Operational Security
Operational security is the systematic process of denying adversaries information that could be used against an organisation, its staff, or the people it serves. The discipline originated in military intelligence but applies directly to mission-driven organisations operating in contested environments where state actors, criminal groups, or hostile parties actively seek information about staff movements, beneficiary identities, programme activities, or organisational capabilities.
- Operational Security (OPSEC)
- A risk management process that identifies critical information, analyses threats, assesses vulnerabilities in how that information might be exposed, and applies countermeasures to prevent disclosure.
- Critical Information
- Specific facts about an organisation’s activities, intentions, capabilities, or limitations that would cause harm if obtained by an adversary. Not synonymous with classified or sensitive data; criticality depends on adversary interest.
- Indicator
- An observable action, pattern, or piece of information that reveals critical information. A single indicator rarely exposes critical information directly; adversaries aggregate multiple indicators to develop intelligence.
- Adversary
- Any individual, group, or entity with the intent and capability to collect information that could harm the organisation, its staff, or the people it serves. Adversaries range from sophisticated state intelligence services to local criminal networks to individuals with personal grievances.
- Countermeasure
- An action taken to prevent an adversary from detecting indicators or exploiting vulnerabilities. Countermeasures impose costs in time, resources, or operational flexibility and require deliberate selection based on risk.
The OPSEC Process
Operational security follows a five-step analytical process that transforms intuitive security awareness into systematic protection. Each step builds on the previous, creating a feedback loop that adapts to changing threats and operational requirements.
+-----------------------------------------------------------------+| OPSEC ANALYTICAL PROCESS |+-----------------------------------------------------------------+| || +----------------+ || | 1. IDENTIFY | || | CRITICAL +---------------------------------------+ || | INFORMATION | | || +-------+--------+ | || | | || v | || +-------+--------+ | || | 2. ANALYSE | | || | THREATS +-----------------------------------+ | || | | | | || +-------+--------+ | | || | | | || v | | || +-------+--------+ | | || | 3. ANALYSE | | | || | VULNERA- +-------------------------------+ | | || | BILITIES | | | | || +-------+--------+ | | | || | | | | || v v v v || +-------+--------+ +------+---+---+--+ || | 4. ASSESS | | | || | RISKS +----------------------->| FEEDBACK AND | || | | | REASSESSMENT | || +-------+--------+ | | || | +-----------------+ || v || +-------+--------+ || | 5. APPLY | || | COUNTER- | || | MEASURES | || +----------------+ || |+-----------------------------------------------------------------+Figure 1: The five-step OPSEC process with continuous feedback
The first step identifies what information requires protection. Critical information differs from generally sensitive data because criticality depends on adversary interest and capability. Staff home addresses constitute sensitive personal data in any context, but they become critical information when the organisation operates in an area where staff face targeting based on their employer. A programme’s budget breakdown is routine administrative data until an adversary seeks to understand organisational capacity or identify funding vulnerabilities. The identification step requires understanding both what information exists and who wants it.
The second step analyses threats by examining adversary intent, capability, and collection methods. A state intelligence service with signals intelligence capability presents different risks than a local criminal group relying on physical surveillance and social engineering. Threat analysis identifies which adversaries are relevant, what collection methods they employ, and what information they seek. This analysis must be specific to operational context; threat profiles for an organisation operating in eastern Democratic Republic of Congo differ substantially from those operating in Bangladesh or Honduras.
The third step analyses vulnerabilities by examining how critical information might be exposed through indicators. Vulnerabilities exist in patterns of behaviour, communications, physical security, digital systems, and human factors. A predictable travel schedule creates vulnerability because it generates observable patterns. Unencrypted email creates vulnerability because it enables interception. Staff discussing programme activities in public venues creates vulnerability because it enables collection through proximity. Vulnerability analysis maps the pathways through which critical information could reach adversaries.
The fourth step assesses risk by combining threat capability with vulnerability exposure. High-capability adversaries combined with significant vulnerabilities produce high risk. Low-capability adversaries or minimal vulnerabilities produce lower risk. Risk assessment enables prioritisation because resources for countermeasures are finite. An organisation cannot eliminate all vulnerabilities; it must focus countermeasures where threats and vulnerabilities intersect most dangerously.
