What is information security? This is the question that this article will attempt to answer, by proposing, and arguing for, a definition of said subject. However, this question is potentially ambiguous, since ‘information security’ could refer to many things, e.g., the name of an academic subject, a practice, a goal, or a state of affairs. Thus, in order to answer the question, it must first be disambiguated. The authors believe that the most fundamental and interesting question to answer is when some information (system)Footnote 1 is secure, since unless one has an understanding of this core notion, one does not know what the ideal would be that one is striving towards in the information security domain. The aim of this paper is thus to define this state.

Such a definition of security should fulfil at least three conditions. First, it should supply necessary and sufficient conditions for the state of security of any information (system). Second, these conditions should capture the meaning, or sense, of the concept (thus matching a suitable understanding of the term to be defined). These two conditions encapsulate what Anil Gupta calls “three grades of descriptive adequacy of a definition: extensional, intensional, and sense”.Footnote 2 The first condition, i.e. necessary and sufficient conditions, ensures that the definition is adequate both extensionally (i.e. it has no actual counter-examples) and intensionally (i.e. it has no possible counter-examples), while the second condition focuses on the sense of the concept.Footnote 3 Supposing a definition has captured the adequate sense of the concept there is also a third condition; that it should be helpful in an analysis of security breaches, incidents, and security related value conflicts. This third condition is especially important for increasing the value of the definition beyond pure demarcation issues (as will be clear from the examples in the “Further Arguments for the AA Definition” section, the proposed definition may be helpful in analysing, e.g., security/privacy conflicts).

Before presenting the definition, however, the need for a new definition will first be motivated by demonstrating the shortcomings of the main antagonist in this paper: the so-called ‘CIA definition’, the dominating definition of information security in the literature.Footnote 4 The CIA definition is based on the following triad of properties:

  • Confidentiality: “property that information is not made available or disclosed to unauthorized individuals, entities, or processes”.

  • Integrity: “property of accuracy and completeness”.

  • Availability: “property of being accessible and usable upon demand by an authorized entity”.Footnote 5

To these base properties others are sometimes added.Footnote 6 Variations of these characterisations can be found in ISO-standards, US federal law and standards, as well as other national standards, handbooks, and articles.Footnote 7 While the exact formulations vary, the critique here put forward is valid across the variations. For this reason, the CIA properties will henceforth be characterized in accordance with the ISO definitions.

In what follows, the idea that information security can be defined by the CIA properties will be challenged. However, a potential worry that is worth considering already at the outset is that the CIA triad is not intended as a definition.Footnote 8 For example, some theorists argue that CIA supplies goals for a secure system rather than serving as a definition supplying a demarcation between secure and insecure information (systems). The problem with this retreat position is twofold. First, since the CIA properties are not necessary, the CIA-triad cannot properly function as goals either.Footnote 9 Secondly, the CIA triad is de facto utilized as a definition in many international standards, as well as in many US standards, and is the textbook characterisation in the security profession. Consequently, the need for a proper analysis of the CIA triad as a definition—and a way forward should it be found wanting—is much needed. This is the task of the present paper.Footnote 10

Before substantially analysing the CIA definition, one immediate problem needs to be overcome: the problematic form of the definition found in standard texts. In order to properly discuss potential counter-examples, the CIA definition will be modified so that it clearly states necessary and sufficient conditions. The authors propose the following specification:

The CIA definition of secure information: some information I is secure if, and only if, all parts of I retain the properties of confidentiality, integrity, and availability.

Henceforth, when the ‘CIA definition’ is mentioned it refers to this specification. This is a definition of absolute security, which is taken to be the most fundamental property to define and hence the main concern of the current paper.Footnote 11 In practice, however, it is relevant to determine not only if security of some information (system) is breached, but to what degree it is breached or the likelihood that it is secure. For this reason, the extent to which the criticism also encompasses gradable versions of the CIA definition will be discussed below.

This paper is structured as follows. In the next section, the CIA definition is critically evaluated and it is shown how it is susceptible to counter-examples. It will be argued that these problems are rooted in its lack of a proper relation to an analysis of security. As history has shown, security is not only about technical solutions, but also about human actions and interactions. According to Gurpreet Dhillon and James Backhouse, a majority of breaches depend on insiders,Footnote 12 indicating that ‘soft issues’—involving human, organizational, cultural, ethical, policy, or juridical aspects—play an important role.Footnote 13 A definition of information security must be properly applicable to such analyses. Based on these counter-examples and the need for a more fundamental analysis of security, “The Appropriate Access definition” section proposes a new definition of information security that is suitably applicable also to the softer side of information security, and treats a number of potential objections to our definition. In the following section additional arguments for the definition are treated, which includes examples that show that the definition useful beyond pure security-issues. In the final section, our conclusions are summarised.

Counter-Examples to the CIA Definition

The first and perhaps most fundamental problem with the CIA definition is that it is both too broad and too narrow, i.e. it defines insecure states as secure and secure states as insecure. This section will start by addressing the latter problem, arguing that the CIA triad does not supply necessary properties for information security.

