OPSEC (short for Operations Security) is the process of identifying and protecting critical information.
OPSEC principles were originally developed by the US military to prevent the leakage of seemingly harmless, unrelated pieces of information that, when combined by an adversary, reveal a larger secret (the aggregation problem). Today these principles are used both by infosec professionals to reduce the risk of confidential information being leaked and by cybercriminals to avoid detection and attribution.
Five steps of OPSEC
Operations security is typically divided into five steps that must be iterated on a regular basis:
- Identification of critical information. Identify which information an adversary would want and which information would do the most damage to the organization if it leaked. Note that this includes not only obvious secrets (credentials, source code, customer data) but also indicators that can be pieced together, such as travel schedules, vendor names, or internal hostnames.
- Analysis of threats. Determine who may be interested in obtaining the critical information identified in step one: cybercriminals, competitors, state actors, or even the organization's own employees. For each adversary, consider their capabilities and likely objectives.
- Analysis of vulnerabilities. Using the list of threats from the previous step, identify the weaknesses through which each of those adversaries could actually obtain the critical information: unprotected systems, careless public disclosures (social media, job postings, conference talks), insecure handling of documents, and so forth.
- Assessment of risk. For each vulnerability, estimate the likelihood that it will lead to a leak of critical information and how severe the resulting damage would be. Rank the vulnerabilities by the combination of likelihood and impact so that it is clear which must be addressed first.
- Design and application of countermeasures. At this final step, the organization's security officers design a plan to mitigate the highest-ranked risks. Since threats themselves are outside the organization's control, countermeasures target the vulnerabilities: installing new infosec products, developing security policies, updating employee manuals and training, restricting what is published about the organization, and so forth. The planned measures are then implemented, and the cycle begins again, because critical information, threats, and vulnerabilities all change over time.