Availability, or the big “A” is often the overlooked corner of the CIA triad. Perhaps a contributing factor is the common belief among security professionals that if data is not available, it is secure.  Corporate executives have a different opinion, as downtime carries with it a hefty price tag. While today’s corporate risk assessment certainly involves the aspect of availability, it is focused on redundancy, not on security.  Penetration tests, a result of the corporate risk assessment, also fail to test on availability security.  In fact, pen testing and vulnerability scanning contracts specifically avoid any tests which might cause degradation of service, often leaving these vulnerabilities unknown until it’s too late.  Availability is commonly handed off to be addressed by network engineering to design and build resilient networks.  Common risk mitigations in this arena include redundant power, internet links, routers, firewalls, web farms, storage, and even geographic diversity with use of hot, warm and cold data centers.  You get the picture; there is a ton of money invested in building network infrastructure to meet corporate availability requirements.