Consider availability, i.e. the “property of being accessible and usable upon demand by an authorized entity”.Footnote 14 There are genuine examples of devices intended to provide security that conflicts directly with—and as such contradicts the necessity of—availability. Take, e.g., time-locks: the whole idea of time-locks is that they provide security by making its content unavailable. Another example is the global seed vault on Svalbard. In this vault seeds are stored in the case of major catastrophes. At this moment, or in the foreseeable future, mankind do not need access to the seeds. Thus, in a more general sense the only purpose of the vault is to make sure that the integrity of the seeds remains, and if the seeds are inaccessible for some period of time—making them not usable upon demand—this would not affect the state of security. But, according to the CIA definition, it would. Cases such as these show that availability cannot be considered a necessary property for information security.

Now, a proponent of the CIA definition might perhaps argue that in the case of the time-lock one has simply given priority to the protection of integrity and confidentiality.Footnote 15 While this may be the case, it actually supports rather than undermines the ‘too narrow’ point. If using a time-lock prioritizes confidentiality and integrity over availability without compromising security, then availability simply isn’t necessary for all kinds of information (systems). Therefore, the conclusion to draw here is that the CIA definition simply isn’t properly attuned to the different needs that different information (systems) have. While this is in practice recognized by many security experts, the definition fails to recognize this.

The other two properties of the CIA definition arguably face similar problems. Take integrity; here, a counter-example could be an open artwork similar to fridge magnet poetry where anyone could change the content of the information, so that the artwork is made to be whatever people make of it. While the integrity of the information would not be protected when the content is changed, it seems correct to say that the security of the artwork is still protected, since there is no need whatsoever to protect its integrity—rather the point is to compromise the integrity (in the CIA-sense of the term) of the artwork.Footnote 16

Perhaps it may be argued that the fridge magnet artwork is insecure, because it lacks integrity, but that insecurity in this case is unproblematic, since the artwork does not need to be secure.Footnote 17 In effect, this amounts to insisting that the notion of integrity is analytically tied to security. But while the authors can appreciate that intuitions about individual cases may vary, on closer inspection there is little reason—beyond old habit—to hold on to this intuition. In order for the term ‘insecure’ to apply to a system or piece of information, there should surely be something undesirable about the state of the system or information. And here the lack of integrity does not constitute something undesirable in any way, but is on the contrary something positively desirable. Consequently, the term ‘insecure’ seems to have little grip in a case like this.

In the case of the final property, confidentiality, it is important to note that a counter-example against confidentiality along the same lines as the previous examples is not attainable. A system which has no confidential information satisfies the property of confidentiality simpliciter, since if there is no confidential information then everyone is authorized to access any information and the property is satisfied. The problem, however, is that it is not clear that a loss of confidentiality necessarily implies (that there is or has been) a security breach (and consequently a loss of security). The property of confidentiality requires that no information is disclosed to unauthorized individuals. But imagine a case in which a person who shouldFootnote 18 be authorised, and perhaps soon will be so, is—for expedience—disclosed information for which she is currently not authorized. While it constitutes a security breach according to the CIA definition (and plausibly an action in conflict with the security policy of the organisation), it seems that security is not breached if this person should have been authorised. Just because a person is not (yet) authorized by an organization doesn’t mean that her access would be improper for that organization (just as a person that is authorized perhaps shouldn’t be, if one aims to retain the security of a certain organization, as the examples of Manning and Snowden have shown).

A recent security scandal also exemplifies a parallel case. The scandal concerned the outsourcing of the Swedish Transport Agency’s IT operations. Part of the problem was that “foreign personnel who didn’t have Swedish security clearance gaining access to classified information”.Footnote 19 While this clearly violates the confidentiality criteria it is, however, not clear that the information has not been—otherwise—handled correctly. Indeed, imagine that the personnel would have passed a security clearance (if they had been properly vetted). Suppose it was true, then it seems counter-intuitive to claim that the information is insecure only because this was not done earlier. Thus, although this was a violation of Swedish law it is not obvious that the security has actually been breached.

There is a substantial discussion to be had on the role of a gradable conception of security in situations like these. However, if it is correct that the CIA properties are not necessary, then a gradable conception of security in terms of the CIA properties does not work either, since, e.g., if a property is not necessary making it less likely that it is retained does not necessarily lead to decreased security either.

More can be said about the properties of integrity and confidentiality, in particular—which admittedly require a more substantial discussion to be conclusive—but in order not to foreshadow the positive arguments for the Appropriate Access definition (treated in later sections), the issue will not be further pursued here. Turn instead from the ‘too narrow’ aspect of the criticism to the ‘too broad’ aspect: i.e. the claim that the CIA definition defines insecure states as secure. In other words, it entails false positives.

