Forget the Rubik’s Cube, Meet the McCumber Cube

I can solve a 3x3 Rubik's Cube, but I know plenty of people who cannot. In fact, it is estimated that fewer than 6% of adults know how to solve one, leaving the vast majority staring at a colourful mess and hoping for the best. Fortunately, the McCumber Cube is much easier to understand than its colourful cousin.

Instead of memorizing algorithms and making impossible-looking twists, it offers a simple framework for understanding how organizations can protect information from different angles.

Developed by John McCumber in 1991, the McCumber Cube is a framework that helps organizations understand information security from different angles. Rather than asking, "How do we protect our data?" it asks:

"What are we protecting, when are we protecting it and how are we protecting it?"

Looking at all three questions together gives a much clearer picture of an organization's security.

Security Principles

The first side of the cube focuses on the three main goals of information security.

Confidentiality is all about keeping secrets… well, secret. Sensitive information should only be available to authorized users.

Techniques such as encryption, identity verification and multi-factor authentication help make sure curious eyes stay curious.

Integrity ensures that information stays accurate and unchanged unless someone is actually supposed to change it. If your bank balance suddenly gained or lost a few zeros overnight, you would appreciate why integrity matters.

Hash functions and checksums are commonly used to detect unauthorized changes.

Availability means authorized users can access systems and data whenever they need them. After all, even the most secure system is not very useful if it is constantly offline.

Regular maintenance, software updates and backups help keep systems available.

States of Data

Data is not always sitting quietly in one place. It moves around and each stage comes with its own security challenges.

Data in process is information that is actively being used, such as updating a customer record or processing a payment. Since it is in action, it needs protection from unauthorized changes.

Data at rest refers to information stored on devices such as hard drives, solid-state drives or USB drives. Just because data is taking a nap does not mean attackers are.

Data in transit is information traveling between systems across a network. Without proper protection, it is a bit like sending a postcard instead of a sealed envelope. Encryption helps keep the contents private while they are on the move.

Security Controls

The final side of the cube explains how organizations protect their information.

Awareness, training and education ensure that employees understand security risks and know how to avoid them. Even the strongest security system can struggle if someone clicks on every suspicious email promising a free phone.

Technology includes the hardware and software used to protect systems, such as firewalls, encryption tools and other security solutions that monitor and defend networks.

Policies and procedures provide the rules that guide how security should be managed. They establish best practices and explain what to do when something goes wrong, which is much better than everyone making it up as they go.

Conclusion

Unlike a Rubik's Cube, the goal of the McCumber Cube is not to get all the colours on one side before your patience runs out. Its purpose is to remind organizations that good security is achieved by looking at every angle. When confidentiality, integrity and availability are protected across processing, storage and transmission using the right people, technology and policies, information becomes much harder to compromise. If only every cube in life came with a solution this practical.

- Tee