Assessing and Managing Security Risk in IT Systems: A Structured Methodology
June 2004
Publisher:
  • Auerbach Publications
  • Imprint of Warren, Gorham and Lamont 31 St. James Avenue Boston, MA
  • United States
ISBN: 978-0-8493-2232-7
Published: 15 June 2004
Pages: 288
Abstract

Assessing and Managing Security Risk in IT Systems: A Structured Methodology builds upon the original McCumber Cube model to offer proven processes that do not change, even as technology evolves. This book enables you to assess the security attributes of any information system and implement vastly improved security environments.

Part I delivers an overview of information systems security, providing historical perspectives and explaining how to determine the value of information. This section offers the basic underpinnings of information security and concludes with an overview of the risk management process.

Part II describes the McCumber Cube, providing the original paper from 1991 and detailing ways to accurately map information flow in computer and telecom systems. It also explains how to apply the methodology to individual system components and subsystems.

Part III serves as a resource for analysts and security practitioners who want access to more detailed information on technical vulnerabilities and risk assessment analytics. McCumber details how information extracted from this resource can be applied to his assessment processes.

      Reviews

      S. V. Nagaraj

The objective of this book is to help the reader assess and manage security risks in information technology systems. The book makes use of a model known as the McCumber Cube model, which was developed by the author of this book. The goal of this model is to provide techniques that do not change if the underlying security technologies undergo transformation. The book is made up of three sections. The first section introduces information systems security, and includes historical perspectives and myths related to information systems. Emphasis is placed on how to find the worth of information. This section also looks at risk management. The author states that risk management is closely linked with the assessment and implementation of security. However, the author does not go deeply into these topics, but rather includes them in order to provide a perspective for using the McCumber Cube methodology.

The second section explains the McCumber Cube model, as defined in the original 1991 paper on the subject [1]. One face of the McCumber Cube deals with information states: transmission, storage, and processing. Another deals with security measures: human factors, policy and practices, and technology. The third face deals with critical information characteristics: confidentiality, integrity, and availability. This section also explains methods for mapping, in a precise manner, the information flow in telecommunications and computer systems. The application of the McCumber Cube methodology to subsystems and individual system components is also explained. The author extracts information from MITRE's Common Vulnerabilities and Exposures (CVE) library, and demonstrates its application to the McCumber Cube methodology.

The third section contains four appendices, and is concerned with technical vulnerabilities and risk management analytics. The first appendix addresses these vulnerabilities. The author claims that, although vulnerabilities and security exposures are at the heart of information security, they are not directly employed in the McCumber Cube methodology. This is because of their technology-centric nature. However, surprisingly, the author feels that the definitions and complete library of vulnerabilities in the MITRE CVE library have been well defined, and therefore any detailed analysis that excludes them would be wasteful, and possibly conflicting. This point is definitely debatable, and could have been better justified. At the outset, the author argues about the importance of avoiding a technology-centric approach, but, in the appendix, the exclusion of technology-centric approaches, such as vulnerabilities and exposures (as documented in the MITRE CVE library), is considered to be futile. The other three appendices include risk assessment metrics, diagrams and tables, and pointers to resources on the Internet. The diagrams and tables are intended to help the reader in assessing and deploying security in an organization.

The book is well written and informative, but, in some places, a circuitous approach is taken to highlight key ideas. Those who want a different perspective on information systems security should read this book.

Online Computing Reviews Service