We were trying to explain the concept of OPSEC to someone foreign to most of the professional worlds in which we live. We finally came up with a comprehensible analogy in the surprise birthday party.
• The management objective we need to protect is the party itself, which you can think of as the civilian equivalent of bombing a fortification or releasing a new product.
• The adversary is the person for whom the party is being held: the child, spouse, parent, friend, or other.
• The threat is the celebrant's natural curiosity or observant nature.
• The vulnerability is that the birthday celebrant will either put together what is happening from what they see and hear (why are all those caterers calling?), or that some blabby friend will tell them.
Since we know the adversary and their capabilities, we can now work on the vulnerabilities: getting friends to promise not to talk about the party when they might be overheard, putting the cake in someone else’s house, avoiding e-mail from a shared account, and doing all the other things that we need to do in order to successfully pull off a surprise birthday party.
Three things to be aware of are:
1. You are doing the same things you would need to do if you were protecting critical information in a commercial or military (rather than home) environment.
2. There is no huge cost required to protect the secrecy of the party, which is also generally the case in a commercial or military (rather than home) environment.
3. In spite of your best efforts, your cunning adversary may still figure out what is going on.