The key resource of an information system is the information it generates, stores, processes and disseminates. Information security is the practice of defending this information from unauthorized or unlawful access, disclosure, disruption, modification, or destruction to ensure confidentiality, integrity, and availability (CNSS, 2010). ISO/IEC (2016) defines information security as: “The preservation of the confidentiality, integrity and availability of information. Furthermore, other properties may also be involved, such as authenticity, accountability, non-repudiation and trustworthiness.” The foundations of security rest on the three fundamental principles, or security attributes, of confidentiality, integrity and availability (Commission of the European Communities, 1991). Together these are called the CIA triad. Confidentiality is the property that prevents disclosure of information to unauthorized individuals, entities or processes. In addition to these three concepts, five additional attributes were included as an extension of the CIA triad: accountability, verifiability, authenticity, non-repudiation and privacy concern mechanisms to control access