Take the case of Edward Snowden. While the details of how Snowden managed to gather all of these confidential documents are not widely known, some claim, for example, that Snowden fabricated a few digital keys, meaning that already at the gathering process he had affected the system integrity (and therefore the security according to the CIA definition).Footnote 20 However, one can imagine a situation in which Snowden didn’t have to perform any hacks (digital or otherwise, i.e. by eliciting non-authorized access by other means) in order to gather the documents. In other words, he would then be authorized to access (and, therefore, gather) all the documents that he actually gathered. Let the person in this (plausible) counterfactual situation be known as ‘c-Snowden’.Footnote 21 In accordance with the CIA definition it would not have been a security breach for c-Snowden to gather the documents (since he was authorized to access them all). Instead, according to the CIA definition, security was breached by c-Snowden only when he passed the secret documents to a non-authorized third-party (‘T’), since only then would the confidentiality of the information be breached.

It seems more plausible to say, however, that the security breach happened before c-Snowden actually shared the secret documents. Imagine two possible scenarios:


c-Snowden gives the secret documents to T.


c-Snowden intends to give documents to T, but on his way to do so, he ends up in a traffic accident and the plan is uncovered. As a result of this the information is retrieved before any non-authorized user could access it.

Now, according to the CIA definition it would be the sharing of the information that is the breach; consequently, security is breached in S1, but not in S2. But that seems counter-intuitive, since the intention and preparatory act alone should suffice for there to be a security breach in S2. If one asked those who retrieved the documents if there had been a security breach (or incident), answering ‘no’ hardly would seem proper. What they should say is that ‘yes, there was a security breach, but the documents are now secure’. It seems, though, that the CIA definition here gets the cart before the horse: it is the breach of security that enables the sharing of confidential information, not the other way around. While a breach enabled sharing in both S1 and S2, circumstances disabled sharing in S2. Thus, that confidentiality wasn’t retained (in S1) is a consequence of a security breach, not the security breach itself. In the case of S2 what one should say is that the security was breached, but that the breach had non-severe consequences, since the confidentiality of all the documents were retained (and the documents are now secure).

In order to save the CIA definition, one might argue that the above examples only work if one considers an absolute sense of security, or one might try to say that the serious consequences of S1 is what makes it a security breach and that the lack of serious consequences of S2 explains why it isn’t a security breach. The idea then would be that the CIA-triad defines such serious consequences. However, just as one should not conflate the consequences of a security breach with what constitutes the breach itself, one should not conflate the normative evaluation of the consequences of a security breach with what constitutes the breach itself. Nevertheless here follows yet another argument against this possibility that also cuts against the idea that the CIA definition can be used to define a gradable conception of security, e.g., according to which some information (system) is secure to the degree that it is likely to retain the CIA properties. Consider the following situation:


c-Snowden gives the secret documents to T, but before T can do anything with the documents the incident is uncovered, and during a police raid T is shot dead, and as result of this the information is retrieved before any further non-authorized user could access it.

In S3, confidentiality is breached and thus according to the CIA definition security is breached. However, the results of the incident are only as serious as (or less than, since T is eliminated and that threat is therefore gone) that of S2, so it would be a mistake to think that focusing on consequences might save the CIA definition. This also illustrates why a gradable version of the CIA definition does not help, since in S3 confidentiality is breached, meaning that the likelihood of it being breached is 100%. Yet the information is not less secure in S3 than in S2 and S1.Footnote 22

Returning to the issue of mistakenly conflating the consequences of a breach with the actual breach (or, rather, with there actually being a breach) here follows a more clearly illustrative example: Think of an organization that has a master administrator, who has control over the whole information system. Imagine that someone takes her children hostage. Now, according to the CIA definition security is not breached until the hostage-takers force the administrator to do things that affects the confidentiality, integrity, or availability of the system. However, even if the hostage-taker is stopped before she does that, the security of the system was clearly breached (for a while).Footnote 23 All other conclusions seem clearly counterintuitive, since before the hostage-taker was stopped she had (indirect) absolute control of the system and the case that an adverse party (the hostage-taker) could do whatever she wanted with the system (during a certain period of time) is reason enough to consider it insecure (during that period of time).

Before ending this section, another aspect of these scenarios is worth mentioning. It is reasonable to argue that Snowden’s reasons for his actions were caused by an ethical conflict with NSA. According to Snowden himself, he did report “to more than ten distinct officials” what he thought was problematic; “none of whom took any action”, and as far as the authors can tell this has not been disputed.Footnote 24 For analysing such ethical aspects of information security, however, the CIA definition offers no help. Indeed, it is perfectly blind to such a security breach. While the CIA definition is compatible with the recognition that a soft issue, such as an ethical conflict, may lead to a security breach, it is not, however, compatible with the idea that the soft issue, in itself, can constitute the breach (since according to the CIA definition only the violation, i.e. non-retaining, of the CIA properties can constitute a breach of security). The Snowden/NSA example illustrates that a security breach can be constituted by other properties. Again, as was argued earlier, it was the breach that led to the violation of the CIA properties, not the other way around. This is part of the reason why the ability to properly analyse security breaches is such a vital feature for a proper definition of the security of information.

