The McCumber Cube is a model that helps analyze and assess the security aspects of information systems. This security model is depicted as a three-dimensional Rubik’s Cube-like grid. It consists of three dimensions:
Desired goals
- Confidentiality: assurance that sensitive information is not intentionally or accidentally disclosed to unauthorized individuals.
- Integrity: assurance that information is not intentionally or accidentally modified in such a way as to call into question its reliability.
- Availability: ensuring that authorized individuals have both timely and reliable access to data and other resources when needed.
Information states
- Storage: data held in an information system, such as data stored in memory or on a magnetic tape or disk.
- Transmission: transferring data between information systems – also known as data in transit.
- Processing: performing operations on data in order to achieve the desired objective.
Safeguards
- Policy and practices (also referred to as operations): administrative controls, such as management directives, that provide a foundation for how information assurance is to be implemented within an organization. Examples: acceptable use policies or incident response procedures.
- Human factors (also referred to as personnel): ensuring that the users of information systems are aware of their roles and responsibilities regarding the protection of information systems and are capable of following standards. Example: end-user training on avoiding computer virus infections or recognizing social engineering tactics.
- Technology: software- and hardware-based solutions designed to protect information systems. Examples: anti-virus, firewalls, intrusion detection systems, etc.
The McCumber Cube is a valuable tool for organizations to evaluate their overall information security posture by considering these three critical dimensions. It provides a comprehensive perspective on security, recognizing the importance of policies and practices, human factors, and technology in maintaining a secure environment.
Real-life usage examples
Assume that a security model is needed for the protection of written work (homework) assignments for this Information Security class you are taking. Assume that a written work assignment is:
- processed (created, formatted, prepared for submission) and stored on the student’s computer,
- transmitted (uploaded) to the Virtual Learning Environment,
- stored there,
- transmitted (downloaded) to the teacher’s computer,
- processed (checked) and stored there.
Below is a table showing how the McCumber Cube can be applied to this scenario. The table can be used as a template for performing information security tasks or designing an information system. Note that some rows are empty on purpose.
| No. | Intersection of | Identification of the cell | Controls |
| --- | --- | --- | --- |
| 1 | Confidentiality, Transmission, Human factors | Educational controls for the teacher and the student to protect the confidentiality of written work in transmission to and from the Virtual Learning Environment, while being transmitted from the student’s computer or to the teacher’s computer. | The student and the teacher should be trained to identify malicious websites that try to imitate the Virtual Learning Environment, and not to submit any sensitive data unless necessary. |
| 2 | Confidentiality, Transmission, Policy and Practices | Administrative controls to protect the confidentiality of written work while it is in transmission from the student’s computer to the Virtual Learning Environment (upload) and from the Virtual Learning Environment to the teacher’s computer (download). | Policy that students and teachers should upload/download written work only using the University VPN. |
| 3 | Confidentiality, Transmission, Technology | Technological controls to protect the confidentiality of written work while in transmission from the student’s and to the teacher’s computers in the Virtual Learning Environment. | Use of secure communication protocols like TLS 1.3. |
| 4 | Confidentiality, Storage, Human factors | Educational controls for the teacher and the student to protect the confidentiality of written work in Virtual Learning Environment storage. | Encouraging students and teachers to use up-to-date software on their devices to decrease the likelihood of malicious actions. |
| 5 | Confidentiality, Storage, Policy and Practices | Administrative controls to protect the confidentiality of written work while it is in storage in the Virtual Learning Environment. | Using data encryption algorithms for data at rest, like AES-256. |
| 6 | Confidentiality, Storage, Technology | Technological controls to protect the confidentiality of written work while in storage in the Virtual Learning Environment. | Implement strong multi-factor authentication for accessing the written work, so that only the student and the teacher can access this resource. |
| 7 | Confidentiality, Processing, Human factors | Educational controls for the student to protect the confidentiality of written work after work creation, but before uploading to the Virtual Learning Environment. | Educate (train) the student to sanitize written work files so that they don’t contain personal information (metadata). |
| 8 | Confidentiality, Processing, Policy and Practices | | |
| 9 | Confidentiality, Processing, Technology | Technological controls to protect the confidentiality of downloaded written work while processing on the teacher’s computer. | Implement a mechanism that checks whether downloaded work files contain any sensitive information and automatically removes it if they do. |
| 10 | Integrity, Transmission, Human factors | | |
| 11 | Integrity, Transmission, Policy and Practices | | |
| 12 | Integrity, Transmission, Technology | Technological controls to ensure the integrity of written work while in transmission from the student’s computer to the Virtual Learning Environment and to the teacher’s computer. | Implementing strong integrity checking of transmitted data using hash functions and checksums. |
| 13 | Integrity, Storage, Human factors | Educational controls for the teacher and the student to protect the integrity of written work while being stored by the student or the teacher on their respective computers. | Encouraging the student and the teacher to encrypt created/downloaded work files using archives with a predetermined password. |
| 14 | Integrity, Storage, Policy and Practices | | |
| 15 | Integrity, Storage, Technology | Technological controls to protect the integrity of written work while in storage on the student’s and teacher’s computers and in the Virtual Learning Environment. | A host intrusion detection system (HIDS), which would alert the student, the teacher, or the administrator of the Virtual Learning Environment when a written work file was modified or deleted. |
| 16 | Integrity, Processing, Human factors | | |
| 17 | Integrity, Processing, Policy and Practices | | |
| 18 | Integrity, Processing, Technology | | |
| 19 | Availability, Transmission, Human factors | | |
| 20 | Availability, Transmission, Policy and Practices | | |
| 21 | Availability, Transmission, Technology | Technological controls to ensure the availability of written work while in transmission from the student’s computer to the Virtual Learning Environment and to the teacher’s computer. | Using load balancing to ensure that loads are distributed evenly and, in case of failure, to switch to another working node. |
| 22 | Availability, Storage, Human factors | | |
| 23 | Availability, Storage, Policy and Practices | | |
| 24 | Availability, Storage, Technology | Technological controls to ensure the availability of written work while in storage in the Virtual Learning Environment. | Having a distributed storage system with redundancy and failover mechanisms. |
| 25 | Availability, Processing, Human factors | Educational controls for the teacher and the student to protect the availability of written work while being processed by the student or the teacher on their respective computers. | Educate (train) the student and the teacher on how to restore the written work if it got corrupted while being edited by them. |
| 26 | Availability, Processing, Policy and Practices | | |
| 27 | Availability, Processing, Technology | | |
Sources:
- https://en.wikipedia.org/wiki/McCumber_cube
- Easttom, Chuck – Computer Security Fundamentals, 4th Edition-Pearson IT Certification (2019)