Assessing and Managing Security Risk in IT Systems: A Structured Methodology

Assessing and Managing Security Risk in IT Systems: A Structured Methodology builds upon the original McCumber Cube model to offer proven processes that do not change, even as technology evolves. This book enables you to assess the security attributes of any information system and implement vastly improved security environments.
Part I delivers an overview of information systems security, providing historical perspectives and explaining how to determine the value of information. This section offers the basic underpinnings of information security and concludes with an overview of the risk management process.
Part II describes the McCumber Cube, providing the original paper from 1991 and detailing ways to accurately map information flow in computer and telecom systems. It also explains how to apply the methodology to individual system components and subsystems.
Part III serves as a resource for analysts and security practitioners who want access to more detailed information on technical vulnerabilities and risk assessment analytics. McCumber details how information extracted from this resource can be applied to his assessment processes.

288 pages, Hardcover

First published June 15, 2004

3 people are currently reading
28 people want to read

About the author

John McCumber

26 books, 7 followers
John McCumber is a Distinguished Professor and Chair of the UCLA Department of Germanic Languages. He received his Ph.D. in Philosophy and Greek from the University of Toronto. Prior to his tenure at UCLA, Prof. McCumber taught at Northwestern University, The Graduate Faculty of the New School for Social Research, and the University of Michigan–Dearborn.

Ratings & Reviews

Community Reviews

5 stars: 1 (16%)
4 stars: 3 (50%)
3 stars: 1 (16%)
2 stars: 1 (16%)
1 star: 0 (0%)
Displaying 1 - 2 of 2 reviews
Andre
409 reviews, 14 followers
April 8, 2018
The concept of the McCumber cube does provide a useful abstraction and lens with which to decompose information security. However, I think 200 pages to elaborate on it is a bit excessive. There is a lot of repetition of material, some of it verbatim from chapter to chapter. A 20-30 page paper would be all you need to really dig into the concept *and* the application of it to both assessment and architecture.

One emphasis of the book that I did appreciate was the need for consistent language in the information security profession. It's a sentiment shared by me, and others whose work I respect, e.g. Jack Jones and Jack Freund and their work on FAIR.

The other emphasis I appreciated was the need to discover the information flows. This leads to where information is stored, transmitted and processed. It is reminiscent of value stream mapping from the manufacturing/Lean/TMS school of thought.

All in all a solid idea, but it just doesn't have the legs to fill a 200-page book. But I will be taking the McCumber cube concept and baking it into my approaches to work.