Inquiry Question 1: How are secure systems designed?
Describe how the confidentiality, integrity and availability (CIA) triad is applied to the design of secure software
A focused answer to the HSC Software Engineering Module 1 dot point on the CIA triad. Confidentiality, integrity, availability, how each is enforced in a real system, the worked banking-app example, and the traps markers look for.
Reviewed by: AI editorial process; not yet individually human-reviewed
What this dot point is asking
NESA wants you to define the three pillars of the CIA triad and explain how each shapes the design of a secure software system. You also need to recognise breaches of each principle and identify which design controls (encryption, hashing, redundancy, access control) defend each one.
The answer
The CIA triad is the foundation of secure software architecture. Every other security control maps to one or more of these three principles.
Confidentiality
Only authorised users can read sensitive data. Mechanisms:
- Encryption in transit (TLS/HTTPS) prevents eavesdropping on network traffic.
- Encryption at rest (database-level or full-disk encryption) protects data if storage is stolen.
- Access control (authentication and authorisation) keeps users out of data they should not see.
Integrity
Data is not altered by unauthorised parties or by accident. Mechanisms:
- Cryptographic hashes (SHA-256) detect tampering with files or messages.
- Digital signatures prove a message came from a specific sender and was not modified.
- Input validation prevents malformed data from corrupting the database.
- Audit logs record every change so unauthorised modifications can be detected and traced.
Availability
Authorised users can access the system when they need it. Mechanisms:
- Redundancy (multiple servers, multiple data centres) survives hardware failures.
- Backups allow recovery after data loss.
- Rate limiting and DDoS protection prevent attackers from exhausting capacity.
- Monitoring and alerting catch failures before users notice.
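Rate limiting is the availability control on the list that is easiest to see in code. The following token-bucket limiter is an added example, not code from the page or from any named product: each client gets a bucket of `capacity` tokens that refills at `refill_per_sec`, and a request is served only if a token is available. The client identifiers, the traffic pattern and the injectable `clock` are constructed for the demonstration.

```python
import time
from typing import Callable, Dict


class TokenBucketLimiter:
    """Per-client token bucket.

    A client may burst up to `capacity` requests, then is held to an average of
    `refill_per_sec` requests per second. The clock is injectable so behaviour can
    be tested without sleeping (assumption: callers key clients by something the
    attacker cannot trivially change, e.g. an authenticated account id).
    """

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self._tokens: Dict[str, float] = {}   # tokens left per client
        self._last: Dict[str, float] = {}     # time of each client's last request

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        tokens = self._tokens.get(client_id, float(self.capacity))
        last = self._last.get(client_id, now)
        # Top the bucket up for the time elapsed since the last request, capped at capacity.
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill)
        self._last[client_id] = now
        if tokens >= 1.0:
            self._tokens[client_id] = tokens - 1.0
            return True
        self._tokens[client_id] = tokens
        return False


def flood_demo() -> dict:
    """Constructed traffic: one client fires 50 requests at once, retries 20 more three
    seconds later, while an unrelated client makes 3 normal requests."""
    t = [0.0]
    limiter = TokenBucketLimiter(capacity=10, refill_per_sec=2.0, clock=lambda: t[0])
    # RFC 5737 documentation addresses stand in for real client identifiers.
    burst_allowed = sum(limiter.allow("198.51.100.7") for _ in range(50))
    t[0] = 3.0                                   # three seconds pass: 3 * 2 = 6 tokens refill
    retry_allowed = sum(limiter.allow("198.51.100.7") for _ in range(20))
    user_allowed = sum(limiter.allow("203.0.113.9") for _ in range(3))
    return {
        "burst_allowed": burst_allowed,   # 10: the burst capacity, 40 requests refused
        "retry_allowed": retry_allowed,   # 6: only what refilled in three seconds
        "user_allowed": user_allowed,     # 3: the other client has its own bucket
    }


if __name__ == "__main__":
    print(flood_demo())
```

Two caveats a practitioner would add: the per-client dictionaries grow without bound unless idle entries are expired, and a limiter keyed on source address does nothing against a distributed flood from thousands of addresses, which is why the page lists DDoS protection (upstream filtering and absorbing capacity) as a separate control.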
Two common extensions: authenticity and non-repudiation
NESA asks you to reason about secure design, and two ideas often appear alongside the triad. Authenticity is the assurance that data and the parties communicating are genuine (verified by digital signatures and certificates), and it underpins both confidentiality (you encrypt to the right party) and integrity (you trust the source). Non-repudiation means a party cannot later deny having performed an action; it is delivered by signed audit logs and digital signatures, and it is essential in banking and legal systems. Mentioning these where relevant shows depth, but you must still ground every answer in the three core principles, because that is what the dot point names.
Mapping threats to the triad
A useful exam technique is to classify any incident by which principle it attacks. Eavesdropping, data theft and unauthorised viewing attack confidentiality. Tampering with records, malware that alters files and man-in-the-middle modification attack integrity. Denial-of-service floods, ransomware that locks files and hardware failure attack availability. Many real attacks hit more than one: ransomware breaches availability (files locked) and, if data is exfiltrated first, confidentiality too. Being able to name the affected principle and justify it is exactly the skill the short-answer questions test.
A schematic on the original page maps four common incident types onto the three pillars, showing that some incidents strike a single pillar while ransomware with data theft strikes two at once.
How they trade off
The three principles can conflict. Strong encryption (confidentiality) can slow down a system (availability). Strict access controls (confidentiality) can frustrate legitimate users. A real design balances the three against the system's threat model, the set of attackers and risks it must realistically defend against. A public blog weights availability highly and confidentiality lightly; a medical records system weights confidentiality and integrity above raw performance. Secure software design is the deliberate act of choosing where on these trade-offs a system should sit, then selecting controls to match.
Exam-style practice questions
Practice questions written in the style of NESA exam questions on this dot point, with worked answer explainers. The year tag is the paper they imitate, not the source.
2024 HSC (4 marks): Explain how the CIA triad applies to the design of an online banking application. Give one example of each principle.
Worked answer:
The CIA triad gives three security goals every secure system must address.
Confidentiality means only authorised users can read sensitive data. In an online banking app, account balances are encrypted in transit using HTTPS and encrypted at rest in the database. A logged-in user can see their own balance but not other customers' balances.
Integrity means data is not altered by unauthorised parties or by accident. The app records every transaction in an append-only ledger and uses cryptographic hashes to detect tampering. If a hacker tries to modify a transaction amount, the hash mismatch flags it immediately.
Availability means authorised users can access the system when they need it. The bank runs the app across multiple data centres with automatic failover so a power outage in one region does not bring down the service. Rate limiting prevents denial-of-service attacks from exhausting capacity.
Markers reward all three principles named correctly, one concrete banking-context example each, and at least one mechanism (encryption, hashing, redundancy) per principle.
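The integrity mechanisms listed under "The answer" (cryptographic hashes plus an audit log) and the banking answer's "append-only ledger" that flags a modified transaction amount describe the same design. The block below is an added example of that design, not code from the page: each ledger entry stores a SHA-256 hash over its own transaction and the previous entry's hash, so editing any past amount breaks the chain. The transaction data, account ids and class names are constructed for the demonstration.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64   # the chain starts from a fixed "nothing before this" value


def entry_hash(prev_hash: str, tx: dict) -> str:
    """SHA-256 over the previous entry's hash and this transaction in canonical JSON,
    so every entry commits to the whole history before it."""
    payload = prev_hash + json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    """Append-only transaction ledger: entries are added, never edited in place."""

    def __init__(self) -> None:
        self.entries: List[dict] = []   # each entry: {"tx": {...}, "hash": "<hex>"}

    def append(self, tx: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, tx)
        self.entries.append({"tx": dict(tx), "hash": h})
        return h

    def verify(self) -> Optional[int]:
        """Recompute the chain; return the index of the first entry that no longer
        matches its stored hash, or None when the ledger is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry_hash(prev, entry["tx"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def tamper_demo() -> tuple:
    """Constructed sample: three transfers, then two tampering attempts on the second."""
    ledger = Ledger()
    for tx in (
        {"id": 1, "from": "ACC-100", "to": "ACC-200", "amount": "50.00"},
        {"id": 2, "from": "ACC-200", "to": "ACC-300", "amount": "20.00"},
        {"id": 3, "from": "ACC-300", "to": "ACC-100", "amount": "5.00"},
    ):
        ledger.append(tx)
    intact = ledger.verify()                     # None: nothing wrong

    # Attempt 1: change the amount of transaction 2 (index 1) in the stored data.
    ledger.entries[1]["tx"]["amount"] = "2000.00"
    first_failure = ledger.verify()              # 1: entry 1 no longer matches its hash

    # Attempt 2: also recompute entry 1's hash to hide the edit.
    ledger.entries[1]["hash"] = entry_hash(ledger.entries[0]["hash"], ledger.entries[1]["tx"])
    next_failure = ledger.verify()               # 2: entry 2 was chained to the OLD hash
    return intact, first_failure, next_failure


if __name__ == "__main__":
    print(tamper_demo())
```

The second attempt shows why chaining matters: an edit that also fixes its own hash is still caught one entry later. It also shows the limit of hashing alone: someone who can rewrite every later hash as well would not be caught, so the current head hash has to live somewhere that writer cannot reach (write-once storage, or signed, which is where the digital signatures in the same list come in).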
2024 HSC Sample (3 marks): A hospital records system has been compromised. Patient records were viewed but not altered, and the system stayed online throughout. Which element of the CIA triad has been breached?
Worked answer:
The breach is of confidentiality only.
Confidentiality requires that sensitive data is accessible only to authorised users. Unauthorised viewing of patient records is a direct confidentiality breach, even though no data was altered or deleted.
Integrity has not been breached because the data has not been changed. Availability has not been breached because the system stayed online.
Markers reward correct identification of confidentiality, an explicit statement that integrity and availability were not breached, and reference to the criterion (unauthorised viewing of data).
Practice questions
Original practice questions graded from foundation to exam level, each with a full worked solution. Try them before revealing the solution.
Foundation (3 marks): Define the three principles of the CIA triad and state, for each, one word that describes what an attacker does when they breach it (e.g. 'reads', 'changes', 'blocks').
Worked solution:
Confidentiality: only authorised users can read sensitive data; an attacker breaching it READS data they should not see.
Integrity: data is not altered by unauthorised parties or accident; an attacker breaching it CHANGES data without authorisation.
Availability: authorised users can access the system when needed; an attacker breaching it BLOCKS or denies access.
Marking criteria: 1 mark per correctly defined principle with its matching attacker action, up to 3 marks.
Foundation (4 marks): A retail website is hit by three separate incidents in one week: (i) a database backup file left on a public server is downloaded by a stranger, (ii) a bug in a discount-code script lets a customer set any product's price to $0.01 in the database, (iii) a flash sale generates so much traffic the site returns errors to every visitor for two hours. Classify each incident against the CIA triad.
Worked solution:
(i) A stranger reading an exposed backup is a confidentiality breach: unauthorised viewing of data, nothing was changed or made unavailable.
(ii) A customer altering product prices via a bug is an integrity breach: data (the price) was changed without authorisation.
(iii) The site becoming unreachable under load is an availability breach: authorised customers cannot access the system when they need it.
Marking criteria: 1 mark per correctly classified incident (3 marks total), 1 mark for briefly justifying at least one classification with the correct definition.
Core (5 marks): A fitness-tracking app stores step counts, heart-rate data and payment details for its subscription. Propose one specific technical control for each CIA principle that suits this app, and justify why each control matches the sensitivity of the data involved.
Worked solution:
- Confidentiality: Encrypt payment details at rest with column-level database encryption and require the user to re-authenticate before viewing billing history; this matches the high sensitivity of payment data, which is a common target for theft.
- Integrity: Validate heart-rate and step-count values against physiologically plausible ranges (e.g. reject a heart rate of 400 bpm) before storing them, and hash daily summaries so tampering with historical fitness data is detectable; this matters because corrupted health data could mislead a user's training decisions.
- Availability: Run the sync service across at least two regions with automatic failover, since users expect their tracker to sync data immediately after a workout, and an outage during peak morning exercise hours would frustrate a large share of the user base at once.
Marking criteria: 1 mark for a specific (not generic) control per principle (3 marks total), 2 marks distributed for justifications that correctly link each control's strength to the actual sensitivity or usage pattern of that data type.
Core (4 marks): Explain why ransomware is often described as attacking more than one element of the CIA triad, using a specific scenario.
Worked solution:
Ransomware first encrypts a victim's files with a key only the attacker holds, which directly breaches availability: authorised users can no longer open or use their own files.
Many modern ransomware operations also copy sensitive files to an attacker-controlled server before encrypting them ("double extortion"), threatening to publish the stolen data if the ransom is not paid. This second step breaches confidentiality, because unauthorised parties have read data they should never have accessed.
For example, if a law firm's case files are encrypted and copied off-site, the firm loses access to its own files (availability) while client-privileged documents are simultaneously exposed to the attacker (confidentiality), showing a single incident can breach two principles at once.
Marking criteria: 1 mark for identifying the availability breach with correct reasoning, 1 mark for identifying the confidentiality breach (data exfiltration) with correct reasoning, 2 marks for a coherent worked scenario that ties both breaches to the same incident.
Core (4 marks): Describe non-repudiation and authenticity as extensions of the CIA triad, and explain why a bank would need both when processing a large electronic funds transfer.
Worked solution:
Authenticity confirms that a message or party is genuine, for example verifying that a funds-transfer instruction really came from the account holder's registered device, using a digital signature or certificate.
Non-repudiation ensures the account holder cannot later deny having authorised the transfer, typically by keeping a signed, tamper-evident audit log of the instruction and its authorisation.
A bank needs authenticity to stop a fraudster from impersonating the account holder in the first place, and non-repudiation so that if the genuine account holder later disputes a legitimate transfer, the bank can produce cryptographic proof the instruction was authorised by them, protecting the bank from false disputes and the customer from being blamed for a transfer they did not make.
Marking criteria: 1 mark for a correct definition of authenticity, 1 mark for a correct definition of non-repudiation, 2 marks for explaining why a bank specifically needs both in a funds-transfer context.
Exam (7 marks): Evaluate the security design of a small clinic's patient records system that currently: stores records unencrypted on a single on-premises server, requires only a shared staff password to log in, and has no backup. Recommend and justify one improvement per CIA principle, and explain which improvement should be prioritised first.
Worked solution:
This is an extended-response evaluate question: markers reward identifying weaknesses against the correct principle AND a justified priority order, not just a list of fixes.
- Confidentiality weakness and fix: A shared staff password means any staff member (or anyone who learns the shared password) can read every patient's record with no accountability; replace it with individual accounts and role-based access so nurses see only their ward's patients and administrators cannot view clinical notes, directly reducing unauthorised reading of sensitive data.
- Integrity weakness and fix: Unencrypted storage on a single server has no mechanism to detect tampering; add an append-only audit log with per-change hashes, so any unauthorised edit to a diagnosis or medication record is detectable and traceable to a specific account.
- Availability weakness and fix: A single on-premises server with no backup means a hardware failure, fire or ransomware attack could destroy all patient records permanently; implement automated, encrypted off-site backups on a daily schedule, with periodic restore testing.
- Priority: The confidentiality fix (individual accounts and RBAC) should be implemented first, because the shared password is actively exploitable right now by any current or former staff member with no detection possible, whereas the integrity and availability gaps, while serious, require a specific triggering event (an edit or a disaster) before harm occurs; removing the shared credential closes the widest and most immediate exposure.
Marking criteria: 1 mark per correctly diagnosed weakness matched to the right principle (3 marks), 1 mark per justified fix (3 marks), 1 mark for a reasoned priority order that compares likelihood/impact rather than asserting an order without justification.
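The confidentiality fix in this answer (individual accounts, role-based access, nurses scoped to their ward, administrators kept out of clinical notes, and every access attributable to an account) can be shown as a small policy check. This is an added example written for this page, not the clinic's system or any product's code; the roles, field names, patient records and usernames are constructed, and the choice that only nurses are ward-scoped is an assumption made to keep the demonstration to what the answer states.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class User:
    username: str
    role: str                 # "nurse" or "admin" (assumed role set)
    wards: FrozenSet[str]     # wards a nurse is assigned to; empty for admin


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    ward: str
    demographics: str         # name, date of birth, contact details
    clinical_notes: str       # diagnoses and medications


class AccessDenied(Exception):
    pass


# Explicit policy: which record fields each role may read. Nothing is readable
# just because a login succeeded, which is the gap a shared password leaves open.
FIELD_PERMISSIONS: dict = {
    "nurse": {"demographics", "clinical_notes"},
    "admin": {"demographics"},
}


class RecordsService:
    def __init__(self, records: List[PatientRecord]) -> None:
        self._records = {r.patient_id: r for r in records}
        self.audit_log: List[dict] = []   # every attempt, allowed or not, tied to an account

    def read(self, user: User, patient_id: str, field: str) -> str:
        record = self._records[patient_id]
        permitted: Set[str] = FIELD_PERMISSIONS.get(user.role, set())
        allowed = field in permitted
        # Ward scoping (assumption: applies to nurses only): a nurse sees only
        # patients on wards they are assigned to.
        if user.role == "nurse" and record.ward not in user.wards:
            allowed = False
        self.audit_log.append({"user": user.username, "patient": patient_id,
                               "field": field, "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{user.username} may not read {field} of {patient_id}")
        return getattr(record, field)


def attempt(svc: RecordsService, user: User, patient_id: str, field: str) -> bool:
    """True if the read succeeded, False if the policy refused it."""
    try:
        svc.read(user, patient_id, field)
        return True
    except AccessDenied:
        return False


def rbac_demo() -> dict:
    """Constructed clinic data: two patients on different wards, one nurse, one admin."""
    svc = RecordsService([
        PatientRecord("P-001", "ward-A", "Jane Citizen, DOB 1980-04-02", "Asthma, salbutamol PRN"),
        PatientRecord("P-002", "ward-B", "John Smith, DOB 1975-11-19", "Type 2 diabetes, metformin"),
    ])
    nurse = User("nurse.lee", "nurse", frozenset({"ward-A"}))
    admin = User("admin.kim", "admin", frozenset())
    outcome = {
        "nurse_own_ward_notes": attempt(svc, nurse, "P-001", "clinical_notes"),    # True
        "nurse_other_ward_notes": attempt(svc, nurse, "P-002", "clinical_notes"),  # False
        "admin_demographics": attempt(svc, admin, "P-002", "demographics"),        # True
        "admin_clinical_notes": attempt(svc, admin, "P-001", "clinical_notes"),    # False
    }
    # Accountability: refused attempts are logged against the named account.
    outcome["denied_entries"] = sum(1 for e in svc.audit_log if not e["allowed"])  # 2
    outcome["log_entries"] = len(svc.audit_log)                                    # 4
    return outcome


if __name__ == "__main__":
    print(rbac_demo())
```

The audit log is what the answer's "no accountability" point is about: with a shared password every entry would read the same, whereas here a refused attempt names the account that made it, which is also the hook the integrity fix (an append-only, hashed audit log) builds on.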
Exam (6 marks): Assess the claim that "availability is a reliability concern, not a security concern", using the CIA triad and at least one named attack type in your answer.
Worked solution:
A strong assess response takes a clear position, supported by the definition and a named attack, and briefly reconciles the counter-view.
- Position: The claim is false. NESA's CIA triad explicitly places availability alongside confidentiality and integrity as one of the three core goals of secure software design, because a deliberate attacker, not just a hardware fault, can just as easily deny access as they can steal or alter data.
- Evidence: A distributed denial-of-service (DDoS) attack deliberately floods a server with traffic from many compromised machines specifically to exhaust its capacity and make it unreachable for legitimate users; this is unambiguously a security incident, carried out by an adversary with intent, not a random hardware failure. Ransomware is a second example: it deliberately encrypts files to deny access until a ransom is paid, again a hostile act, not an accident.
- Reconciling reliability: It is true that ordinary reliability engineering (redundant servers, backups, monitoring) protects availability against both accidental failures AND deliberate attacks, which is why the two concerns share tooling; this overlap likely motivates the claim. However, the fact that the SAME defence also stops a hostile actor does not make availability any less a security property, since the triad is defined by what is being protected (uninterrupted access) and against whom (including deliberate attackers), not by which team implements the fix.
- Judgement: Availability is a genuine security concern because it has real adversaries with intent (DDoS operators, ransomware groups) who deliberately target it, even though the same controls also happen to improve ordinary reliability.
Marking criteria: 2 marks for a clear position with reasoning, 2 marks for at least one correctly explained named attack type demonstrating deliberate targeting of availability, 1 mark for engaging with the reliability counter-view, 1 mark for an explicit final judgement.
