Operations security: the missing link

Abstract

Operations Security (OPSEC) comprises a rational approach, complementary to physical, personnel, and information security disciplines, to the identification and protection of critically important technology and information. OPSEC incorporates elements of operations and decision analysis, and draws on the skills of intelligence and security specialists to provide managers with a realistic basis for directing security activities. OPSEC is concerned with identifying and protecting information which adversaries could otherwise exploit to the agency or corporate detriment. For the first time in literature, we describe the means to quantify and evaluate the effectiveness of an OPSEC system and introduce the concept of a "window of ambiguity." Through this approach we show that the higher the degree of uncertainty about the validity of available information, the more effective the OPSEC program. OPSEC is unique in that it places the responsibility for critical security decisions firmly in the hands of senior management, arming them with the information they need to make those decisions and the techniques essential to implementing them. OPSEC thus represents the missing link among management's objectives, a complex physical and information security system, and a totally effective, integrated security program.