The fifth step applies countermeasures to reduce risk to acceptable levels. Countermeasures fall into categories: elimination removes the vulnerability entirely; control reduces vulnerability through procedural or technical measures; acceptance acknowledges residual risk when countermeasure costs exceed benefits. Countermeasure selection requires balancing security against operational effectiveness, staff wellbeing, and resource constraints.
Critical Information Identification
Critical information identification begins with understanding what an adversary needs to know to cause harm. The question is not “what information do we have?” but “what information would help an adversary achieve their objectives against us?” This adversary-focused perspective distinguishes OPSEC from general information security.
Critical information categories for mission-driven organisations typically include personnel information such as staff identities, roles, locations, and travel patterns; programme information such as activities, locations, beneficiary identities, and operational timelines; organisational information such as capabilities, limitations, funding sources, and strategic plans; security information such as protective measures, incident responses, and security vulnerabilities; and relationship information such as partners, sources, and protected contacts.
The specificity of critical information matters. “Staff locations” is too broad to be actionable. “The identity of the Country Director and their residential address in Juba” is specific enough to enable vulnerability analysis and countermeasure development. Critical information lists should contain 15 to 25 specific items for a typical country operation; fewer suggests incomplete analysis, while more suggests insufficient prioritisation.
A worked example illustrates the identification process. An organisation providing legal assistance to refugees in a country with hostile government attitudes toward the refugee population identifies the following critical information: identities of staff providing direct legal services; identities and case details of clients with pending asylum claims; locations of client meetings and legal consultations; organisational capacity to handle case volume; relationships with international protection bodies; and internal assessments of government policy and enforcement patterns. Each item represents information that, if obtained by government security services, could enable targeting of clients, harassment of staff, or interference with operations.
Threat Modelling
Threat modelling structures adversary analysis into a framework that enables systematic countermeasure development. The process examines who might target the organisation, what they want to achieve, what capabilities they possess, and what methods they employ for collection.
+------------------------------------------------------------------+| THREAT MODEL COMPONENTS |+------------------------------------------------------------------+| || +---------------------------+ +---------------------------+ || | ADVERSARY | | OBJECTIVE | || +---------------------------+ +---------------------------+ || | | | | || | - State intelligence | | - Identify staff | || | - Security services | | - Locate beneficiaries | || | - Armed groups | | - Disrupt operations | || | - Criminal networks | | - Discredit organisation | || | - Hostile individuals | | - Extort resources | || | - Competitors | | - Gather intelligence | || | | | | || +-------------+-------------+ +-------------+-------------+ || | | || +----------------+---------------+ || | || v || +--------------+--------------+ || | CAPABILITY | || +-----------------------------+ || | | || | Technical: | || | - SIGINT (signals intel) | || | - Cyber intrusion | || | - Surveillance equipment | || | | || | Human: | || | - Informant networks | || | - Social engineering | || | - Physical surveillance | || | | || | Access: | || | - Legal authority | || | - Border control | || | - Infrastructure control | || | | || +--------------+--------------+ || | || v || +--------------+--------------+ || | COLLECTION METHODS | || +-----------------------------+ || | | || | - Communications intercept | || | - Device compromise | || | - Physical surveillance | || | - Human source recruitment | || | - Open source monitoring | || | - Coerced disclosure | || | | || +-----------------------------+ || |+------------------------------------------------------------------+Figure 2: Threat model structure showing adversary-objective-capability-method relationships
State intelligence services represent the most capable adversary category. They possess signals intelligence capabilities to intercept communications, cyber capabilities to compromise devices and networks, legal authority to compel disclosure from local service providers, and extensive human intelligence networks. State services typically have strategic objectives such as monitoring foreign NGO activities, identifying regime opponents, or tracking refugee and diaspora populations. The sophistication of state capabilities varies significantly; services in countries like Russia, China, Iran, and Israel operate at the highest capability tier, while services in many other countries possess substantial but less comprehensive capabilities.
Security and police services may operate distinctly from intelligence services or may overlap substantially depending on national structure. These services often focus on tactical objectives such as identifying specific individuals, disrupting particular activities, or supporting prosecution. They possess legal authority for arrest, detention, and property seizure. In some contexts, security services operate with minimal legal constraint, employing extrajudicial methods including physical coercion.
