McCumber Cube

In 1991, John McCumber created a model framework for establishing and evaluating information security (information assurance) programs, now known as the McCumber Cube. This security model is depicted as a three-dimensional, Rubik's Cube-like grid. The concept of this model is that, in developing information assurance systems, organizations must consider the interconnectedness of all the different factors that impact them. To devise a robust information assurance program, one must consider not only the security goals of the program (see below), but also how these goals relate specifically to the various states in which information can reside in a system, and the full range of available security safeguards that must be considered in the design. The McCumber model helps one remember to consider all important design aspects without becoming too focused on any one in particular (e.g., relying exclusively on technical controls at the expense of requisite policies and end-user training).


Dimensions and attributes


Desired goals

* Confidentiality: assurance that sensitive information is not intentionally or accidentally disclosed to unauthorized individuals.
* Integrity: assurance that information is not intentionally or accidentally modified in such a way as to call into question its reliability.
* Availability: ensuring that authorized individuals have both timely and reliable access to data and other resources when needed.


Information states

* Storage: data at rest (DAR) in an information system, such as data stored in memory or on a magnetic tape or disk.
* Transmission: transferring data between information systems, also known as data in transit (DIT).
* Processing: performing operations on data in order to achieve a desired objective.


Safeguards

* Policy and practices: administrative controls, such as management directives, that provide a foundation for how information assurance is to be implemented within an organization (examples: acceptable use policies or incident response procedures); also referred to as operations.
* Human factors: ensuring that the users of information systems are aware of their roles and responsibilities regarding the protection of information systems and are capable of following standards (example: end-user training on avoiding computer virus infections or recognizing social engineering tactics); also referred to as personnel.
* Technology: software- and hardware-based solutions designed to protect information systems (examples: anti-virus, firewalls, intrusion detection systems, etc.).


Motivation

Per John McCumber's website, the idea is to move security away from being practised as an art and to support it with a structured methodology that functions independently of technology evolution. The basis of this methodology is the inter-relationship of confidentiality, integrity and availability with storage, transmission and processing, while applying policy and procedures, the human side, and technology.


See also

* CIA Triad
* Defense in Depth (computing)


References

* McCumber, John. Assessing and Managing Security Risk in IT Systems: A Structured Methodology. Auerbach Publications, 1st edition (June 15, 2004).