So the problem with the CIA definition is not only its inability to deal with contextual variations of the needs of particular organizations, it is also that it has incorrectly conflated security breaches with the consequences of security breaches, and that it is inapplicable to situations that are insecure because of various soft issues, such as ethical conflicts. In sum, there are both actual and possible counterexamples to the CIA definition, and there are counterexamples which show that the CIA definition is analytically false (i.e. it has the wrong sense), and there are examples which show that it fails to be helpful in a proper analysis of security breaches.

The Appropriate Access Definition

In this section the authors will present and argue for a new definition of information security, the appropriate access definition. This definition will be argued for in relation to some of the fundamental problem previously raised against the CIA definition. Consider the last discussion in the previous section, in which it was argued that the analysis of the Snowden-NSA incident showed that the security breach was partly constituted by an ethical conflict between Snowden and NSA. Taking another perspective on the issue one may conclude that Snowden acted in conflict with what NSA needed, and wanted, in order to achieve security (given NSA’s perspective). As such, although he was authorized, he should not have been so. This fundamental relation—between the needs of a stakeholder and those able to affect its security—is, if spelled out properly, the basis of information security. The general definition scheme, the Appropriate Access definition (‘AA’), thus describes a relation between an object of security, an agent,Footnote 25 and a stakeholder:

AA (general): The object O is secure for stakeholder H if, and only if: For every agent A, and every part P of O, A has just the appropriate access to P relative to H.

This scheme may be applied either to information, or to an information systemFootnote 26:

AA (information): The information I is secure for stakeholder H if, and only if: For every agent A, and every part P of I, A has just the appropriate access to P relative to H.Footnote 27

AA (information system): An information system S is secure for stakeholder H if, and only if: For every agent A, and every part P of S, A has just the appropriate access to P relative to H.Footnote 28

Given the main aim of this article, the above definitions specify absolute security, i.e., the state of being secure. However, they can easily be modified to suit a more gradable sense of security.Footnote 29 Henceforth, although the focus will be on this absolute sense of security, it should be clear, mutatis mutandis, how the upcoming examples would apply also to some such gradable conception of security.

Before proceeding to further motivate this definition, the basic question of how the term ‘appropriate’ should be understood needs to be addressed. The answer to this is directly correlated to why the AA definition treats security as a property that is relative to a certain stakeholder. According to the AA definition some information (system) may be secure relative to one stakeholder but not relative to another. In other words, on this option, security is relativized to a particular stakeholder. The alternative would be that some information (system) is secure regardless of stakeholder. The two options may be compared with a case of rainfall. The case that it rains is not stakeholder-relative. Whether it is good that it rains, however, is plausibly a stakeholder-relative fact: for the farmer, it may be good, although not for the tourist.

We suggest that the most plausible interpretation in the context of information security is the first, stakeholder-relative interpretation. A database system used by an organisation to inform the public, and hence grant everyone access to its files, might be totally secure given the needs of that organisation, while that system is surely not secure relative to the needs of another organisation that has another stake in the information, which requires that it is more strictly handled.Footnote 30 In what follows, security will primarily be discussed relative to some stakeholder. On this reading, the question, strictly speaking, is thus not ‘Is the information secure?’, but ‘Is the information secure for stakeholder H?’. This feature of the definition enables it to be used to explicitly to clarify conflicts due to different stakeholder-perspectives. The upshot of this suggestion is that ‘appropriate’ should be given an instrumental, ‘appropriate- for’ or ‘relative to’, i.e. the appropriate access is the access that is appropriate, or necessary, for the stakeholder from whose perspective the security property is evaluated.

The formal characterizations of the AA-definitions may be rephrased to enable us to more easily capture the problem in the current situation.Footnote 31 For example, one may speak of an agent not being the appropriate kind of agentFootnote 32 (given the access relations she has), which of course would be equivalent to the agent not having the appropriate access relations (given who she is and how she behaves).Footnote 33 Now, given that security is to be assessed in relation to a stakeholder, for each application of the definition one must operationalize the property of just the appropriate access in relation to the needs of some stakeholder (e.g., a particular organization, or individual).Footnote 34 As such the AA definition manages to deal with the time-lock, and other related counter-examples, because if security is retained when information is time-locked it is because this is in line with the stakeholder’s needs (i.e. it is part of what is just the appropriate access relative to that stakeholder). Hence the definition achieves stability over time. It allows both for historical analysis, for which the CIA definition may be highly unsuitable,Footnote 35 and it will be compatible with any future developments. It is highly unlikely that one can foresee all the possible needs and threats of the future, but because of the contextual sensitivity of the AA definition it will be perfectly applicable to all such cases. This is particularly important since the field of information security has gone through several paradigmatic changes in fairly short time, transitioning in only a few decades from security as a mostly technical problem (with mainframes) to security as a management problem, and thereafter to yet new paradigms.Footnote 36

Furthermore, one can explain the security breaches in scenarios S1–S3 by referring to the fact that an authorized user at some moment ceased to be the appropriate kind of agent (or equivalently that the access he had was no longer appropriate). Because c-Snowden was no longer the appropriate kind of agent for NSA, he should no longer have that kind of access to the information that he had. Lastly, here follows a sketch of how the AA definition is also fully compatible with a gradable conception of security. Firstly, the quantification of the degree of a breach is relative to the importance of those access-relations which aren’t just appropriate. Secondly, if one is more interested in the likelihood that some information (system) is secure one need only to quantify the likelihood that the access relations are just appropriate.Footnote 37 Such quantifications are worthy of further discussion, but as previously stated it will not be the focus of this paper. This issue will thus be ignored henceforth.

