A CRCnetBASE Product
Table of Contents
Assessing and Managing Security Risk in IT Systems: A Structured Methodology
John McCumber
SECURITY CONCEPTS

Using Models

  • Introduction: Understanding, Selecting, and Applying Models
  • Understanding Assets
  • Layered Security
  • Using Models in Security
  • Security Models for Information Systems
  • Shortcomings of Models in Security
  • Security in Context
  • Reference
Defining Information Security
  • Confidentiality, Integrity, and Availability
  • Information Attributes
  • Intrinsic versus Imputed Value
  • Information as an Asset
  • The Elements of Security
  • Security Is Security Only in Context
Information as an Asset
  • Introduction
  • Determining Value
  • Managing Information Resources
  • References
Understanding Threat and Its Relation to Vulnerabilities
  • Introduction
  • Threat Defined
  • Analyzing Threat
  • Assessing Physical Threats
  • Infrastructure Threat Issues
Assessing Risk Variables: The Risk Assessment Process
  • Introduction
  • Learning to Ask the Right Questions about Risk
  • The Basic Elements of Risk in IT Systems
  • Information as an Asset
  • Defining Threat for Risk Management
  • Defining Vulnerabilities for Risk Management
  • Defining Safeguards for Risk Management
  • The Risk Assessment Process

THE McCUMBER CUBE METHODOLOGY

The McCumber Cube

  • Introduction
  • The Nature of Information
  • Critical Information Characteristics
  • Confidentiality
  • Integrity
  • Availability
  • Security Measures
  • Technology
  • Policy and Practice
  • Education, Training, and Awareness (Human Factors)
  • The Model
  • References
Determining Information States and Mapping Information Flow
  • Introduction
  • Information States: A Brief Historical Perspective
  • Automated Processing: Why Cryptography Is Not Sufficient
  • Simple State Analysis
  • Information States in Heterogeneous Systems
  • Boundary Definition
  • Decomposition of Information States
  • Developing an Information State Map
  • Reference
Decomposing the Cube for Security Enforcement
  • Introduction
  • A Word about Security Policy
  • Definitions
  • The McCumber Cube Methodology
  • The Transmission State
  • The Storage State
  • The Processing State
  • Recap of the Methodology
Information State Analysis for Components and Subsystems
  • Introduction
  • Shortcomings of Criteria Standards for Security Assessments
  • Applying the McCumber Cube Methodology for Product Assessments
  • Steps for Product and Component Assessment
  • Information Flow Mapping
  • Cube Decomposition Based on Information States
  • Develop Security Architecture
  • Recap of the Methodology for Subsystems, Products, and Components
  • References
Managing the Security Life Cycle
  • Introduction
Safeguard Analysis
  • Introduction
  • Technology Safeguards
  • Procedural Safeguards
  • Human Factors Safeguards
  • Vulnerability-Safeguard Pairing
  • Hierarchical Dependencies of Safeguards
  • Security Policies and Procedural Safeguards
  • Developing Comprehensive Safeguards: The Lessons of the Shogun
  • Identifying and Applying Appropriate Safeguards
  • Comprehensive Safeguard Management: Applying the McCumber Cube
  • The ROI of Safeguards: Do Security Safeguards Have a Payoff?
Practical Applications of McCumber Cube Analysis
  • Introduction
  • Applying the Model to Global and National Security Issues
  • Programming and Software Development
  • Using the McCumber Cube in an Organizational Information Security Program
  • Using the McCumber Cube for Product or Subsystem Assessment
  • Using the McCumber Cube for Safeguard Planning and Deployment
  • Tips and Techniques for Building Your Security Program
  • Establishing the Security Program: Defining You
  • Avoiding the Security Cop Label
  • Obtaining Corporate Approval and Support
  • Creating Pearl Harbor Files
  • Defining Your Security Policy
  • Defining What versus How
  • Security Policy: Development and Implementation
  • Reference
SECTION III APPENDICES

Appendix A Vulnerabilities

Appendix B Risk Assessment Metrics

Appendix C Diagrams and Tables

Appendix D Other Resources
