While attending several cybersecurity conferences recently, I noticed a lack of a common understanding of what cybersecurity is. I also noticed some confusion between cybersecurity and information assurance. I observed that many cybersecurity professionals and even NIST documents were advocating cybersecurity policy based on the 1991 McCumber model of information security (McCumber, 1991), which advocates “information awareness” programs. My experience has shown that such awareness programs are the bane of the user community and do not really work.
The McCumber model was enhanced in 2001 by the Maconachy, Schou, Ragsdale, and Welch (2001) model which argued . . .