A good way of pointing to the appeal of the AA definition is to treat what may be the most natural objections from the CIA camp. Thus, before turning to additional (pro)arguments for the AA definition, three objections to the AA definition will be discussed.

Objection: the AA definition is too vacuous to be useful. The impression that the AA definition is vacuous or non-informative is natural, in the light that unlike the dominant CIA definition, the AA definition does not specify any substantive features which cause the information security to be retained. But this aspect of the AA definition directly reflects the authors conviction that it is the substantive feature specification of CIA that makes it too broad, and too narrow, as well as analytically incorrect. The CIA definition fails because it attempts to provide a definition as well as a checklist on security features, and as the counter-examples have shown this is erroneous because the checklist would need to vary with the context. Conversely, the AA definition is exactly as open-ended as it needs to be to properly demarcate the contextually sensitive nature of security. The case is comparable with definitions of moral rightness. Attempts to define the concept in substantive terms have without exception failed, with only comparably non-substantive contenders such as ‘the act we desire to desire’ or ‘the act having the best consequences’ gaining partial support by moral theorists.Footnote 38 With some concepts, there is just too little descriptive content to find a substantive definition which supplies necessary and sufficient conditions for a concept. Even if the morally right act also is the kind act, sometimes refraining from kindness and instead be just constitutes the morally right thing to do. And as the arguments above have attempted to show, the analogue case goes for the CIA properties, as well as other substantive features that often, but not always, are conducive for security. While security has more descriptive content than the paradigmatically ‘thin’ concept of moral rightness—in the AA definition explicated by the appropriate access to an object (information)—the argument is that attempting to add more substantive properties to the AA definition will invalidate it, making it susceptible to the same kind of counter-examples as that used against the CIA definition in the previous section.

Indeed, the seemingly vacuous nature of the AA definition is what enables it to fit with the varying needs of different stakeholders. This rests on the previous analysis of the failures the CIA definition. Part of the problem for the CIA definition was the attempt to claim that all systems require retaining the same properties. Thus, the suggestion is that a correct definition of information security needs to be just as ‘non-substantive’ as the AA definition in order to avoid suffering from counter-examples.

Returning to the argument against the usefulness of the AA definition it is important to point out that while AA is a definition and not, in itself, a method for enhancing security, it can still be of help in the security analysis. In order to be useful not only for grasping the concept but for enhancing the security of an organisation, one needs to operationalize the definition. That is always the case, but due to its explicitly open-ended nature—which is needed, in order to get the correct demarcation of security—this is clear from the start when it comes to the AA definition. The AA definition states that information security is a matter of giving the appropriate access to every piece of (an) information (system). In order to understand what that means in relation to some particular organization, one need to analyse the system in context; an analysis that needs to be adapted to the specific stakeholder’s purposes for some information (system). In performing such an analysis it can be helpful to not only think in terms of which access-relations that are appropriate, but equivalently to think about who is the appropriate (or inappropriate) agent for specific purposes (both for humans and technical entities), what just the appropriate access entails for these agents, and what the relevant parts of the information (or system) is, to which these agents should have the appropriate access.Footnote 39 Also, by considering security in terms of the AA definition this enables the unification of both the technical side of information security and the softer side of security under one definition, because appropriate access is operationalized relative to all relevant aspects (i.e. both technical and soft issues). It is instructive to compare the flexibility and analytically open-ended nature of the AA definition with the CIA definition in this respect. Since most people in the field are already familiar with the CIA triad, one may get the impression that it is sufficiently operationalized and ready to go. On proper investigation, however, is clearly not the case. How should we, for example, assess the balance between the central properties confidentiality, integrity and availability? The problem here is not that the actual CIA definitions are varying,Footnote 40 but that regardless, it needs to be modified in practice. As previously discussed (and recognized by professionals), the individual CIA goals potentially conflict with each other, e.g., a too large focus on confidentiality can hamper availability.Footnote 41 In practice this is solved by operationalizing the CIA definition in accordance with the needs of some particular stakeholder. For example, the intelligence services might focus on confidentially, while for many Internet services availability might be more important. But the fact that one can solve these problems does not save the CIA definition, since no CIA definition can include a proper priority between the properties of the CIA triad (because the priorities differ between various systems).Footnote 42

Objection: giving up CIA is detrimental to current practices. The second type of criticism relates to the above discussion; many working in the technical field of computer science will probably say that they will never give up the notion of CIA, since it provides a both helpful and familiar tool for analysing information security. But this criticism is in fact off the mark, since what is disputed in this paper is not the importance of the CIA triad. What is disputed is the CIA triad interpreted as a definition of the state of secure information. Thus, this does not mean that the AA definition should completely replace the CIA triad when analysing security. The proposal is that the AA definition should replace the CIA definition, but that the CIA triad can, and should, still be used under the AA definition, in the sense that they point to important aspects of retaining information security (valid for many systems, even if not for all).

