with the intelligence agency. Don't let the name throw you on a test question.

### How is integrity different from confidentiality in the CIA triad?

Confidentiality is about who can see the data, so breaking it means theft or unauthorized access. Integrity is about whether the data is accurate and untampered, so breaking it means manipulation. They're two separate legs, and a question can target one without the other.

### Which CIA principle does a denial-of-service attack violate?

Availability. A denial-of-service attack overwhelms a service so authorized users can't reach it, which is exactly what availability protects against per EK 2.1.F.1.

### How does the CIA triad connect to defense in depth?

Defense in depth stacks multiple controls so different threats are each met by the control best suited to them. Because controls map to confidentiality, integrity, and availability, a layered strategy keeps all three legs protected even if one control is bypassed.

## Related Study Guides

- [2.1 Cyber Foundations](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/cia-triad#resource","name":"CIA Triad — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/cia-triad","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/cia-triad#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:32.293Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/cia-triad#term","name":"CIA triad","description":"In AP Cybersecurity, the CIA triad is the model of three core security principles, Confidentiality, Integrity, and Availability, that every security control is designed to protect, and it's the foundation of how you evaluate threats and defenses in Unit 2.","url":"https://fiveable.me/ap-cybersecurity/key-terms/cia-triad","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.1, LO 2.1.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.1, LO 2.1.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.1, LO 2.1.C"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.1, LO 2.1.D"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.1, LO 2.1.E"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.1, LO 2.1.F"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.1, LO 2.1.G"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is the CIA triad in cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's the model of three core security principles, Confidentiality, Integrity, and Availability, that every security control is built to protect. In AP Cybersecurity it comes from EK 2.1.F.1 and frames how you evaluate controls in Unit 2."}},{"@type":"Question","name":"Does the CIA triad have anything to do with the spy agency?","acceptedAnswer":{"@type":"Answer","text":"No. The CIA in this triad is just an acronym for Confidentiality, Integrity, and Availability and has nothing to do with the intelligence agency. Don't let the name throw you on a test question."}},{"@type":"Question","name":"How is integrity different from confidentiality in the CIA triad?","acceptedAnswer":{"@type":"Answer","text":"Confidentiality is about who can see the data, so breaking it means theft or unauthorized access. Integrity is about whether the data is accurate and untampered, so breaking it means manipulation. They're two separate legs, and a question can target one without the other."}},{"@type":"Question","name":"Which CIA principle does a denial-of-service attack violate?","acceptedAnswer":{"@type":"Answer","text":"Availability. A denial-of-service attack overwhelms a service so authorized users can't reach it, which is exactly what availability protects against per EK 2.1.F.1."}},{"@type":"Question","name":"How does the CIA triad connect to defense in depth?","acceptedAnswer":{"@type":"Answer","text":"Defense in depth stacks multiple controls so different threats are each met by the control best suited to them. Because controls map to confidentiality, integrity, and availability, a layered strategy keeps all three legs protected even if one control is bypassed."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 2","item":"https://fiveable.me/ap-cybersecurity/unit-2"},{"@type":"ListItem","position":4,"name":"CIA triad"}]}]}
```