Armed groups including insurgent organisations, militias, and criminal enterprises present threats in many operational contexts. Their capabilities tend toward human intelligence and physical methods rather than technical sophistication, though some groups have developed or acquired technical capabilities. Armed groups may target organisations for extortion, to gather intelligence on rival groups or government forces, to prevent interference with their activities, or to target beneficiary populations under organisational protection.
Hostile individuals including disgruntled former staff, rejected beneficiaries, or ideological opponents present targeted rather than systematic threats. Their capabilities are usually limited but their access and knowledge may be substantial. A former staff member knows internal procedures, personnel, and vulnerabilities in ways external adversaries do not.
Digital Footprint Management
Digital footprint encompasses all information about an organisation and its personnel that exists in digital form across the internet, commercial databases, social media platforms, and leaked data repositories. Adversaries systematically collect and analyse digital footprints to develop targeting information, often before any direct collection activity.
The organisation’s own digital presence includes its website, social media accounts, published reports, press releases, and public communications. Each publication potentially reveals information about activities, locations, staff, and capabilities. A photograph posted to social media may contain location metadata. A published report may identify programme areas and partner organisations. A job advertisement reveals organisational structure and capability gaps. Annual reports may detail funding sources and budget allocations.
Staff personal digital footprints compound organisational exposure. Personal social media accounts may reveal relationships with the organisation, travel patterns, family information exploitable for targeting, and opinions or associations that create vulnerability. Professional networking sites like LinkedIn provide detailed employment histories, skill sets, and professional networks. Registration databases for conferences, webinars, and publications link individuals to organisations and topics.
Third-party data aggregators compile information from public records, commercial transactions, and data breaches into comprehensive profiles. These aggregators operate legally in most jurisdictions and sell data to any purchaser. An adversary can obtain detailed profiles on staff members, including residential addresses, family members, vehicle registrations, and property records, through commercial purchase.
Leaked data from security breaches at other organisations creates exposure. If a staff member’s personal email account was compromised in a breach at an unrelated service, and that email account was used to register for work-related services, the breach exposes work credentials and potentially work communications. The HaveIBeenPwned database alone indexes over 12 billion compromised accounts.
Footprint management requires both reduction and monitoring. Reduction involves minimising unnecessary digital presence: removing location metadata from published images, limiting staff identification in public materials, configuring social media privacy settings, and removing unnecessary information from websites. Monitoring involves regularly checking what information is discoverable: searching for the organisation and key staff names, monitoring data breach notifications, and using reconnaissance tools to assess the organisation’s digital exposure.
A footprint audit procedure begins with identifying the scope: the organisation itself, key personnel, sensitive programmes, and critical locations. The audit then systematically searches for information across web search engines (including non-English language engines relevant to operational contexts), social media platforms, commercial data aggregators, domain registration records, public records databases, leaked credential repositories, and pastebins and code repositories where information is sometimes accidentally or maliciously published.
Indicator Analysis
Indicators are observable pieces of information that adversaries can collect and aggregate to reveal critical information. A single indicator rarely exposes critical information directly, but multiple indicators combined through analysis can expose even carefully protected information. Understanding indicator types enables both vulnerability assessment and countermeasure development.
Communications indicators include the content of communications, the metadata about communications (who communicates with whom, when, and how often), and the methods used for communication. Encrypted communication protects content but typically does not protect metadata. A pattern of encrypted communications between an organisation and a particular individual may indicate a protected relationship even if the content remains unknown.
Travel indicators include flight bookings, visa applications, border crossings, vehicle movements, and accommodation records. A staff member’s repeated travel to a particular location indicates organisational interest in that location. Commercial travel booking systems share data widely; an adversary with access to airline reservation systems or border control databases can track travel patterns comprehensively.
Financial indicators include bank transactions, wire transfers, procurement records, and spending patterns. A sudden increase in fuel purchases may indicate expanded field operations. Regular payments to a particular vendor reveal supply chain relationships. Financial indicators are particularly exposing because they are systematically recorded and often accessible to state actors through financial system oversight.
Digital indicators include IP addresses, device identifiers, location data from mobile devices, web browsing patterns, and software usage telemetry. Modern digital systems generate vast quantities of indicator data. A mobile phone continuously transmits location information to cell towers; this information is retained by telecommunications providers and accessible to entities with legal authority or network access.
