- SurvivalBlog.com - https://survivalblog.com -

The Art and Practice of OPSEC, by T.H.

What is it? We often hear the term OPSEC, also know as Operations Security (not Operational Security), but few people actually know what it really means. When asked they often say, “It means not talking about what you are doing.” Or, they may say, “It means staying gray.” This is an extremely simplistic view of the program and fails to incorporate the nuances and methodology of the process.

The concept is nothing new. In the fifth century BCE, Sun Tzu wrote, “If I am able to determine the enemy’s dispositions while at the same time I conceal my own, then I can concentrate and he must divide.” The idea of keeping military information closely held has been practiced by the U.S. military in every war and conflict.

opsec1 [1]

Being that OPSEC is a military program, let’s look at the official definition:

“An analytical process used to deny an adversary critical information about our planning process and operations.”

That is all well and good, but what does that really mean and where did it come from? OPSEC, as a formalized security program, came from a Vietnam era NSA effort called “Purple Dragon”.

purpledragonorg [2]

In 1965, LBJ ordered bombing missions against Viet Cong (VC) and North Vietnamese Army (NVA) targets in SE Asia. These missions operated under the code names ARC LIGHT and ROLLING THUNDER. By 1966 it was becoming obvious that the bombing missions were not having the desired effects. U.S. ground units and bomb damage assessments were showing there were far fewer VC and NVA personnel and equipment in the targeted areas that intelligence reports had predicted. After a year of heavy bombing and the expenditure of millions of dollars, ARC LIGHT and ROLLING THUNDER appeared to be a failure.

Why was our intelligence so faulty? There must be a reason. As U.S. intelligence dug deeper, they noticed an increase of CHICOM message traffic during these bombing missions. Somehow the Chinese, and thus the NVA, were aware of the U.S. missions before they were launched! These messages even contained extremely detailed target information and warned VC and NVA units up to eight hours in advance.

DoD established a team to investigate this situation. The investigation was codenamed PURPLE DRAGON. PURPLE DRAGON discovered several items of interest, but one stood out. Under International Civil Aviation Organization (CAO) rules, any time that an aircraft moved out of one Air Traffic Control (ATC) jurisdiction into another it was mandated that it file a flight plan with the local ATC and let the new ATC know when and where it would be entering the new ATC’s jurisdiction. The new ATC would release a Notice to Airmen (NOTAM) listing flight path, altitude, times of arrival, and other details of the specific aircraft’s itinerary. NOTAMs were available to all civil aviation authorities. This information was sent to all adjacent ATCs, so they would also be aware of the aircraft.

B-52 missions flying out of Guam and Thailand were required to file flight plans as required with the local ATC and thus to the world in the form of a NOTAM. North Vietnam was receiving these NOTAMs via the CAO and were able to extrapolate target data from the documents. This gave ample time to warn potential targeted units and locations with up to eight hours to vacate the area and make defensive preparations.

The Purple Dragon team were able to identify the vulnerability in this process. Using this example the team developed a process to review, analyze, and protect unclassified information that could be exploited by our enemies. They focused on indicators, patterns, and signatures of upcoming operations. This process became Operations Security or as we know it today: OPSEC.

The process is pretty straightforward in a military setting but not so clear in our private lives. We talk about not standing out but how do we accomplish this. What are we trying to protect, and who are our adversaries? Should these issues be addressed in our dealings on the Internet?

Let’s look at that definition again: “An analytical process used to deny an adversary critical information about our planning process and operations.”

It really is as simple as this:

The OPSEC process consists of five steps. The text book answer is that they are not in any particular order, but personally I like the following:

  1. Analyze the Threat.
  2. Identify Critical Information
  3. Analyze Your Vulnerabilities.
  4. Assess the Risk.
  5. Apply OPSEC Countermeasures.

opsec2 [3]

Analyze the Threat

Who are our enemies and what are they capable of? Are your enemies street criminals, identity theft scam artists, the Mafia, burglars, armed robbers, and/or terrorists? A person living in Atlanta would have a different set of threats (street criminals, et cetera) than a rancher in Arizona (drug runners from Mexico, et cetera). An owner of a logging company may be threatened by eco-terrorists, like Earth Liberation Front, where a butcher may be targeted by the Animal Liberation Front. Conduct research in your area, and determine what the local threats are to you! These may be drastically different than that of your neighbor or local friend.

When analyzing the threat, look at the group’s existence, capability, intent, history, and targeting.

Identify Critical Information

Put yourself in the mind of the adversary. As yourself, “If I were going to attack this person, what info would I need to execute the assault?” For our purposes, we will use an example of identify theft. I would want to know: name, SSN, DOB, account numbers, address, credit card numbers, POB, phone numbers, computer pass words, and other personal information. These questions are called Essential Elements of Friendly Information (EEFI). The answers to these questions are called your Critical Information List (CIL). Try to have no more than 12 items in your CIL.

Analyze Your Vulnerabilities

All of your CILs may not be vulnerable for exploitation. For example, I don’t write my passwords down, but my SSN is on my DL, even though I have the option to opt out by request (in my state). Let’s say I don’t shred my mail and I use my real name on the Internet. Are there any indicators or signatures of my operations?

Assess Risk

Not everything is at risk. We must address only those things that could affect us if compromised. This is called Risk Management vs. Risk Avoidance. A simple formula to help us with this is Threat x Vulnerability x Impact = Risk (T x V x I=R). If any one of these factors is zero, then your have no risk. Let’s say I live on a restricted high security military compound. In this situation, the threat (T) of street criminals is non-existent and is thus a “0”. Factor this in with the fact that I carry large amounts of cash and would be impacted by its loss. Use a scale of 1-5 for each element with 1 being the lowest and 5 being the highest. The carrying of cash (V) would be a 5 and the impact (I) would also be a 5. With the risk formula T x V x I=R, in this case we’d have a risk of 0 x 5 x 5=0; thus, there would be no risk. Use this formula for each of your threats and vulnerabilities to determine your unique overall risk. This also helps you to rate your risk from highest to lowest and allows you to prioritize the expenditure of your limited resources.

Apply Countermeasures

Whatever vulnerability is left after being bumped against threat and impact should be eliminated with a countermeasure. Be open minded when going through the process and try to truly take the role of the adversary.

The thing to keep in mind is that every person, group, company, or operation has a unique set of threats, EEFIs, CILs, vulnerabilities, risks, and countermeasures. There is no one size fits all.

Let’s look at an example of how this comes together for a fictitious tactical training group called the Baytown Training Group (BTG).


The CIL for BTG is:


The indicators are:


The threat is:


The ways that information is vulnerable for BTG:


The following vulnerabilities are acceptable risks:

The following vulnerabilities will be countered:


purpledragon [4]

As we have learned, OPSEC is a methodological, continuous process that protects your critical information. Each person, organization, or operation will have a different CIL. OPSEC focuses on the utilization of precious time and resources to protect only that information that is critical, vulnerable, and worthwhile. Once you prioritize your information and decide what is important, it will be much easier to manage from an OPSEC perspective. OPSEC doesn’t involve protecting all information from all potential advisories.

The proper utilization of OPSEC for unique situations and day-to-day life will help create desirable outcomes, pave the way to success, and help minimize difficulties. Become familiar with the process, and get used to using it for every activity. Soon, it will become second nature, and you will have tamed the Purple Dragon!