
NAME MARYAM KHALIL ENROLL 01-135202-037

Bahria University, Islamabad Campus


Department of Computer Sciences
Information Security
Assignment-4
(Spring-2022 Semester)

Course: Information Security Date: 15-06-2022


Submitted Date: 22-06-2022
Faculty’s Name: Dr. Kashif Naseer Qureshi Max Marks: 10

Q. No. 1. Discuss the following McCumber model in detail and make a complete policy with the
help of this model for IT company. (All policies should be clear and in bullet forms)

Introduction
The McCumber Cube model was reported as further research by McCumber in 1991 for Information Systems
Security (INFOSEC), which has since grown into Information Assurance (IA) because of today's rapidly
changing information environment. The model has become popular because it helps IA professionals
develop IT and IS knowledge, and it is widely used for information system security assessment across
organizations. For instance, the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) adopts
the cube as its criteria (Maconachy et al. 2001). This report therefore breaks down the methodology of
the McCumber Cube, which consists of three broad dimensions: Information States, Critical Information
Characteristics, and Security Measures. The report also describes several benefits of the cube, both
for an individual and at the scale of an organization.

Information States
To make the idea easy to understand, McCumber (1991) drew a simple analogy between information and the
compound H2O, which is essential to humankind. As a liquid, water can sustain life in the desert or
drown an individual; as steam, it can help people cook yet also burn a chef; as ice, it can make a drink
more pleasant yet also ruin an airport runway. Therefore, science does not deal with the perception of
the compound, but with its state (McCumber, 1991). Just as H2O can be water, steam, or ice, information
can be in three states as well. At any given moment, information is being transmitted, stored, or
processed (McCumber, 1991). Those three states exist regardless of the media in which the information
occurs, and the differences between the states are fundamental to applying the model accurately.
Cryptography, for example, can be used to guard information while it is transferred through a computer
network and even while it is stored on magnetic media (McCumber, 1991).

Critical Information Characteristics


These characteristics of information represent the full range of security interests in an automated
environment. They can be adopted within any organization that shares information.

Confidentiality

Confidentiality has a pivotal role in the security policy for the information system. A security policy
is the set of rules that, given identified subjects and objects, determines whether a given subject can
gain access to a particular purpose (DOD85, cited in McCumber, 1991). In this case, individual end users
or groups are allowed to access only the limited data that the security policy permits them. In other
words, confidentiality is the assurance that access controls are implemented.

Integrity
Integrity means that assets can only be modified by authorized parties (PFL89, cited in McCumber,
1991). However, McCumber (1991) asserts a broader definition of integrity as a quality of information
that identifies how closely the data represent reality.

Availability
Availability is as crucial as the other critical information characteristics. It ensures that
information is available to authorized users when it is requested or needed.

Security measures
At this stage, we attempt to make sure that the critical information characteristics are well
maintained while information changes from one state to another.

Policy and practice

System security is not only a product that can be kept up to date over time. Where technology is
concerned, one has to keep up with it and always be aware of how it is changing. Thus, policy and
practice need to be established as checks and balances on the security solutions.

Education, Training, and Awareness


The final layer is prominent within the third dimension, because the rest of the characteristics depend
on the end users, who have to be educated in using the technology, understanding threats and
vulnerabilities, and increasing their awareness of how to protect information by following the
established policy and practice. This can be achieved through regular training.
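
One way to use the three dimensions described above when drafting a policy, as an added example that is not part of the original assignment: each control is tagged with the cube cells it addresses, and the cells left uncovered are reported. The control names are constructed for a hypothetical IT company, and "technology" is taken as the third security measure of McCumber's model alongside the two discussed above.

```python
from itertools import product

# The three dimensions of the cube; "technology" is the third security measure.
STATES = ("transmission", "storage", "processing")
CHARACTERISTICS = ("confidentiality", "integrity", "availability")
MEASURES = ("technology", "policy_and_practice", "education_training_awareness")
CELLS = list(product(STATES, CHARACTERISTICS, MEASURES))

# Constructed sample controls for a hypothetical IT company, each tagged with
# the (state, characteristic, measure) cells it addresses.
SAMPLE_CONTROLS = {
    "TLS for internal services": [
        ("transmission", "confidentiality", "technology"),
        ("transmission", "integrity", "technology"),
    ],
    "Disk encryption on laptops": [("storage", "confidentiality", "technology")],
    "Nightly backups with restore drills": [
        ("storage", "availability", "technology"),
        ("storage", "availability", "policy_and_practice"),
    ],
    "Quarterly access review policy": [
        ("storage", "confidentiality", "policy_and_practice"),
        ("processing", "confidentiality", "policy_and_practice"),
    ],
    "Phishing awareness training": [
        ("transmission", "confidentiality", "education_training_awareness"),
    ],
}

def coverage(controls):
    """Return {cell: [control names]} for every cell of the cube."""
    cover = {cell: [] for cell in CELLS}
    for name, cells in controls.items():
        for cell in cells:
            if cell not in cover:  # reject typos and unknown coordinates
                raise ValueError(f"{name!r}: {cell} is not a cube cell")
            cover[cell].append(name)
    return cover

def gaps(controls):
    """Cells that no control addresses, in cube order."""
    return [cell for cell, names in coverage(controls).items() if not names]

def gaps_by_measure(controls):
    """Count uncovered cells per security measure."""
    counts = {measure: 0 for measure in MEASURES}
    for _, _, measure in gaps(controls):
        counts[measure] += 1
    return counts
```

Running `gaps_by_measure(SAMPLE_CONTROLS)` on the constructed sample shows the policy leaning on technology while education, training, and awareness is almost entirely unaddressed.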

Benefits for Individuals


By examining the information security system cube, or McCumber Cube model, one is able to understand
how important the security system is in real life. Hoax information can also be avoided in the work
environment because one is mindful of integrity. Furthermore, individuals increase their risk
awareness, so threats and vulnerabilities can be reduced.

Benefits for Organizations


Certainly, all organizations want to keep their information well maintained and safe. Even a small to
medium business is unwilling to be a victim of information abuse. Thus, knowing the McCumber Cube
improves an organization's ability to reduce IS/IT risks, which can occur at any given time. Regarding
the critical information characteristics, starting with confidentiality, an organization that applies
high privacy finds it easier to control access to its information, so the risk of unwanted access that
can damage information within the organization can be reduced remarkably. Data integrity also helps an
organization ensure the reliability of the information it shares with the internal or external
environment. Ultimately, ensuring that information is available to be accessed at any time will improve
the organization's performance.

In terms of security measures, an organization that has cutting-edge technology in its work environment
also needs to attend to policy and practice, which help the organization adapt to rapidly changing
technology and information. Education, training, and awareness are imperative as well. End users can be
champions who improve system security if they are trained regularly, through which they gain awareness
and knowledge of the importance of IS/IT risks.

Conclusion
As can be seen from the information presented earlier, there are nine distinctive interstices, with
three aspects in each layer. The first element concerns the information states, in which information
can change among three states. The second is the critical characteristics of information, which should
be protected. The last is the security measures, which should enhance information security by
considering end users and the technology in which the information is located.
