There are multiple reasons for this:
- The triad is incomplete. This leads to information security goals being overlooked.
- The triad is ambiguous. (Not based on an operational definitions). This makes of communication of information security goals difficult or even impossible. A video on the same.
- There is no agreement on the triad definition. (Page 4), This leads to communication barriers and undesirable variance in performance. Quite a few alternatives have arisen.
- The three reasons above have been proven by falsification.
- You can't use the triad to measure security. This prevent the triad from being used to manage security, there are other ways to measure security.
- The triad is not a triad. Check slide 32.
- Read even more about in the ISSA Journal.
If you still believe the CIA triad is correct or useful in any way, try passing the O-ISM3 Test.