Physical indicators include office locations, vehicle types and registrations, staff routines, visitor patterns, and observable equipment. Regular observation of an office can reveal staff numbers, working hours, and visitor identities. Vehicle registrations link individuals to organisations. Visible equipment like satellite dishes indicates communications capabilities.
Social indicators include relationships between individuals, organisational affiliations, meeting attendance, and social network connections. Who attends meetings together reveals relationships. Conference attendance reveals professional interests and network connections.
+-------------------------------------------------------------------+| INDICATOR AGGREGATION MODEL |+-------------------------------------------------------------------+| || INDIVIDUAL INDICATORS AGGREGATED INTELLIGENCE || (Low sensitivity alone) (High sensitivity combined) || || +--------------------+ || | Flight booking: | || | LHR to NBO +--------+ || +--------------------+ | || | || +--------------------+ | +------------------------+ || | Visa application: | +---->| | || | Kenya +------------->| Staff member X | || +--------------------+ +---->| travelling to | || | | Dadaab refugee camp | || +--------------------+ | | on 15 March | || | Mobile location: | | | for protection | || | Dadaab coordinates +--------+ | assessment mission | || +--------------------+ | | | || | +------------------------+ || +--------------------+ | || | Email metadata: | | || | Exchange with +--------+ || | UNHCR protection | || +--------------------+ || || +--------------------+ || | Calendar entry: | || | "Field visit" +--------+ || | 15-17 March | || +--------------------+ || |+-------------------------------------------------------------------+Figure 3: Individual indicators aggregating into actionable intelligence
The aggregation problem means that organisations cannot protect critical information simply by protecting individual data points. An adversary with access to multiple indicator streams can correlate data to derive protected information. Effective OPSEC must consider the aggregate exposure across all indicator categories, not just individual data protection.
Information Compartmentalisation
Compartmentalisation limits information distribution so that compromise of one area does not expose all critical information. The principle operates at multiple levels: between organisations, within organisations, between systems, and between data stores. Compartmentalisation imposes operational costs through reduced information sharing and coordination complexity; these costs must be balanced against the protection benefits.
Need-to-know is the fundamental compartmentalisation principle: individuals receive access to information required for their specific role and no more. A finance officer needs budget information but not beneficiary identities. A driver needs destination addresses but not meeting purposes. A communications officer needs activity summaries for public reporting but not operational details. Need-to-know requires explicit consideration of what information each role requires rather than defaulting to broad access.
Organisational compartmentalisation separates information between teams, departments, or functional areas. A protection programme may operate with stricter compartmentalisation than a food distribution programme because the consequences of protection information exposure are more severe. Compartmentalisation boundaries should align with both functional requirements and risk levels.
System compartmentalisation separates information across different technical systems. Highly sensitive information may reside on systems with restricted access, air-gapped networks, or specialised security controls. The goal is ensuring that compromise of general-purpose systems does not expose the most sensitive information. A case management system containing protection data should not share infrastructure or credentials with general office productivity systems.
Geographic compartmentalisation limits information sharing between locations. A country office may maintain local compartmentalisation so that compromise of one field office does not expose information held by other offices. This approach requires careful design of information architecture and access controls.
Temporal compartmentalisation limits how long information remains accessible. Completed cases may be archived or deleted. Operational plans may have access revoked after execution. Meeting notes may be destroyed after a defined period. Temporal limits reduce the exposure window and limit the historical information available to adversaries who gain access.
The compartmentalisation implementation requires documenting what information exists, who needs access, and how access is technically controlled. This documentation enables systematic review and adjustment as organisational needs change.
Counter-Surveillance Awareness
Counter-surveillance encompasses awareness of and responses to surveillance activities targeting the organisation, its staff, or its operations. Surveillance may be physical, technical, or social, and counter-surveillance addresses each domain.
Physical surveillance detection involves recognising indicators that individuals or locations are under observation. Fixed surveillance uses stationary observation posts, often in vehicles, buildings, or commercial establishments with sight lines to targets. Mobile surveillance follows targets through their movements using individuals on foot or in vehicles. Surveillance teams typically use multiple personnel to reduce detection risk and maintain coverage.
