Assessing & Managing Security Risk in IT Systems

Assessing & Managing Security Risk in IT Systems

The topic the author writes about in the book is the McCumber cube. It is a method or a framework for managing and assessing security breaches and risk in information technology systems. The security model is an advanced three-dimensional version of the Rubik grid that looked like a cube. The method used depends on the person implementing the system to identify the assets that information holds and then apply a deconstructed view point of risk management while maintaining the importance of the three critical information characteristics; integrity, availability and confidentiality.

The author aims to answer the question of whether there is a methodology for achieving maximum information security that functions without the consideration of the evolution of technology. By doing this, the author outlines an easy yet comprehensive method that guides the readers on how to analyze and mitigate information technology systems’ risks. The method depends on the interaction of the process of tracking information moving through the different states of storage, transmission, and processing; making decisions on the information security risks of procedures, technology and human interventions; and the laying of emphasis on information security characteristics of confidentiality, integrity, and availability.

The author describes a simple and thorough method that guides all information technology practitioners reading the book to correctly analyze and mitigate many problems associated with information technology systems. He gives extensive details on the application of concepts that are discussed within the Cube model though he does not discuss the technical implications.

McCumber first uses an approach that is centered on information. This is contrary to other methods that commonly use approaches that are centered on technology. The technology-centric approach is common in the market and is excellent in the evaluation of information systems’ risk. It is however unable to adapt to the ever changing technology. This leads to a high cost in maintenance of the system while trying to re-evaluate the system environment. McCumber’s approach, which is centered on information, is concerned with the assets attributed to information and the elements of technology along with the human factors, policies and procedures. All these are viewed as measures to be used to secure the assets. McCumber supports his creation by showing its relation to other information security approaches that are very independent of technology like Napoleon and his generals.

The Cube methodology reduces the recurring use of resources. The process does not require recurring replication; it is only required in the design and assessment phases of the creation of a security program. The subsequent use of the methodology is only required in cases where the environment of the information system has changed. The methodology also has the unique feature of reviewing the information system and considerably identifying the assets attributable to the information. The coverage of this methodology is quite comprehensive. This is because the method involves the identification of where the assets attributable to the information are related to the states of transmission, storage and processing.

A consideration to the availability, confidentiality and integrity needs for the entity is then done for each of the states of information. The outcome shall be a matrix that produces an eligible value of risk for the assets. The system developer shall then be required to put human factors, technology, procedures and policies into use for the mitigation of the risk. Information is always in the three states of transmission, storage and processing and the availability, confidentiality and integrity needs are always crucial in the information technology industry. The developer shall then be required to consider each state-characteristic combination fairly to achieve a comprehensive coverage for all security requirements.

The research methodology that was chosen involved the identification of information assets and identifying potential risks while putting into consideration the three vital information characteristics; integrity, confidentiality and availability. This method was able to cover a wide range of credible research information for the preparation of the findings and the whole research book.

An omission that the author made was the failure to fit the method with more specific definitions of types of attacks. The specific definitions should have been followed by specific ways to counter the attacks with the Cube methodology. The method should have also estimated the likelihood of these attacks happening and the countermeasures to be put against them. However, the lack of these countermeasures ideally suggests more risk for the information systems. McCumber also avoids the technical side of the information. He ignores the technical implications of the Cube methodology to prove the fact that it is independent of technological advances. The author has a bias on how he concentrates on the three dimensions of information characteristics, the security measures and information states.

I agree with the author’s methods and conclusions since it focuses on the provision of an information-centric methodology that concentrates on the relationship between the characteristics of communication and the security of computers. This is not affected by organizational or technological changes. I also agree with McCumber’s conclusions since they offer a simplified way of dealing with information security problems. McCumber’s research is narrowed down to the Cube, which is a three dimensional cube that focuses on the three dimensions of information on each side. One side highlights the information states, the other highlights the information characteristics while the third one highlights the security measures taken.

The three dimensional approach has three aspects of each major description and when all are coupled they provide a maximum-security base for any information system. What is a disadvantage of the method is that it avoids the major details of the implementation. However, the author discusses examples on the use of the model in organizational structures. The author introduces and offers an in-depth explanation on information system security and the Cube model.

The McCumber’s Cube offers a clear and concise understanding of information system security procedures, a topic that is highly complex. Moreover, the model’s focus on the information part of information technology alone, gives the model feasibility to be applied to other relevant topics apart from information security. Another disadvantage of the model is its lack of detailed information on implementation. This makes it difficult to use since it requires a system developer to first understand the method and then use it to develop an objective. This provides two extremes to the use of the method in an organization; it might be either a total success or a complete failure. Either outcome depends on the organization’s ability to understand the overall concept defined by the method.

The model, on the upside, can be used as a valuable tool to help assess an organizations ability to focus their resources. McCumber’s Cube offers a distinct and clear method of utilizing the three broad and important dimensions of information to mitigate the risks likely to occur in an information system. The model can be very useful to system developers and other schools of information technology interested in the topic of system risk mitigation. However, this can be the case if the parties study and clearly understand the model.