Lesson 1 of 13
The three promises
Explain what security actually protects — that data stays secret, true, and available.
01 · Learn · the idea
Picture your bank account on a screen. For it to feel safe, three different things all have to be true at once, and most people never notice they are separate. No one else can see your balance. No one can quietly change it. And it is there for you the moment you log in. Take away any one of those, and the account is not secure — even if the other two are perfect. That split is the foundation of this whole course, so we start there.
“Secure” is a vague word until you split it
People say a system is “secure” as if it were one thing, like a locked door. It isn’t. Security is really three promises, and they fail in different ways for different reasons.
Professionals call them confidentiality, integrity, and availability. Plain English: keep it secret, keep it true, keep it there. Almost every attack you will ever read about is an attack on one of these three. Almost every defence protects one of them. Once you can name which promise is under threat, the rest of the subject stops being a fog of jargon and becomes a short list.
Keep it secret (confidentiality)
The first promise is that only the right people can read the data.
Your medical records, your messages, your password, your card number — these are supposed to be visible to you and the people you allow, and to no one else. When confidentiality breaks, a secret leaks: someone reads what they were never meant to see. Nothing has to be changed or destroyed. The harm is simply that a private thing became known.
This is the promise most people picture when they think “hacked” — data spilling out. But it is only one of the three.
Keep it true (integrity)
The second promise is that the data cannot be changed without permission, and that any change you do make is the change that sticks.
Imagine someone could not read your bank balance but could secretly edit it — move your money, add a payee, change one digit. They never saw a secret. They broke integrity instead: they altered the truth. A medical record with one wrong number, a contract with a quietly swapped clause, a software update with a hidden line added — all integrity failures.
Integrity is the quiet one. A leak gets noticed. Tampering can sit unseen for months, because the system still looks normal — it is just telling a lie.
Keep it there (availability)
The third promise is that the data and the service are there when you need them.
A balance that is perfectly secret and perfectly true is still useless if the site is down and you cannot reach your money. Availability is about access on demand. It breaks when a service is knocked offline, when files are locked away from their owner, or when a system is flooded with so much fake traffic that real users can’t get in.
People underrate this one because nothing is stolen and nothing is changed. But for a hospital, an airport, or a payment network, being down is the disaster. The data was safe. It just wasn’t reachable.
A worked example: one balance, three ways to fail
Hold your bank balance in mind and break each promise in turn.
Confidentiality fails: an attacker reads your statement. They now know what you earn and where you shop. They changed nothing — but the secret is out.
Integrity fails: an attacker adds a payee and moves £500. They may never have read your old statements. They altered the truth, and the number on the screen is now a lie.
Availability fails: the bank’s site is flooded and crashes on payday. Your money is secret and correct and completely out of reach for six hours.
Same account, three completely different harms, three completely different defences. Encryption protects the secret. Checks and signatures protect the truth. Backups and spare capacity protect the access. You cannot buy “security” in one box, because there is no one box — there are three.
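The same three failures as an added Python example (not part of the original lesson; the key, the account name and the function names are made up for illustration). A tag computed over the record catches a changed digit, a second copy keeps the balance reachable, and neither of them hides the balance from a reader, because secrecy needs encryption, a separate defence.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample key, held only by the bank

def seal(record):
    """Store a record with an HMAC-SHA256 tag computed over its exact bytes."""
    body = json.dumps(record, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(KEY, body, hashlib.sha256).hexdigest()}

def verify(copy):
    """True only if the body still matches the tag made when it was sealed."""
    expected = hmac.new(KEY, copy["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, copy["tag"])

def read_balance(copies):
    """Try each stored copy in order; return (status, record, rejected_count).

    A copy that is None is unreachable (availability); a copy whose tag does
    not match has been altered (integrity) and is skipped, never trusted.
    """
    rejected = 0
    for copy in copies:
        if copy is None:
            continue
        if not verify(copy):
            rejected += 1
            continue
        return "ok", json.loads(copy["body"]), rejected
    return "unavailable", None, rejected

def visible_to_reader(copy):
    """What anyone holding a copy can read: the tag hides nothing."""
    return json.loads(copy["body"])

# Constructed sample data: one account, one quietly edited digit.
original = seal({"account": "constructed-001", "balance_gbp": 1200})
forged = dict(original, body=original["body"].replace(b"1200", b"1700"))

if __name__ == "__main__":
    print(visible_to_reader(forged))           # looks like a normal record
    print(read_balance([forged, original]))    # edit caught, backup served
    print(read_balance([forged, None]))        # nothing trustworthy to serve
```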
Why this is the floor under everything
Every later lesson is really about one of these three promises.
When we talk about passwords and two-factor logins, we are protecting the secret and the truth — keeping the wrong person from reading or changing your things. When we talk about encryption and the padlock in your browser, we are protecting confidentiality on a line someone might be listening to. When we talk about ransomware locking your files, that is an attack on availability and integrity at once. When we talk about backups, that is the availability promise, kept in reserve.
So whenever you meet a new threat or a new tool in this course, ask the one question that organises everything: which promise is this about? Keep it secret, keep it true, keep it there. That question will carry you a long way.
On the whole
Security is not a wall and not a product. It is three promises, held at the same time, each one fragile in its own way and defended by its own tools. A system is only as secure as the weakest of the three.
And you are inside this system, not above it — every account you hold is a small bundle of these three promises, kept partly by companies you will never meet and partly by you. Seeing them as separate is the first humble step. You stop asking the useless question “is this secure?” and start asking the useful ones: secret from whom, true against what, available when it matters.
02 · Try · the lab
03 · Check · quick quiz
1. An attacker secretly reads thousands of customers' private messages but changes nothing and takes nothing offline. Which promise did they break?
- Integrity — they altered the truth
- Confidentiality — they read what they shouldn't
- Availability — they blocked access
- None — nothing was stolen or changed
Answer
Confidentiality — they read what they shouldn't — Confidentiality is 'keep it secret' — only the right people can read the data. Reading private messages breaks it even though nothing was changed or destroyed. A secret becoming known is the harm by itself.
2. A hospital's records are perfectly private and perfectly accurate, but a flood of fake traffic crashes the system and staff can't open any file during an emergency. Which promise failed?
- Confidentiality — a secret leaked
- Integrity — a record was changed
- Availability — the data wasn't there when needed
- All three failed equally
Answer
Availability — the data wasn't there when needed — Availability is 'keep it there' — access on demand. Nothing was read or altered, so confidentiality and integrity held. But the data was unreachable when it mattered most, and for a hospital that is the disaster.
3. Why is breaking integrity often more dangerous than a simple leak?
- Because changing data is harder to do than reading it
- Because a leak gets noticed, while quiet tampering can sit unseen because the system still looks normal
- Because integrity is the only promise that matters
- Because leaks never cause real harm
Answer
Because a leak gets noticed, while quiet tampering can sit unseen because the system still looks normal — A leak is visible — the secret is out and someone notices. Tampering can hide for months because the system keeps working; it is just telling a lie. That silence is what makes a changed record so dangerous.