One way of expressing this is that the AA definition provides the benefit of being able to utilize the insights that the CIA triad represents, without the problems coming from attempting to use them as a definition of information security. The AA definition is completely compatible with CIA insights, and for all those systems for which it is purposefully applicable, the AA definition can be operationalized to cover this. To illustrate: the concept of confidentiality is about who should have access to what—the appropriate ‘who’ to the particular ‘what’ (i.e. just the appropriate access). Availability puts requirements on what just the appropriate access ought to be for all or for some specific agents, e.g., timely and reliable (if applicable for the needs of some specific stakeholder), and integrity demands that information and system are only accessed in such a way that integrity remains (which for different systems could mean very different things and thus needs to be operationalized accordingly; however, all such operationalisations can be done in terms of what is just the appropriate access). Thus, also from a pro CIA triad perspective, the AA definition is able to harbour all relevant aspects of information security.

Objection: the CIA definition can be saved by modifying the list of properties. While this is easily said, it is very hard to picture in actuality. Simply adding more properties or aspects—as is sometimes suggestedFootnote 43—will not suffice, since, as has already been argued, the CIA definition is both too broad and too narrow. The actual base properties of Confidentiality, Integrity and Availability would have to be modified as well. Here, the proof is in the pudding, naturally, but there is good reason to be sceptical to such a strategy on general grounds. The problem is not a lack of certain properties, but that the definition is neither open-ended enough making it insufficiently ‘flexible’ to properly adjust to contextual difference, nor are the properties of the adequate type for analytical correctness, since it conflates security breaches with the consequences thereof (because the properties are the type of properties that may, for some systems, be reasons for protecting security, rather than being the demarcation of security as such). More importantly: what the previous counter-examples aimed to show (beyond the fact that the CIA properties are neither necessary, sufficient, nor analytically correct) is that there is a contextual normative nature of security that cannot be defined by descriptive properties that hold for any information (system), since this varies with the information, system, and stakeholder. Thus, it is concluded that information security must be defined normatively, as the AA definition does.

One suggestion then would be to complement CIA by normative properties. Dhillon and Backhouse’s principles of RITE (responsibility, integrity, trust and ethicality) have been suggested as addition to CIA in order to address security in organizations, “without which future organizations are doomed”.Footnote 44 But Dhillon and Backhouse seem to suggest RITE given that organisations become less and less hierarchical. Thus, RITE is invented for a specific kind of organisation rather than as properties that can be generally applied. Indeed, while RITE bring forward important principles, they are hardly necessary. Think of an organized crime organization. Their basis for information security is probably based on fear, revenge, and, perhaps, loyalty. Thus, while RITE is hardly applicable to organized crime organizations, the AA definition is applicable to any organization (since it can be relativized to any stakeholder) and can deal with any of the perspectives (further examples of this will be presented in the next section). Thus, the idea of adding properties—intended to cover the soft issues of information security—will end up with the same kind of problems as CIA in itself, for it is highly unlikely that there are substantial and yet necessary properties humans should have that are suitable for the security purposes of any stakeholder.

What the AA definition does by supplying a more open-ended characterisation is to put both soft and hard issues under one definition. Using the AA definition, i.e. operationalizing it for your purposes, entails a unified characterisation of secure information rather than, as when attempting to modify the CIA definition, to add two distinctly different kinds of goals, or subsume soft issues under hard issues.

Further Arguments for the AA Definition

We will now turn to more direct and positive arguments for the AA definition. It has previously argued that there needs to be a proper relation between the analysis of security breaches and the definition of security. Furthermore, it has been shown that the CIA definition lacks such a relation, since it is unable to demarcate between secure and insecure states when these are differentiated by soft issues. A strong feature of the AA definition is that it is not merely a list of properties to retain or goals to achieve, but that it can be used for analytical purposes to understand potential security risks, and then operationalize it accordingly.Footnote 45 It will now be shown how the AA definition may be applied for such purposes, with a particular focus on how to incorporate soft issues. This will be done by returning to the well-known case of Edward Snowden and the NSA. For space reasons, as well as argumentative reasons (to stop potential factual disagreements from getting the points across), the discussion will closely align to the previously discussed idealized version of the story. The discussion will begin with two of the properties of RITE.Footnote 46

Integrity/ethicality. The general story of Snowden/NSA is quite well-known, despite the fact that many particulars remain unknown. As described previously: before collecting and leaking hundreds of thousands of documents Snowden reported to some officials the problems with the illegal, highly privacy invasive activities of NSA. Given the available information, the non-action of these officials gives important clues as to his reasons for leaking the information. In the following discussion the aim is not to ethically assess these events in terms of moral rightness and wrongness. The aim is to show that considerations about ethics and values can play a constitutive part in security breaches (indeed, as will be argued, it was the moral convictions of Snowden, in conjunction with his willingness to act, that resulted in, and was constitutive of, the leak).