Surveillance indicators include individuals or vehicles appearing repeatedly in different contexts, unusual interest in the organisation’s activities, vehicles parked with occupants for extended periods near organisational facilities, and individuals engaging in activities inconsistent with their apparent purpose. These indicators require baseline awareness of normal patterns; surveillance detection depends on recognising departures from expected behaviour.
Technical surveillance detection addresses monitoring through electronic means. This includes compromised devices, interception of communications, tracking through mobile phone signals, and covert recording devices. Detection ranges from simple measures like checking devices for tampering to sophisticated technical sweeps for radio frequency emissions. Most organisations lack capability for comprehensive technical counter-surveillance; the practical approach focuses on assuming technical surveillance may occur and implementing protective measures accordingly.
Social surveillance involves human sources within or around the organisation collecting information through relationships. Social surveillance exploits normal human interactions: conversations, observations, and access gained through trusted roles. Detection is difficult because surveillance activities appear as normal social interaction. Indicators include unusual interest in information beyond someone’s apparent need, attempts to build relationships with access to sensitive information, and information requests that seem inconsistent with stated purposes.
Counter-surveillance responses depend on context. In some environments, detecting surveillance triggers immediate evacuation and operational changes. In others, awareness without overt response allows continued operation while implementing additional protective measures. The appropriate response depends on threat assessment, operational necessity, and risk tolerance.
OPSEC Culture and Training
Technical measures and procedures cannot substitute for a security-conscious organisational culture. OPSEC effectiveness depends on staff at all levels understanding threats, recognising indicators, and habitually applying protective measures. This cultural dimension requires sustained attention rather than one-time training.
Initial training introduces OPSEC concepts, threat environment, critical information, and basic countermeasures. This training should be specific to operational context; generic security awareness training does not build OPSEC capability. Staff should understand why particular information requires protection and how their actions can create indicators. Training should include realistic scenarios based on actual threats and operational situations.
Ongoing reinforcement maintains awareness and adapts to changing circumstances. Brief security updates at staff meetings, circulation of relevant threat information, and incident reviews all reinforce OPSEC principles. Security considerations should be integrated into operational planning processes, not treated as separate concerns addressed by security specialists alone.
Scenario exercises test and develop OPSEC capability through practical application. Tabletop exercises present situations requiring security decisions and examine reasoning and responses. More elaborate exercises may simulate surveillance detection, device seizure scenarios, or information requests under pressure. Exercises reveal gaps in understanding and provide learning opportunities in low-stakes environments.
Leadership modelling shapes organisational culture more than formal training. When leaders visibly practise OPSEC measures, staff perceive security as organisationally important. When leaders bypass security procedures for convenience, staff receive implicit permission to do the same. Leadership commitment must be demonstrated through action, not just policy.
Reporting culture determines whether security concerns surface for organisational response. Staff must feel comfortable reporting potential security incidents, suspicious approaches, and observed vulnerabilities without fear of blame for security problems. A punitive response to security reports ensures that future incidents go unreported.
Implementation Considerations
OPSEC implementation varies substantially based on organisational capacity, threat environment, and operational requirements. The following guidance addresses different implementation contexts.
Organisations with Limited Security Capacity
Organisations without dedicated security staff can implement foundational OPSEC through structured risk awareness. Begin with a critical information list that identifies the 10 to 15 specific items most important to protect. Develop this list through discussion among leadership, considering what information would most benefit adversaries and what harms would result from disclosure.
Conduct basic threat analysis by documenting known and suspected adversary interest, observed surveillance or targeting incidents, and security incidents affecting peer organisations. This analysis need not be sophisticated; even informal documentation creates a foundation for systematic thinking.
Implement basic countermeasures focusing on the highest-impact, lowest-cost protections: communications encryption using end-to-end encrypted messaging for sensitive discussions, basic digital hygiene including unique passwords and two-factor authentication, minimal public exposure of staff identities and locations, and need-to-know discussion of sensitive information.
Review OPSEC status quarterly, examining whether the threat environment has changed, whether new critical information has emerged, and whether countermeasures remain appropriate.
