12 OPSEC Principles That Everyone Should Apply

by Sunny Hoi


The OPSEC principles delineated in this article is devised to prevent compromise and diminish the damage when it impacts you. Everyone should apply OPSEC principles regardless of their operational activities.

What Is OPSEC? (Operations Security)

OPSEC is an abbreviation that refers to Operations Security which is the procedure used to protect unclassified information that could be used against us. OPSEC confronts us to analyze ourselves critically through the eyes of an adversary. Substantially, anyone who can sabotage individuals, groups, resources, or objective is considered an adversary.

Operations Security is a name commencing in U.S military jargon.

Operations Security ought to be deployed for the purposes of safeguarding information, and by that renounce the adversary the capacity to act.

Most information accumulated derives from Open Sources. All information that may be acquired openly, without breaking the law, is considered Open Source. For instance, social network websites, text messages, newspaper articles, blogs, and photos that are candidly available.

Our OPSEC aspiration is to assure a prudent, reliable, and secure environment. OPSEC is ideally deployed regularly when determining choices about what kind of communications to utilize, informative postings on blogs and social networks, and what is inscribed in emails or uttered on the phone,

All information that individuals place in the public domain are always accessible to their adversaries.

1. Humans are the weakest link in security.

Humans make all kinds of mistakes, whether technical or non-technical. We’re lazy. We seek for shortcuts. In other words, we’re inherently flawed. Humans in any social organization will presumably be disloyal, leading to betrayal.

Always remember that the adversary does not feel the necessity to grasp the big picture all in one moment, particularly in the very beginning. Adversaries obtain small pieces of information and gather them together in an organized fashion to construct a bigger picture over time.

2. Employ OPSEC principles when using social media. Take for granted that anything you put on social media can be observed by the adversary.

Facebook Example

A lot of people don’t conceive the possibility that the adversary looks at social media like Facebook. Adversaries know exactly where to obtain information. They will use it to their advantage. If they notice that the Facebook user’s page isn’t locked down, they can see every friend they have, and each page that isn’t locked down, they may see everything.

One thing that pertains to OPSEC security is where the adversary doesn’t have to initiate a friend request with the individual he/she wants to retrieve information from. Rather, the enemy can become friends with one of the target’s “associates.” This results in the adversary gaining an advantage since the target’s information is now easily obtainable. I’m not just merely talking about Facebook, but also in real life as well.

Let’s use Facebook as a social media example to illustrate the weakness of being too “social” and “open” to friendly and supposedly innocuous discourses. An individual that works in a large corporate bank firm named Adam and his wife, Eve. Adam has had a week full of stress that consists of long strenuous hours and irritation. Luckily for Adam, he’s about to go on a vacation with his wife. Adam’s wife Eve perceives that she’s not supposed to talk about any of her husband’s corporate financial activities, but she believes that if she conducts her Facebook posts generic, she is permitted to engage in discourses relating to what Adam has been going through recently and their upcoming vacation.

Eve states that “My husband has been putting in a lot of strenuous work and additional hours this week. Fortunately, we’re going on vacation soon.” Now Eve’s friend Britney writes on Facebook: “Oh nice! You guys deserve a vacation. Where are you guys heading?.” Anyways, the point is they’re exchanging information and inevitably revealing the location of their vacation destination to Britney. This appears to be harmless right?

Nevertheless, a problem soon emerges. Britney has accepted a friend request from Tim. She has never met Tim in real life nor has she ever spoken to him before on the Internet. Tim states that he knew some of her esoteric Facebook friends. Feasibly, Tim conveyed to her that they went to university together and that she just didn’t remember Tim.

Now the plot twist is this: Tim isn’t really who he says he is. In fact, Tim isn’t even Tim. His claims are mere fabrications used for malicious intentions. In reality, Tim is a criminal hacker who is also collaborating with an adversary. Since he has now become friends on Facebook with Britney, he may now see what she’s talking to Eve about. Despite that Eve has her privacy settings on Facebook on minimum settings, Tim can perceive that she’s linked to Adam, and Adam’s profile picture showcases himself in a corporate suit behind a large complex institution that Tim recognizes instantly that also captures his attention.

