SECURITY CONCEPTSUsing ModelsIntroduction: Understanding, Selecting, and Applying Models Understanding AssetsLayered Security Using Models in Security Security Models for Information Systems Shortcomings of Models in SecuritySecurity in Context Reference Defining Information SecurityConfidentiality, Integrity, and Availability Information AttributesIntrinsic versus Imputed Value Information as an Asset The Elements of Security Security Is Security Only in Context Information as an Asset Introduction Determining Value Managing Information Resources ReferencesUnderstanding Threat and Its Relation to Vulnerabilities Introduction Threat Defined Analyzing Threat Assessing Physical Threats Infrastructure Threat IssuesAssessing Risk Variables: The Risk Assessment Process Introduction Learning to Ask the Right Questions about RiskThe Basic Elements of Risk in IT Systems Information as an Asset Defining Threat for Risk ManagementDefining Vulnerabilities for Risk Management Defining Safeguards for Risk ManagementThe Risk Assessment Process THE McCUMBER CUBE METHODOLOGYThe McCumber CubeIntroduction The Nature of InformationCritical Information Characteristics Confidentiality IntegrityAvailability Security MeasuresTechnology Policy and Practice Education, Training, and Awareness (Human Factors) The Model ReferencesDetermining Information States and MappingInformation Flow Introduction Information States: A Brief Historical Perspective Automated Processing: Why Cryptography Is Not SufficientSimple State Analysis Information States in Heterogeneous Systems Boundary Definition Decomposition of Information StatesDeveloping an Information State MapReference Decomposing the Cube for Security Enforcement Introduction A Word about Security PolicyDefinitions The McCumber Cube Methodology The Transmission StateThe Storage State The Processing StateRecap of the MethodologyInformation State Analysis for Components andSubsystemsIntroduction Shortcomings of Criteria Standards for Security AssessmentsApplying the McCumber Cube Methodology for ProductAssessments Steps for Product and Component Assessment Information Flow Mapping Cube Decomposition Based on Information States Develop Security Architecture Recap of the Methodology for Subsystems, Products, andComponentsReferencesManaging the Security Life CycleIntroduction Safeguard Analysis Introduction Technology SafeguardsProcedural Safeguards Human Factors SafeguardsAssessing and Managing Security Risk in IT SystemsVulnerability-Safeguard Pairing Hierarchical Dependencies of Safeguards Security Policies and Procedural Safeguards Developing Comprehensive Safeguards: The Lessons of the Shogun Identifying and Applying Appropriate SafeguardsComprehensive Safeguard Management: Applying theMcCumber Cube The ROI of Safeguards: Do Security Safeguards Have a Payoff?Practical Applications of McCumber Cube AnalysisIntroduction Applying the Model to Global and National Security IssuesProgramming and Software DevelopmentUsing the McCumber Cube in an Organizational InformationSecurity Program Using the McCumber Cube for Product or Subsystem AssessmentUsing the McCumber Cube for Safeguard Planning and Deployment Tips and Techniques for Building Your Security Program Establishing the Security Program: Defining You Avoiding the Security Cop Label Obtaining Corporate Approval and Support Creating Pearl Harbor FilesDefining Your Security PolicyDefining What versus HowSecurity Policy: Development and ImplementationReference SECTION III APPENDICESVulnerabilities Risk Assessment MetricsDiagrams and TablesOther Resources

John McCumber