Organisations with Dedicated Security Functions
Organisations with security officers or teams can implement comprehensive OPSEC programmes. Formal OPSEC assessments should occur at least annually and whenever significant operational changes occur. These assessments work systematically through the OPSEC process, documenting critical information, threats, vulnerabilities, risks, and countermeasures.
Integrate OPSEC into operational planning by including security review in programme design, travel authorisation, communications planning, and partnership development. Security considerations should inform decisions proactively rather than reviewing decisions after the fact.
Develop context-specific countermeasure packages for different operational environments. A countermeasure package for a high-risk field location might include specific communications protocols, travel procedures, and emergency response plans. These packages provide ready guidance without requiring individual analysis for each situation.
Maintain threat intelligence through relationships with peer organisations, security coordination bodies, and diplomatic security services where appropriate. Sector information sharing improves threat awareness beyond what any single organisation can develop.
Conduct regular training and exercises to build and maintain staff capability. Include OPSEC in onboarding, provide periodic refresher training, and conduct scenario exercises at least annually.
High-Risk Operational Contexts
Organisations operating in environments with sophisticated state adversaries or active armed conflict require enhanced OPSEC measures. These contexts justify security investments that would be disproportionate in lower-risk environments.
Assume technical surveillance of communications and implement appropriate protections as described in Secure Communications Under Surveillance. This assumption changes operational practice: sensitive discussions occur in person in secure locations rather than through any electronic medium.
Implement strict compartmentalisation so that compromise of any individual or system exposes limited information. This may require multiple identity systems, separate communications channels for different sensitivity levels, and physical separation of sensitive operations.
Establish surveillance detection procedures and train staff in recognition of surveillance indicators. Consider whether surveillance detection should trigger immediate response or quiet adaptation depending on context.
Develop duress protocols for situations where staff face coercion. These protocols might include duress words indicating that communications are compromised, procedures for device handling under threat of seizure, and escalation paths for emergency response.
Coordinate with diplomatic security, UN security coordination, or security coordination bodies for your sector. These coordination mechanisms provide threat intelligence, incident reporting, and potentially emergency support.
Balancing Security and Operations
OPSEC countermeasures impose costs on operational effectiveness. Compartmentalisation reduces collaboration. Communications security adds friction. Travel security slows movement. The appropriate balance depends on threat level and operational necessity.
Low-threat environments warrant minimal security overhead beyond basic digital hygiene and awareness. Excessive security measures in low-threat environments waste resources and create friction without commensurate benefit. The key is accurate threat assessment, not default assumption of high threat.
High-threat environments justify significant security overhead because the consequences of compromise are severe. Staff inconvenience and operational friction are acceptable costs when the alternative is exposure of protected populations or physical threat to staff.
Moderate-threat environments, where most organisations operate, require nuanced balance. Apply heightened security to genuinely sensitive activities while maintaining operational efficiency for routine functions. Differentiate between activities requiring strict OPSEC and activities where normal professional practices suffice.
The goal is proportionate security that addresses actual risks without imposing unnecessary burden. This requires ongoing calibration as threat environments change and operational needs evolve.
+------------------------------------------------------------------+| OPSEC IMPLEMENTATION BY CONTEXT |+------------------------------------------------------------------+| || THREAT LEVEL || Low Moderate High || | | | || +----------v------------------v-------------------v----------+ || | | || | COUNTERMEASURE INTENSITY | || | | || | +--------------+ +--------------+ +--------------+ | || | |Basic hygiene | |Selective | |Comprehensive | | || | |only | |OPSEC for | |OPSEC across | | || | | | |sensitive | |all operations| | || | | | |activities | | | | || | +--------------+ +--------------+ +--------------+ | || | | || +------------------------------------------------------------+ || || +------------------------------------------------------------+ || | | || | RESOURCE ALLOCATION | || | | || | Minimal Moderate Substantial | || | dedicated security security | || | security coordination programme | || | resources and oversight with dedicated | || | staff | || | | || +------------------------------------------------------------+ || || +------------------------------------------------------------+ || | | || | OPERATIONAL IMPACT | || | | || | Minimal Some friction Significant | || | impact on for sensitive constraints on | || | operations activities all operations | || | | || +------------------------------------------------------------+ || |+------------------------------------------------------------------+Figure 4: OPSEC implementation intensity calibrated to threat level