“Whoever wishes to keep a secret must hide the fact that he possesses one.”
Definition of OPSEC
The USAWC Strategy Research Project defines Operations Security (OPSEC) as: 1. A systematic process by which a government, organization, or individual can identify, control and protect generally unclassified information about an operation/activity and thus deny or mitigate an adversary’s/competitor’s ability to compromise or interrupt that operational activity. 2. OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to (a) identify those actions that can be observed by adversary intelligence systems, (b) determine indicators adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries,…
OPSEC simply put is a mindset and analytic process which helps us examine our world through the eyes of an adversary or competitor and develop countermeasures in order to deny them critical information.
Definition of OPSEC terms
Critical information: Specific facts about friendly intentions, capabilities, operations, and other activities vitally needed by adversaries for them to plan and act effectively, so as to guarantee failure or unacceptable consequences for friendly mission accomplishment.
Adversary: Anyone who contends with, opposes or acts against your interest and must be denied critical information. Each adversary has their own motivations and capabilities. Examples include: terrorist groups, criminals, organized crime groups, extremists, foreign intelligence entities, and hackers/crackers.
Threat: The capability of an adversary coupled with his intentions to undertake any actions detrimental to the success of friendly activities or operations.
Indicators: Observable or detectable activities or information that can be pieced together to reveal sensitive information regarding your operation. An indicator acts as a clue to reveal information about an activity and will be the subject of analysis. Examples include: increased training, unusual deliveries, advanced parties, increase in related personnel actions such as travel, financial preparation, etc., frequent meetings, press releases and news items.
Vulnerability: A weakness that can be exploited by an adversary to obtain your critical information, and it can be present in any facet of your operations.
Risk: The probability an adversary will compromise your critical information, and the impact this would have if the adversary is successful.
Countermeasure: Anything that effectively negates or reduces an adversary’s ability to exploit our vulnerabilities. Examples include: changing your routine and routes, awareness training, altering your schedule, using encryption/VPN, using unmarked cars when traveling in foreign countries, and training employees to avoid discussing personal/company information in public.
OPSEC at Home
OPSEC as a concept is not limited to military, criminal, and terrorist organizations, but is increasingly relevant for ordinary citizens in a contemporary surveillance society. Have you ever stopped a newspaper delivery or asked a neighbor to pick up your mail prior to going on vacation? Have you left the lights or television on when you leave the house? If so, you have practiced OPSEC. A full mailbox or several papers in the driveway alone does not necessarily indicate that no one is home; combined with other indicators, however, it gives potential burglars the information they need to reach that conclusion. Eliminating as many indicators of your absence as possible gives you a much better chance of ensuring your home is not burglarized. The same is true of your workplace, school and community. OPSEC protects critical information and eliminates indicators available to the competitor or adversary.
The 5 step OPSEC process
1. Identify Critical Information
2. Analyze the Threat
3. Analyze Vulnerabilities
4. Assess Risk
5. Apply Countermeasures
Identification of Critical Information
Basic to the OPSEC process is determining what information, if available to one or more adversaries, would harm an organization’s ability to effectively carry out the operation or activity. This critical information constitutes the “core secrets” of the organization, i.e., the few nuggets of information that are central to the organization’s mission or the specific activity. Critical information usually is, or should be, classified or at least protected as sensitive unclassified information.
Analysis of Threats
Knowing who the adversaries are and what information they require to meet their objectives is essential in determining what information is truly critical to an organization’s mission effectiveness. In any given situation, there is likely to be more than one adversary, and each may be interested in different types of information. The adversary’s ability to collect, process, analyze and use information, i.e., the threat, must also be determined. In order to analyze the threat, you need to identify…
- What the adversary already knows.
- What the adversary needs to know to be successful.
- The adversary’s intent and capability.
- Potential adversaries to your mission, operations, or activity.
- Where the adversary is likely to look to obtain the information.
Analysis of the Vulnerabilities
Determining the organization’s vulnerabilities involves a systems analysis of how the operation or activity is actually conducted by the organization. The organization and the activity must be viewed as the adversaries will view them, thereby providing the basis for understanding how the organization really operates and what the true, rather than hypothetical, vulnerabilities are. Consider the following vulnerabilities…
- Newspapers piling up could tell a burglar when to break into a home
- Untrained employees can reveal critical information while talking on the phone or in public
- Poor document control/unsecured dumpsters could allow for technical drawings, company memos and planning notes, spreadsheets, working documents to fall into the wrong hands
- Untrained employees can reveal sensitive information in online forums or chat rooms
- Predictable patterns, when changed, can reveal the occurrence of a significant event
Assessment of Risks
Risk has three components, combined as Threat x Vulnerability x Impact = Risk. Each vulnerability must be matched with the specific threats able to exploit it. Where the vulnerabilities are great and the adversary threat is evident, adversary exploitation should be expected; therefore, a high priority for protection needs to be assigned and corrective action taken. Where the vulnerability is slight and the adversary has only a marginal collection capability, the priority should be low. You then decide whether the resulting level of risk warrants the application of a countermeasure.
Application of the Countermeasures
Countermeasures need to be developed that eliminate the vulnerabilities, threats, or utility of the information to the adversaries. The possible countermeasures should include alternatives that may vary in effectiveness, feasibility and cost. Countermeasures may include anything that is likely to work in a particular situation. The decision of whether to implement countermeasures must be based on cost/benefit analysis and an evaluation of the overall program objectives.
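The risk ranking from the Assessment of Risks section and the cost/benefit decision from this section, as an added worked example that is not part of the original article: the 1–3 ordinal scales, the priority thresholds, the cost scale and the sample register entries are all constructed assumptions, chosen so the page’s own vulnerabilities (piled-up newspapers, unsecured technical drawings, predictable travel) can be scored side by side.

```python
from dataclasses import dataclass

# Ordinal scales (assumed for this example): 1 = low, 2 = medium, 3 = high
LOW, MEDIUM, HIGH = 1, 2, 3

@dataclass(frozen=True)
class Exposure:
    """One critical-information item matched with a specific adversary, threat and vulnerability."""
    critical_info: str
    adversary: str
    threat: int          # adversary capability coupled with intent
    vulnerability: int   # how easily the indicator can be observed and exploited
    impact: int          # consequence if the information is compromised

def risk_score(e: Exposure) -> int:
    """Risk = Threat x Vulnerability x Impact on the page's three-factor model (range 1..27)."""
    return e.threat * e.vulnerability * e.impact

def priority(e: Exposure) -> str:
    """Protection priority: high where vulnerability is great and the threat is evident,
    low where both are slight. The cut-off values are assumed policy settings."""
    score = risk_score(e)
    if score >= 18:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def countermeasure_decision(e: Exposure, cost: int, threshold: int = 8) -> bool:
    """Cost/benefit step: apply a countermeasure only when the risk warrants action at all
    (score at or above the assumed threshold) and the risk it removes exceeds its cost
    (cost expressed on the same 1..27 scale, an assumption of this example)."""
    score = risk_score(e)
    return score >= threshold and score > cost

def rank_exposures(exposures):
    """Return (score, priority, exposure) tuples, highest risk first."""
    return sorted(((risk_score(e), priority(e), e) for e in exposures), key=lambda t: -t[0])

# Constructed sample register drawn from the vulnerabilities listed on the page
REGISTER = [
    Exposure("Household occupancy schedule", "burglar", MEDIUM, HIGH, MEDIUM),
    Exposure("Product design drawings", "competitor", HIGH, HIGH, HIGH),
    Exposure("Executive travel dates", "organized crime", LOW, LOW, MEDIUM),
]

if __name__ == "__main__":
    for score, prio, e in rank_exposures(REGISTER):
        decision = "apply" if countermeasure_decision(e, cost=5) else "accept"
        print(f"{score:2d} {prio:6s} {decision:6s} {e.critical_info} vs {e.adversary}")
```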
OPSEC can be summarized in two steps
1. Know what needs to be protected.
2. Know how to protect it.