
DIC/DICP Criteria: The Pillars of Cybersecurity Explained

The DIC/DICP criteria — Availability, Integrity, Confidentiality and Proof — form the foundation of any cybersecurity strategy. Understanding and applying these principles means ensuring the continuity, trust, and compliance of your organisation.

In a world where every company depends on its information system, cybersecurity is no longer an option. It has become a true pillar of business continuity and of trust between partners, clients and employees. But where should one begin when aiming to effectively protect data?

The answer often comes down to three letters: DIC for Availability, Integrity, Confidentiality – and its extended version DICP, which adds the dimension of Proof. These criteria are to cybersecurity what foundations are to a building: invisible to many, but absolutely essential to avoid collapse.

In this article, we will look in detail at the meaning of the DIC/DICP criteria, their strategic importance, their links with current regulations and, above all, the concrete way in which a CISO, CIO or executive can integrate them into a risk management approach.

Definition of DIC/DICP Criteria

The DIC criteria represent the three main pillars of information security. They provide a framework for analysing the robustness of an information system.

  • Availability consists of ensuring that information remains accessible when authorised persons need it. A simple server failure can paralyse a production line or interrupt a critical service.
  • Integrity ensures that data does not undergo unauthorised alterations. Whether it is an invoice, a contract or a patient record, any undue modification can undermine an organisation’s credibility.
  • Confidentiality protects information against unauthorised access. It is the foundation of the protection of industrial secrets, client databases or medical data.

Over time, a fourth criterion has emerged: Proof. It is no longer sufficient to protect information; one must also be able to demonstrate what was done, by whom and at what time. This traceability has become essential during audits, investigations or disputes.

In summary: DIC protects, DICP protects and demonstrates.

Why are the DIC/DICP Criteria Essential in Cybersecurity?

When a CISO or an executive questions the security of their organisation, the DIC/DICP criteria make it possible to ask the right questions: Are my data available in the event of an incident? Can I trust their accuracy? Who has access to them? And finally, am I able to provide proof of my actions?

These questions are anything but theoretical. They are directly linked to economic performance and to the trust an organisation inspires. Prolonged unavailability can cost millions of euros in lost revenue. A breach of confidentiality can destroy a reputation built over years. As for the absence of proof, it can leave an organisation defenceless against regulatory sanctions or litigation.

This is why the DIC/DICP criteria are at the heart of regulations. The GDPR insists on the integrity and confidentiality of personal data. ISO 27001 structures its methodology around availability, integrity and confidentiality. The NIS2 directive highlights the resilience and availability of essential services. Finally, the DORA regulation, which applies to the financial sector, strongly emphasises the notion of proof and traceability.

Concrete Illustrations for CISOs and Executives

To fully understand the scope of the DIC/DICP criteria, nothing is more telling than real-life examples:

  • In the industrial sector, a supervision server that fails brings an entire production line to a halt. This is an availability issue that can generate delays, contractual penalties and significant financial losses.
  • In a hospital, a ransomware attack exposing patient records violates the confidentiality of medical data. The consequences go far beyond the technical scope: patient trust and the institution’s reputation are directly at stake.
  • In banking, a financial transaction modified by malware illustrates a breach of integrity. Even an error of a few cents undermines the trust placed in payment systems.
  • In the public sector, the traceability of votes during an electronic ballot demonstrates the importance of proof. Without reliable logs and digital signatures, the result of the vote could be contested.

These cases show that the DIC/DICP criteria are not reserved for specialists: they directly concern executive management and influence overall company strategy.

How to Measure and Evaluate the DIC/DICP Criteria?

Knowing the criteria is not enough: one must also be able to evaluate them. In practice, two approaches coexist.

  • The qualitative approach. It consists of assessing the level of criticality of an asset by asking, for example, whether the impact of its unavailability would be low, medium or high. This method has the merit of simplicity and facilitates discussions with business units.
  • The quantitative approach. It seeks to estimate the financial or operational impact of a breach of availability, integrity, confidentiality or proof. How much would one day of production stoppage cost? What revenue loss would a client data breach entail? These questions provide quantified arguments to convince management.

In practice, a good evaluation exercise combines both. One starts from a simple criticality grid, then enriches the analysis with figures whenever possible. The important thing is to prioritise actions on assets presenting the highest risks, rather than getting lost in excessive complexity.
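As an added illustration of the combined approach (example code, not Egerie's own): a minimal criticality grid that rates each asset low/medium/high on the four DICP criteria, enriches it with euro figures where they exist, flags ratings that the figures contradict, and ranks assets so the highest risks are treated first. The assets, ratings, figures and re-rating thresholds are all constructed for the example.

```python
# Added example (not Egerie's code): a minimal DICP criticality grid.
# Each asset is rated low/medium/high per criterion (qualitative pass) and,
# where a figure exists, carries a euro estimate per criterion (quantitative
# pass); all assets, ratings, figures and thresholds below are constructed.
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}
CRITERIA = ("availability", "integrity", "confidentiality", "proof")
RERATE_ABOVE = {"low": 10_000, "medium": 100_000}  # assumed EUR thresholds

@dataclass
class Asset:
    name: str
    ratings: dict                                    # criterion -> level
    euro_impact: dict = field(default_factory=dict)  # criterion -> EUR at stake

def qualitative_score(asset):
    """Sum of the four levels, 4 (all low) to 12 (all high); each must be rated."""
    if any(asset.ratings.get(c) not in LEVELS for c in CRITERIA):
        raise ValueError(f"{asset.name}: every DICP criterion needs a rating")
    return sum(LEVELS[asset.ratings[c]] for c in CRITERIA)

def quantified_exposure(asset):
    """Euros at stake across the criteria that have a figure (0 if none)."""
    return sum(asset.euro_impact.values())

def rerating_candidates(asset):
    """Criteria whose euro figure contradicts a low or medium rating."""
    return [c for c, euros in asset.euro_impact.items()
            if asset.ratings[c] in RERATE_ABOVE and euros > RERATE_ABOVE[asset.ratings[c]]]

def prioritise(assets):
    """Rank by qualitative score, then by quantified exposure, highest first."""
    return sorted(assets, key=lambda a: (qualitative_score(a), quantified_exposure(a)), reverse=True)

SAMPLE_ASSETS = [  # constructed sample inventory
    Asset("SCADA supervision server",
          dict(availability="high", integrity="high", confidentiality="low", proof="medium"),
          {"availability": 250_000}),    # one day of production stoppage
    Asset("Client CRM",
          dict(availability="medium", integrity="medium", confidentiality="high", proof="medium"),
          {"confidentiality": 400_000}), # notification costs and client churn
    Asset("Internal wiki",
          dict(availability="low", integrity="low", confidentiality="medium", proof="low"),
          {"availability": 30_000}),     # figure contradicts the "low" rating
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_ASSETS):
        print(a.name, qualitative_score(a), quantified_exposure(a), rerating_candidates(a))
```

The wiki's 30,000 EUR availability figure exceeds the assumed threshold for a "low" rating, so it is reported as a re-rating candidate: the quantitative pass challenges the qualitative grid rather than simply decorating it.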

Link with Standards and Regulations

The DIC/DICP criteria are so universal that they are found in most standards and regulations. ISO 27001 explicitly refers to availability, integrity and confidentiality. The GDPR, in its article 32, requires the protection and integrity of personal data. The NIS2 directive insists on the availability and resilience of essential services. Finally, the DORA regulation, which applies to the financial sector, highlights the ability to provide proof, particularly in the event of incidents.

For a CISO, this means that by aligning risk analysis with the DIC/DICP criteria, a wide compliance perimeter is automatically covered. In other words, a single well-conducted approach makes it possible to simultaneously meet several legal or normative requirements.

Integrating DIC/DICP into a Risk Management Approach with Egerie

This is where a platform like Egerie brings real value.

Rather than relying on theoretical lists, Egerie makes it possible to concretely model the impacts linked to availability, integrity, confidentiality and proof. Critical assets are identified, risk scenarios are simulated, and each DIC/DICP criterion can be automatically assessed.

The results are presented in clear dashboards. A CISO can thus show the executive committee which threats weigh on business continuity and how much they could cost. Traceability is integrated natively: every stage of the analysis is documented, facilitating audits. Finally, automation significantly reduces the time spent on risk management, leaving more room for decision-making.

Best Practices to Strengthen DIC/DICP in an Organisation

Strengthening security around the DIC/DICP criteria is based on a few fundamentals. Employee awareness remains the first line of defence: a trained employee better identifies phishing attempts or risky behaviours. Availability is ensured by reliable and regularly tested backups. Encryption protects both the confidentiality and integrity of sensitive data. Strict access management — applying the principle of least privilege — reduces the risk of intrusion. Finally, traceability relies on the use of reliable event logs, indispensable for guaranteeing proof.

These practices should not be seen as mere technical constraints, but as genuine investments in resilience and business sustainability. The DIC/DICP criteria provide a clear framework for prioritising actions, strengthening compliance and building lasting trust with clients and partners.

To go further, Egerie enables you to concretely model your risks according to the DIC/DICP criteria and to manage your security priorities. Request a demo and discover how to transform these principles into strategic levers for your organisation.

FAQ on the DIC/DICP Criteria

What is the difference between DIC and DICP?

DIC includes Availability, Integrity and Confidentiality. DICP adds the notion of Proof, essential for traceability and compliance.

What are the risks if a criterion is neglected?

Unavailability leads to operational losses, a breach of integrity undermines trust, a violation of confidentiality exposes the organisation to sanctions, and a lack of proof makes defence difficult in the event of litigation.

How can the DIC/DICP criteria be applied in practice?

By identifying critical assets, assessing their exposure to each criterion, and implementing appropriate measures such as backups, encryption, strict access management and traceability.

Which tools make it possible to monitor these criteria?

Risk management platforms such as Egerie facilitate continuous assessment and monitoring according to the DIC/DICP criteria.
