McCumber Cube: A Model illustrating the dimensions and principles of Cybersecurity

The below is an excerpt from a paper I wrote for my fundamentals of cybersecurity course

Dimensions and Principles of Cybersecurity

To help illustrate the concepts of establishing and evaluating security, the McCumber cube was created. The first dimension of this cube refers to the Principles of Cybersecurity. These principles are known to be Confidentiality, Integrity, and availability. Confidentiality refers to the prevention of unauthorized access to sensitive information. On the other hand, integrity refers to the process of maintaining the consistency, accuracy, and trustworthiness of information. Finally, the third principle is availability. Availability helps to ensure that the system’s users have timely and uninterrupted access to the information so long as they have the proper authorization. The second dimension of the McCumber cube deals with protecting data in various states. These states include processing, storage, and transmission. For example, data processing is about how data is used in performing operations such as record keeping. Transmission on the contrary alludes to data travelling from one system to another. Lastly, storage is about data not in motion. The third dimension of the McCumber cube pertains to methods that an analyst would use to safeguard data. These methods can refer to policy and procedures, user training, as well as technologies such as VPNs or firewalls. In summary the third dimension is focused on how one can mitigate risks using software technologies as well as education and policy.

Overall Security

When it comes to the overall security of an organization the objective of implementing cybersecurity policy is to maintain confidentiality, integrity, and availability. To help improve and enforce the security of systems it is important to protect these fundamentals. The first dimension of the McCumber Cube addresses these three principles. For example, an organization may choose to improve its security by requiring employees and other authorized individuals to use multi factor authentication when signing onto internal organizational systems like web portals. It is vital to maintain confidentiality, as a loss of confidentiality can be damaging to the reputation of the organization. For example, in January 2022 the international committee of the Red Cross suffered a severe data breach. “The breach resulted in the compromise of data on over 515,000 vulnerable people separated from their families due to conflict, migration, and other disasters “. (Ekran System, n.d). When operating with data, the end user must be confident that the data they are interacting with can be trusted. In practice this can be achieved by the principle of integrity. An example of this can be that “integrity is achieved when measures are put in place to ensure that email communication between a sales representative and a customer isn't intercepted and modified by an intruder when it's still in transit.” (study.com, 2021). Therefore, to improve the integrity of systems, organizations should invest in error detection software, encrypt sensitive information, and have clear backup and recovery procedures in place. The operations of an organization can be halted and result in both financial and non-financial losses if the availability of data is not secure. A Denial-of-service attack is one example of a loss of availability. In a Denial-of-Service attack, “attackers target systems, servers, or networks and flood them with traffic to exhaust their resources and bandwidth.” (Simpli Learn, Shruti M, 2022).

One situation that can consist of greater risks for an organization is when data is being processed or stored. The second dimension of the McCumber cube focuses on protecting data in a variety of states. For example, a bank is responsible for collecting both personal and financial information regarding its customers and may work with external organizations to perform background checks on potential customers. In 2017 the credit agency: Equifax suffered a major breach and the personal data of over one hundred million people was exposed. Even mundane tasks such as storing the annual rainfall in a city into a government database can result in data corruption. Therefore, it is vital to follow the third dimension of the McCumber cube and use technology such as firewalls and VPNs to safeguard information systems. However, technology cannot be the only solution a professional utilizes. First and foremost, leaders of organizations must establish procedures that outline information assurance and best practices. They must then communicate those guidelines to every member of the organization. Educating both new and experienced members of the organization is crucial as an alert staff can be the best line of defense against potential attacks. Defending systems is a challenging task. Fortunately, the McCumber cube is an important model for helping an organization achieve this task. Each dimension of the cube helps to secure a system. Whether it be educating employees, or protecting the state of data, the Cybersecurity cube provides a guideline to improve security.

Assured Operations

According to the Computer Security Resource Center, assurance is defined as a “Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.” (NIST n.d) Both end users as well as internal employees of an organization need to have confidence that the integrity, availability, and confidentiality of their data will be there. For example, you would not trust a health provider who did not take the proper steps to improve their security apparatus. An organization would also be unable to continue their operations smoothly if the data were corrupted either during storage or transmission. It is for this reason that the first dimension of Cybersecurity which constitutes the information security triad is an effective model for improving the security operations of an organization.

Confidentiality is a foundational principle that enables organizations to help keep their data more secure. Nothing in the concept of security is secure as systems can always be hacked or breached. However, steps can be taken to improve security. One way to achieve this is to implement encryption so that the contents of data can be hidden from unauthorized individuals. This is done using keys. An effective implementation of cybersecurity should ensure that unauthorized individuals do not have access to systems or data. In conjunction, individuals who are authorized should be given the appropriate privileges or rights to access information systems. Having access to data is not very useful if the data is not dependable or has been tampered with. Integrity of data should be maintained by making sure that the data is genuine, reliable as well as accurate. Encryption which helps to maintain confidentiality may also assist in improving the integrity of data. Another way to improve the integrity of the data is to use hashing. When you hash a file for example you produce a number that can be used to check whether the data inside has been modified. “Even if data is kept confidential and its integrity maintained, it is often useless unless it is available to those in the organization and the customers they serve.” (Fortinet, n.d). Whether it be power outages due to natural causes or a faulty server there are many ways that the availability of a system could be compromised. To improve the availability of a system companies should ensure that software data has been backed up as well as make sure that regular security updates are performed. It may also be beneficial to not only back up data on physical servers but to make use of cloud computing technology. Not only can cloud computing save an organization money, but it can also provide improved protection against server infrastructure theft or damage.

Conclusion

“Cybersecurity is the practice of deploying people, policies, processes and technologies to protect organizations, their critical systems and sensitive information from digital attacks” (Gartner n.d). Threats against information systems are both constant and ever changing. There is no one thing that an individual or an organization can do to be completely safe. On the other hand, the dimensions of the McCumber cube illustrate how one can improve the security of information system. The third dimension of the cube highlights how user education in conjunction with established frameworks can help to improve security. The first dimension of the cube along with its principles: confidentiality, integrity, and availability provide a check list to help keep systems more secure. Organizations should always be alert to what threats may appear in the future. Therefore prior to responding to threats they should prepare by designing their systems around prevention. They should upgrade the network infrastructure by making use of firewalls and manage identity access. Software should help aide employees in detecting threats. Most importantly, they should utilize their greatest tool and that is education. Periodically informing and ensuring that employees and customers are informed about the organization’s security policies as well as threats that may arise will help improve security tremendously. No one person can help keep information systems safe but collectively everyone can work to improve the security of an organization so that the confidentiality, integrity, and availability of data are not compromised.