You are here

Practical Operational Security: Government, Commercial, and Personal

A Q&A with Anglicotech's FSO, Joe Benson:

Hey FSO, the other day the team was talking about the need to consider OPSEC for our new Flying/Underwater Nuclear-powered Knowledge Emitter, Enhanced (FUNKEE) project. I was nominated to lead the OPSEC analysis team. I live acronym soup every day. I sort of understand OPSEC in general and remember seeing it mentioned in security briefs but I’m not sure I have a real good grasp of the concepts. Can you help refresh my memory on what OPSEC is and how I can apply it?
Absolutely I can help. First, congratulations on your nomination to lead this effort. All of us have heard the term Operations Security (OPSEC) at one time or another. You may have seen the formal definition; a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.

I remember that from our security briefing and my time on active duty. But it’s pretty wordy. Can the definition be summarized a bit?
Absolutely. In simplest terms, OPSEC is a risk assessment tool. The OPSEC process is a formalized method to identify security risks and countermeasures.

Got it. Next question, where do I apply OPSEC?
The notion and practice of OPSEC dates back more than a millennium, when armies (and navies) used denial and deception to keep operations a secret from their enemies. Although the practice is an old one, the term OPSEC is relatively new. Given the history of the practice and when and where we receive OPSEC training and orientation, one would assume this almost exclusively applies to military and business operations. Military operations….Operations Security….it makes sense. But the reality is you can (and should) apply OPSEC is all aspects of both your professional and personal lives.

So what are the steps of the process?
There are five steps in the process. Here is a graphic that lays them out for you (top).

So where do I start?
As you can see, this is an iterative process so you can really pickup anywhere along the way. It’s easier to understand when put in the context of something anyone can relate to. Assume you are getting ready to take a two-week vacation. Now apply OPSEC to that scenario. From your point of view, the mission is to secure your home while you are away on a two week vacation. From the bad guy’s (burglar’s) point of view, the mission is to burglarize houses. Look at each of the steps in the process and answer the relevant questions.

  • Identify Critical Information – What is your critical information and why? What does the burglar need to know to increase his chances of accomplishing his mission of burglarizing your house? What might your house look like from the outside after 4 days? What are some indicators that you might not be home?
  • Analyze the threat – Who needs that critical information? You know that a burglar would find that critical information very useful. If you were the burglar, how would you gather information? What would be indicators to you that this was a good house to burglarize?
  • Analyze Vulnerabilities – What weaknesses can a burglar exploit? What information can the burglar collect, analyze and act upon that will increases his chances for success?
  • Assess Risks – What would be the impact of the burglar knowing you were not home? What would be your primary risk? What is the impact from the loss of your possessions? Are some things irreplaceable? Are these risks acceptable to you?
  • Apply Appropriate Countermeasures – What can you do to mitigate unacceptable risks? What OPSEC countermeasures might you choose to minimize or eliminate OPSEC indicators?

That’s easy to conceptualize and pretty straight forward.
Absolutely. It sounds somewhat complicated at first. But in practice it is very simple. In this vacation scenario you identified your OPSEC indicators and critical information. You analyzed the threat and your vulnerabilities. You looked at your operations from an adversary’s perspective. Finally, you assessed the risk and applied countermeasures. The threat of your house being burglarized is still present, but you have mitigated (reduced) your risk by applying OPSEC countermeasures to your vulnerabilities. You have made it more difficult for your adversary (Mr. Burglar) to determine your critical information (house is empty).

I think I got it now. While I can never completely eliminate risk, OPSEC is a tool I can use to help identify and minimize risk. Although OPSEC has a formal construct and was borne out of military operations, it is equally effective in the contracting world or when used informally and in day-to-day activities. I think the more I use this, the more proficient I will become.
I couldn’t have said it better myself.

By: Joe Benson, Program Manager & FSO