Now, the simple analysis is that Snowden leaked information because his ideals conflicted with those of NSA.Footnote 47 Snowden thought that what NSA was doing was wrong. A central aspect of the operationalization of the AA definition is the question of what kind of agent that is appropriate for a certain access-relation to a certain piece of information (or, e.g., which access relation that is appropriate for that agent). Accordingly, had NSA analysed the situation using the AA definition in relation to the contextual data they had available, they might have concluded that Snowden was not the appropriate kind of agent (because he was behaving inappropriately given the perspective of NSA). On the other hand, if one applies the perspective of another stakeholder on the issue, e.g., the perspective of many Americans (and others), it seems as if he was exactly the appropriate kind of agent: exposing their security infringements was relative to these stakeholders the appropriate thing to do. In a nutshell, it was this inherent ethical conflict that led to, and was partly constitutive of, this very famous security breach.Footnote 48

In order to understand this ethical conflict it may be illustrative to consider an example where the perspectives are more clearly diametrical. Take the cold war setting of US and Soviet and consider some secret US information that a spy has acquired, with the goal of selling it to the Soviet Union. Is the information secure? Well, that depends on what perspective one takes. From the US perspective the information is not secure, but would again be if it is retaken and the spy is, e.g., eliminated. On the other hand, from the Soviet perspective the information would be secure if they can retrieve it from the spy. This value-conflict is fairly obvious, but what is interesting about the Snowden/NSA situation was that this value-conflict was not external (as in the US/Soviet case) but it was an internal conflict within the organization. Thus, there was a goal conflict within the organization that motivated an agent (Snowden) to act contrary to what is appropriate for the stakeholder (NSA).

The AA definition can be used to expose security risks due to such value conflicts, because it allows one to reason from various perspectives (relative to different stakeholders) and what would be just the appropriate access according to the perspective of this or that stakeholder. Once one has operationalized the AA definition in accordance with the perspective of a certain stakeholder, e.g., that of NSA,Footnote 49 then one can see if that perspective risks conflicting, e.g., with the moral perspectives of their employees, consultants, or external agents. Such a value-conflict is not necessarily a security breach, which arguably also would require a willingness to act. But any conflict with the operationalization of the AA definition shows a security risk (a threat or a vulnerability—the difference is for this discussion irrelevant), e.g., that people may choose to act on other goals (e.g., efficiency or privacy) if fully motivated to do so (which in the case of Snowden obviously was the case). Thus, one may conclude that the AA definition is useful for exposing security risks and therefore avoid potential security breaches. The actual demarcation hangs on the conflict being substantial enough to be a cause for action. This is in itself a complex philosophical issue, which has to be discussed elsewhere.Footnote 50 However, this brings up the next pro-argument concerning the AA definition’s relation to analysis.

Exposing false trade-offs. The ethical dilemma shows yet another interesting problem that the AA definition can expose; false trade-offs. Now, consider the fact that Snowden reported what he saw as problematic to some supervisor, and that his reports were ignored. One might think that NSA opted for security over privacy, i.e. that there was a trade-off between the privacy (i.e. the privacy of the American people) and the information security of NSA. Admittedly, it is actually slightly more complicated since the goal of the trade-off is public safety or national security. In this trade-off it is reasonable to argue that information security (mainly in terms of the secrecy of the spy programs) were a means to this end, since by keeping the program secret it is reasonable to think that it takes less of an effort to defend against measures that the adverse parties (e.g., potential terrorists) do not know of. As previously noted, it was this secrecy that Snowden took conflict with (see fn. 47).

On closer analysis, what seemed to be a trade-off was not a proper trade-off. When Snowden reported the privacy problems to NSA it is likely that they thought a trade-off between privacy, or a right to consent, and secrecy (i.e. information security of their spy programs) was possible. However, a successful trade-off depends on one value actually being traded for another value—in this case the right of the public to consent to privacy invasive activities for increased security via secrecy. But, while NSA did trade-away the people’s right to consent/privacy it is clear that they did not get any increased information security by secrecy in return. Since their actions caused an information security (secrecy) risk, a risk which was also actualized. Arguably, Snowden leaked hundreds of thousands of documents because NSA failed to act on his reports; something he most likely would have refrained from doing, had NSA taken satisfactory measures to protect the privacy (of the American people) and/or given the public a chance to consent. Thus, not all trade-offs are successful. In particular, NSA’s trade-off between privacy and security failed to some extent; specifically, what failed was that part of the trade-off, or that specific trade-off, which focused on increased security through secrecy for a decrease (infringement, or violation) of the people’s privacy and/or their right to consent.

The problem is that when NSA traded privacy (and the public’s right to consent) for security (and security via secrecy), they did not trade-away the ethical conflict, and this ethical conflict was part of Snowden’s reasons for leaking the documents (i.e. it was substantial enough to be a cause for his actions). Consequently, the trade-off between privacy/consent and security via secrecy was a false trade-off that ended up creating a security risk that in fact was actualized. Generally, one needs to realize that actions that are ethically loaded will carry their own security risks.

