Thursday, November 18, 2010

The McCumber Model

There have been many different methods proposed as a framework for information security.  One that makes the most sense to me is The McCumber Model (created by John McCumber).  The factors to consider are arranged in a cube, with each axis representing a different perspective on any information security problem and each axis having three primary components.  It ends up looking like a Rubik's cube: 27 little cubes all stacked together.

The three axes are: Desired Goals, States of Information, and Counter-measures.

By looking at an issue from the intersection of the three axes, you can be sure to consider every side of an information security problem.  Pick any of the 27 smaller cubes and think about the problem or concern from that perspective.

Desired Goals
When dealing with information, you have three goals:
  • Confidentiality.  Information should be accessible only to those who are authorized to see it.
  • Integrity.  Information should not be changed outside of proper processes.
  • Availability.  Information should be accessible when it is wanted.
A failure to meet any of these goals results in less-than-adequate outcomes and, at best, some very angry end-users.  Depending on the sensitivity of the information, a failure can have life-or-death consequences.

States of Information
Information exists in three different states of being:
  • Storage.  An inactive state of information hibernation - the information is waiting to be accessed.
  • Transmission.  Anytime information moves, it is in this state.
  • Processing.  When being actively examined or modified, information is in this state.
You can go so far as to compare these phases to the traditional states of matter (solid, liquid, and gas).  That actually makes sense to me - the fluidity and/or malleability of data fits this analogy quite well.  It's a fun thought experiment!

Counter-measures
Threats to the three desired goals are reduced or removed by three kinds of counter-measures:
  • Technology.  Using hardware or software to limit threats.
  • Policy & Practice.  Using procedures that mitigate risk or eliminate the possibility of threats.
  • Awareness, Training, & Education.  Giving each consumer of information the knowledge of how to identify and handle threats.
The closer a counter-measure gets to the actual end-user, the more effective it is.  For example, when countering the threat of viruses: virus scanners must be updated at least daily to stay effective (technology); company computers will not allow you to open attachments (policy & practice); and teaching every user on the network to open only attachments they are expecting, and to install only programs they have scanned, works the best (awareness, training, & education).
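One practical way to use the cube is as a coverage checklist: enumerate all 27 cells and ask which of your existing controls address each one, so the empty cells show where a goal is unprotected in a given state. The following script is an added example written for this post, not code from the original article or from John McCumber; the control inventory in it (disk encryption, TLS, backups, attachment blocking, phishing training) is a constructed sample, and the `Control`, `coverage` and `gaps` names are my own.

```python
from dataclasses import dataclass
from itertools import product
from collections import Counter

# The three axes of the McCumber cube, three components each (3 x 3 x 3 = 27 cells).
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "transmission", "processing")
COUNTERMEASURES = ("technology", "policy", "awareness")


@dataclass(frozen=True)
class Control:
    """One counter-measure in the inventory and the cube cells it addresses.

    goals/states: which desired goals and information states the control protects.
    kind: which counter-measure axis it belongs to (exactly one of COUNTERMEASURES).
    """
    name: str
    goals: frozenset
    states: frozenset
    kind: str

    def __post_init__(self):
        # Reject typos up front so a mislabelled control cannot silently hide a gap.
        unknown = (self.goals - set(GOALS)) | (self.states - set(STATES))
        if unknown or self.kind not in COUNTERMEASURES:
            raise ValueError(f"{self.name}: unknown axis value(s) {unknown or self.kind}")

    def covers(self, goal, state, kind):
        return goal in self.goals and state in self.states and kind == self.kind


def all_cells():
    """Every (goal, state, counter-measure) cell of the cube, in a fixed order."""
    return list(product(GOALS, STATES, COUNTERMEASURES))


def coverage(controls):
    """Map each cell to the names of the controls that address it (possibly none)."""
    return {cell: [c.name for c in controls if c.covers(*cell)] for cell in all_cells()}


def gaps(controls):
    """Cells no control addresses: the places the model says you have not looked yet."""
    return [cell for cell, names in coverage(controls).items() if not names]


def gaps_by_axis(controls, axis):
    """Count uncovered cells per value of one axis ('goal', 'state' or 'kind')."""
    index = {"goal": 0, "state": 1, "kind": 2}[axis]
    return Counter(cell[index] for cell in gaps(controls))


# Constructed sample inventory (hypothetical; not from the post).
SAMPLE_CONTROLS = [
    Control("full-disk encryption", frozenset({"confidentiality"}),
            frozenset({"storage"}), "technology"),
    Control("TLS on all services", frozenset({"confidentiality", "integrity"}),
            frozenset({"transmission"}), "technology"),
    Control("nightly backups with restore test", frozenset({"integrity", "availability"}),
            frozenset({"storage"}), "technology"),
    # The post's own example of a policy control: attachments cannot be opened at all.
    Control("attachment blocking", frozenset(GOALS),
            frozenset({"processing"}), "policy"),
    # And its awareness control: users open only attachments they expect.
    Control("phishing awareness training", frozenset({"confidentiality", "integrity"}),
            frozenset({"processing", "transmission"}), "awareness"),
]


if __name__ == "__main__":
    cov = coverage(SAMPLE_CONTROLS)
    for cell, names in cov.items():
        print(f"{cell[0]:15} {cell[1]:13} {cell[2]:11} -> {', '.join(names) or '<GAP>'}")
    print(f"\n{len(gaps(SAMPLE_CONTROLS))} of 27 cells have no control")
    print("gaps per goal:", dict(gaps_by_axis(SAMPLE_CONTROLS, "goal")))
```

Run as-is it prints the full 27-row grid and reports that the sample inventory leaves 15 cells empty; notably nothing at all protects availability in transmission, and the policy and awareness axes are thin everywhere except processing. Swapping in your own control list is the whole exercise: the script does not judge whether a control is good, only whether some control exists for each perspective the cube asks you to take.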

This method of analysis is becoming more useful in daily life every year.  When evaluating what information to put online, it helps to be able to think about these issues.  We live in the information age, and it behooves us all to continually be learning about what that means for us personally.
