(also operational security, procedural security)
OPSEC is an analytical security process used in business to prevent sensitive information from being exposed or getting into the wrong hands. It supplements rather than replaces other security measures in a company.
OPSEC identifies seemingly safe actions that could reveal critical and confidential information to cybercriminals. OPSEC activities may include social media monitoring, behavior monitoring, and security best practices.
Examples of OPSEC failure
In 2014, journalists proved that Russian troops were in eastern Ukraine using geotagging data on Instagram posts shared by a Russian soldier.
In 2018, confidential information about the location of secret US military bases was revealed due to military staff using tracking features on their fitness apps.
OPSEC’s five-step process
- Identifying critical information. The company identifies sensitive information that could jeopardize the organization if stolen or exposed.
- Analyzing potential threats. The company identifies internal and external threats and their motives (e.g., a rival company or a group of frustrated employees).
- Assessing vulnerabilities. The company determines which vulnerabilities these groups could abuse to access company data (e.g., loopholes, configuration weaknesses, or potential data leaks).
- Assessing the risk. After discovering vulnerabilities, the company evaluates the level of threat they pose (e.g., how bad the damage would be).
- Developing and applying security measures. At this stage, appropriate measures to protect sensitive information are developed. These may include employee training, new security practices, or software updates.