These are the kind of risks that the AA definition can expose, since if one operationalizes the AA definition in accordance with what presumably would be just the appropriate access for NSA, then the appropriate kind of agent is one that submits to such ethicalities (one that shares their priorities). The purpose of this example is not to judge the morality of NSA’s action. However, it is clear that the example concerns an ethical grey zone—or a moral dilemma—which was a problem for their information security. In fact, one can conclude that how they dealt with the value conflicts of the situation was an important part of what caused the security breach.Footnote 51

A general problem with these ethical dilemmas is that employees may, or they may not, be sensitive to them (and there is of course a risk that the latter category may also be insensitive to other ethical or moral issues). There are no general ways to trade off (or trade away) ethically loaded issues without having such effects on security. Since there is no simple way to trade between ethical considerations and security, if one wants to solve the effects on security due to ethical conflicts, then the conflicts as such must instead be solved. A virtue of the AA definition is that such conflicts can be identified by considering the various possible perspectives different agents could have as stakeholders, and analyse if security on those perspectives conflicts too severely with the perspective of the actual stakeholder.

Analysing different perspectives. From the discussion above, it can be concluded that if NSA would have operationalized security in terms of the AA definition, and analysed the situation from all relevant perspectives (e.g., by considering Snowden’s perspective), then they would most likely have identified a security breach within NSA, since Snowden was obviously not the appropriate kind of agent for NSA (and thus that he had access he should not have).Footnote 52

Consequently, one of the benefits of the AA definition is that it offers one definition that is suitable for any perspective, concerning the state of security. Thus, the AA definition is not only a better definition than the CIA definition because it properly demarcates information security, and is sufficiently fundamental; it is also a better starting-point for studying the security from any perspective. This is because the AA definition matches any proper analysis of a security breach. Thus, used properly, the AA definition promises to be helpful not only for security viewed as a technical problem, but also for studies of the soft issues of information security that do not need to use CIA as a comparative measurement.Footnote 53

The AA definition may be utilised as a way to make comparisons between individuals and organization in order to analyse security risks, relevant cultural issues and other central security notions. By comparing conceptualization of the AA definition from different perspectives (including both malicious and non-malicious agents) one can also discover, e.g., weaknesses, ways to improve security, or unnecessary security measures. Since the AA definition allows any perspective to be operationalized, it is a far better starting-point than the CIA definition. Furthermore, if one is interested in studying, e.g., how security perspectives varies in organizations, how such variation relates to overall organizational culture, or how it deviates from the organization’s security goals, the AA definition is a not only a superior definition but of more fundamental use in the analysis of information security.

Lastly, while space reasons have not permitted any further development of such an analysis in this paper, it should be clear from the examples given above that the analysis of, and possible resolution to, the conflicts between privacy and security, or different perspectives on security, can be helped by the AA definition. Thus, its virtues extend well beyond the direct applications discussed here.


It has been demonstrated that the CIA definition is susceptible to certain counter-examples, which shows that its supposed necessary properties aren’t necessary, that it does not sufficiently recognize that security needs vary with the context, that it incorrectly conflates security breaches with its consequences, and that the CIA definition simply doesn’t match up with the proper analyses of security breaches and incidents. Hopefully, it has been shown that these problems are serious enough to abandon CIA as a definition.

The open-ended nature needed in order to have a definition that is fundamental enough to capture the phenomenon cannot be on the detailed level of the CIA definition. The CIA definition is not flexible enough to deal with every situation and the varied requirements from different information, systems or organizations. It neither does, nor can, include human effects on security in a proper manner into the definition, especially not in a way that analytically identifies what the breach is, or when it occurs; nor does it supply necessary reasons for having security.

The AA definition, on the other hand, captures the notion of security of information both in terms of demarcation and in terms of explanatory salience (relating properly to analysis of security breaches and incidents). Its open-endedness guarantees its temporally stability, since future changes to the underlying properties of a system which enhances, or decreases, security will only affect the operationalisations of the AA definition, not the definition as such, irrespective of how radical such future changes may be. Also, the AA definition is flexible enough to deal with all possible situations, the soft issues, and the varied requirements of different information, systems, or organizations. It is concluded that rather than trying to patch the CIA definition to become a proficient definition, the AA definition should replace the CIA definition as the definition of secure information, while the CIA properties should be perceived instead as a useful (albeit fallible) rule of thumb for identifying important security aspects. The AA definition enables studies of the soft issues of security—including, e.g., humans, organizations, culture, ethics, policies, and law—by being a definition that recognizes all fundamental elements of security.Footnote 54 It thus bridges the divide between the hard (‘technical’) side of security and the soft side security, supplying one definition that encompasses all perspectives and is useful for any relevantly related security purpose. Lastly, a further virtue of the AA definition is that it is helpful beyond analysis of pure security issues, such as conflicts between privacy and security.