Tim now possesses knowledge after spying on Eve and Britney’s conversation that Adam and Eve are going on vacation shortly after working for many additional hours. Also, Tim discovers some other information that is beneficial to him and the adversary he has been working for. The information can be used against Adam’s corporate bank firm for illicit purposes. For example, Tim can orchestrate a well-constructed phish targeted at the bank’s employees and even may pretend to be Adam on ‘vacation.’ Spear phishing is conceivable. The possibilities are endless.

Further Implications

OPSEC always applies outside social media. When someone like Adam and Eve in our example go on vacation, they might unintentionally put personal information out there that puts them at risk at the hands of an adversary. Eve did this by revealing to Britney that she and Adam were going on vacation. One of the adversaries, Tim, noticed this and can exploit that easily over time. People should always know that they may tag themselves in different places. Therefore, people can track their movements.

The example above illustrates the significance for social media users to think about the information they share with other individuals. Consequently, if the information someone puts out there will assist their friend to gain a better picture of what’s happening, it will also aid someone that is not their friend just as much, occasionally more.

Adversaries gather small pieces of information and place them together to construct a picture of what a target’s plans are even though the target and the allies aren’t actually providing precise details. This is a well-used technique to obtain information. It usually merely takes a couple of distinct pieces of information until the adversary starts constructing and grouping pieces of the puzzle together.

3. The number of members in a group is precisely correlated to its prospect of being compromised.

The bigger your organization, the higher chance of being compromised. Every extra member the group adds results in a statistically greater chance that any member of the group will eventually be compromised.

4. Never underestimate your opponent.

Assertions typically amount to disparagement. If you ever doubt about your adversary’s capacity to deploy a particular method or plan, don’t because the enemy is likely to be able to. If not, someone else that is an ally of the adversary probably could. Continuing on making these assertions and generalizations can drastically hinder the target’s ability to function efficiently. The cost for exaggeration signifies a decline in adeptness. Less obvious is that they could render your mitigation tactics unnecessarily complicated, which potentially institutes new operational security issues. The cost for disparagement is endangerment. Always analyze your surroundings, hostile environment, and construct your mitigations appropriately.

5. Complexity can lead to failure.

While having intricate operational security methods can be advantageous, the intricacy can pose a problem since it relates precisely to the proportionality to your probability of making an error. Even when your mitigations considerably surpass the powers of your adversary, any kind of mistake made could invalidate them completely.

6. Preserve and Advance Skills.

Every skill is subject to decay and is rendered as ephemeral. Technological progression commonly alters how the game is played. Retain alertness of your operational terrain. Also, make sure to stay up-to-date with the relevant media and patch your systems.

7. Convenience ultimately leads to a compromise in security.

Convenience makes things easier, but eventually, it will easily defeat security.

8. Don’t be unconventional.

Stepping out of traditional boundaries attracts attention and curiosity.

9. Subdivision is an essential OPSEC principle.

You may curtail both the risk of being compromised and the burden a compromise holds by diminishing the sum of individuals who fully grasp operations. If compromise ever happens, subdividing is vital to confining the damage and its impact.

The process of the subdivision where one group member is divided/isolated from others ought to never be disregarded. Subdividing members’ communications during operational/non-operational movements is important to isolate the damage inflicted by contagions. Subdividing operational and personal devices is a necessity.

10. Use Further Layers To Enhance Privacy And Security, Making The Task Of The Adversary More Difficult

Be sure to use PGP encryption on emails that may potentially contain sensitive information. Apply multi-layers of encryption. Use an open-source utility deployed for on-the-fly encryption. Open source utility provides the benefits of being able to analyze source code. It attracts more scrutiny and typically contains more security fixes. The same can’t be said about closed-source (proprietary) utilities. Hence, encrypt devices using AES 256 keys.

Use BleachBit to securely delete files. This software is what Hilllary Clinton purportedly used to delete emails on her private server. Recovery of files is impossible if BleachBit is used.

Shred every document containing sensitive information.

11. Think first.

Thinking should always be your foremost priority. Clumsiness hinders you.

12. Always have backup plans.

You need to have multiple backup plans ready in case a compromise occurs.If one plan fails, you have other options. Having one backup plan is inadequate since it can also fail, leaving you hopeless.


The OPSEC principles explained in this article is extremely useful for anyone. The crux is that we may be our own worst enemy. Research yourself or organization to see how much information you can discover.

Related Posts