In 1991, John McCumber created a model framework for establishing and evaluating information security (information assurance) programs, now known as The McCumber Cube. This security model is depicted as a three-dimensional Rubik's Cube-like grid.
The premise of the model is that, in developing information assurance systems, organizations must consider the interconnectedness of all the factors that affect them. To devise a robust information assurance program, one must consider not only the program's security goals (see below), but also how those goals relate to each state in which information can reside in a system, and the full range of available safeguards that must be weighed in the design. The McCumber model is a reminder to consider every important design aspect without becoming too focused on any one of them (e.g., relying exclusively on technical controls at the expense of the policies and end-user training that are also required).
Dimensions and attributes
Security goals
- Confidentiality: assurance that sensitive information is not intentionally or accidentally disclosed to unauthorized individuals.
- Integrity: assurance that information is not intentionally or accidentally modified in such a way as to call its reliability into question.
- Availability: ensuring that authorized individuals have timely and reliable access to data and other resources when needed.
Information states
- Storage: data at rest (DAR) in an information system, such as data held in memory or on magnetic tape or disk.
- Transmission: transferring data between information systems; also known as data in transit (DIT).
- Processing: performing operations on data in order to achieve a desired objective.
Safeguards
- Policy and practices: administrative controls, such as management directives, that provide a foundation for how information assurance is to be implemented within an organization (examples: acceptable use policies, incident response procedures); also referred to as operations.
- Human factors: ensuring that the users of information systems are aware of their roles and responsibilities regarding the protection of those systems and are capable of following standards (example: end-user training on avoiding computer virus infections or recognizing social engineering tactics); also referred to as personnel.
- Technology: software- and hardware-based solutions designed to protect information systems (examples: anti-virus, firewalls, intrusion detection systems).
According to John McCumber's website, the idea is to push back against treating security as an art and to support it with a structured methodology that works independently of how technology evolves. The basis of this methodology is the inter-relationship of confidentiality, integrity and availability with storage, transmission and processing, while applying policy and practices, human factors and technology.
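The model's practical use is as a coverage check: each of the 27 (goal, state, safeguard) cells should be addressed by at least one control, and a gap count per dimension exposes a program that leans on one safeguard type. The following is an added example, not code from the article or from McCumber; the control inventory and its cell tags are constructed sample data.

```python
# Added example: gap analysis over the 27 cells of the McCumber Cube.
from itertools import product
from collections import Counter

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "transmission", "processing")
SAFEGUARDS = ("policy", "human_factors", "technology")

# Every cell of the cube: (goal, state, safeguard) -> 3 x 3 x 3 = 27 cells.
ALL_CELLS = frozenset(product(GOALS, STATES, SAFEGUARDS))

# Constructed sample inventory; each control maps to the cells it addresses.
SAMPLE_CONTROLS = {
    "full-disk encryption": {("confidentiality", "storage", "technology")},
    "TLS on all services": {("confidentiality", "transmission", "technology"),
                            ("integrity", "transmission", "technology")},
    "HA cluster + backups": {("availability", "storage", "technology"),
                             ("availability", "processing", "technology")},
    "anti-virus/EDR": {("integrity", "processing", "technology")},
    "acceptable use policy": {("confidentiality", "storage", "policy")},
}

def coverage(controls):
    """Return (covered_cells, uncovered_cells) for a control inventory."""
    covered = set()
    for cells in controls.values():
        unknown = cells - ALL_CELLS   # reject tags that are not cube cells
        if unknown:
            raise ValueError(f"not a cube cell: {unknown}")
        covered |= cells
    return covered, ALL_CELLS - covered

def gaps_by_dimension(uncovered):
    """Count uncovered cells per safeguard type, goal and state; a high count
    for one safeguard shows the program over-relies on the others."""
    return {
        "safeguard": Counter(c[2] for c in uncovered),
        "goal": Counter(c[0] for c in uncovered),
        "state": Counter(c[1] for c in uncovered),
    }

if __name__ == "__main__":
    covered, uncovered = coverage(SAMPLE_CONTROLS)
    print(f"{len(covered)}/{len(ALL_CELLS)} cells covered")
    for dim, counts in gaps_by_dimension(uncovered).items():
        print(dim, dict(counts))
```

With the sample inventory, all nine human-factors cells and eight of nine policy cells are uncovered, which is exactly the technology-only bias the model warns against.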