An official training service of the State of the Kaharagians
SIG 220 Communications Security and Digital Discipline
Lesson 10 of 10 · SIG 220

Operational Security in the Information Age

Lesson Overview

The earlier lessons of this course protected the radio: they taught the threats to our communications, emission control and the quiet net, authentication, security without encryption, the discipline that keeps devices and accounts safe, what traffic analysis reveals, the electronic warfare an adversary wages, the physical and personnel security of our communications, and how to recover when security fails. This final lesson widens the lens from the message to the member. Operational security, or OPSEC, is the habit of seeing your own activity as an outsider would, finding the small pieces of unguarded information that together reveal what you are doing, and closing them off before they add up. It matters more, not less, in the information age, because so much of what an adversary once had to work to gather is now volunteered freely: a posted photograph, a published schedule, a routine anyone can watch, a profile anyone can read.

OPSEC is a process and a habit at the same time. The process is a short, repeatable cycle that any member or section can run over an activity. The habit is the instinct, carried into ordinary life and especially online, of not giving things away for free. This lesson teaches both. It explains the OPSEC cycle step by step, then shows how patterns of life leak intentions even when nothing secret is ever spoken, how metadata and geotags turn a harmless-looking photo into an intelligence report, and how social-media and online-footprint discipline is now an ordinary part of soldiering. The frame is defensive and lawful throughout: the work of OPSEC is protecting our own people, our members, and the people the Army serves, never watching or attacking anyone else.

This is the knowledge layer. The OPSEC cycle, the photo checks, and the social-media discipline are practised and signed off in person and on airsoft milsim exercises, where a section runs the cycle over a real task and a directing staff member plays the part of the adversary reading what is left exposed. Radio is actually transmitted only by licensed members or on licence-free or low-power sets. By the end you will be able to define OPSEC and run its five-step cycle over an activity, identify your own critical information, describe the threat realistically for a humanitarian home-defence force, find your vulnerabilities and assess the risk they carry, apply proportionate countermeasures, explain how patterns of life and online metadata leak intentions without a word of secret being spoken, and carry a disciplined, lawful, defensive online footprint as a normal part of your service.

Key Terms

  • OPSEC (operational security): the process of protecting small, individually harmless pieces of information that an adversary could assemble to work out what you intend to do; and the habit of not giving such pieces away.
  • Critical information: the few specific facts about your activity that you most need to keep from an adversary, such as a timing, a location, a strength, a capability, or an intention. OPSEC begins by naming these.
  • Indicator: any observable sign, a transmission, a movement, a posted photo, a routine, a purchase, from which an adversary can infer a piece of critical information.
  • Pattern of life: the regular routines, timings, and repeated behaviours of a person or unit, which reveal intentions and normality even when nothing secret is ever said, and against which the abnormal stands out.
  • Metadata: data about data; information attached to a file that is not its obvious content, such as the time, date, camera, and location stored inside a photograph.
  • Geotag: a location stamp, usually a latitude and longitude, embedded in a photo, post, or check-in, recording where it was made.
  • Digital footprint: the trail of information a person leaves online through profiles, posts, photos, check-ins, connections, and the metadata behind them, which together describe far more than any single item.
  • Aggregation: the way many small, open, harmless-looking pieces combine into a picture worth protecting; the central reason OPSEC guards the trivial.
  • Data minimisation: holding, collecting, and sharing only what is genuinely needed, so there is less to leak, lose, or aggregate.
  • Adversary: in OPSEC, anyone whose knowledge of your critical information would do harm; defined honestly and proportionately, not imagined as a film villain.

What OPSEC is, and why it is not secrecy

It is tempting to think a force keeps its secrets by classifying the important things and locking them away. That is part of security, but it is not OPSEC, and on its own it fails. The reason is aggregation. An adversary rarely needs to steal one big secret; far more often they assemble many small, open facts that no single person thought worth guarding, and the assembled picture is the secret. None of the pieces is classified. The timing comes from a published schedule, the place from a posted photo, the strength from a group picture, the intention from a routine anyone could watch. Each piece is harmless. Together they are an intelligence report you wrote for free.

OPSEC is the discipline of seeing your own activity from the outside, as an observer would, and asking what those scattered pieces add up to. It does not replace keeping genuine secrets; it guards the unclassified trivia that secrecy ignores. This is why OPSEC is everyone's job and not just the planner's. The person who keeps the real plan in a sealed envelope has done their part, and the person who posts a cheerful photo from the assembly area at the appointed hour has undone it. In a small force especially, where one careless member can expose the whole, OPSEC is a shared habit before it is a procedure.

A word on tone, because it matters for a humanitarian force. OPSEC can be taught as paranoia, and taught that way it does harm: it makes people fearful, secretive, and unpleasant, and it is unsustainable. That is not the aim here. The aim is a calm, proportionate awareness, the same instinct a sensible person already uses when they do not announce to strangers that their house will be empty next week. You are not hiding from the world. You are simply not handing it, for nothing, the few pieces that would let someone work out what you and the people you protect are about to do.

The OPSEC cycle

The process at the heart of OPSEC is a short cycle of five steps, run in order and then run again as things change. It is small enough to do in your head for a quick task and worth writing down for a planned one. The five steps are: identify your critical information, identify the threat, find your vulnerabilities, assess the risk, and apply countermeasures.

                  THE OPSEC CYCLE

        +-----------------------------------+
        |  1. IDENTIFY CRITICAL INFORMATION |
        |     What few facts must not get   |
        |     out? (timing, place, strength,|
        |     capability, intention)        |
        +-----------------------------------+
                        |
                        v
        +-----------------------------------+
        |  2. IDENTIFY THE THREAT           |
        |     Who would want it, and what   |
        |     can they realistically see?   |
        +-----------------------------------+
                        |
                        v
        +-----------------------------------+
        |  3. FIND YOUR VULNERABILITIES     |
        |     What indicators leak it?      |
        |     (posts, photos, routines,     |
        |     traffic, talk, metadata)      |
        +-----------------------------------+
                        |
                        v
        +-----------------------------------+
        |  4. ASSESS THE RISK               |
        |     How likely is it seen, how    |
        |     bad if it is? Worst first.    |
        +-----------------------------------+
                        |
                        v
        +-----------------------------------+
        |  5. APPLY COUNTERMEASURES         |
        |     Remove, reduce, or mask the   |
        |     worst indicators first.       |
        +-----------------------------------+
                        |
            (then run it again as the
             task and threat change) ----> back to step 1

Step one, identify your critical information. Ask what few specific facts about this activity would genuinely help an adversary if they had them. Resist the urge to list everything; OPSEC drowns when everything is critical. For a section moving to support an exercise the critical information might be only the timing of the move, the assembly point, the strength of the group, and the fact that a particular capability such as the Army's Team Awareness Kit is being used. Name those, and you know what the rest of the cycle is protecting.

Step two, identify the threat. Ask honestly who would want this information and what they can actually observe. For a humanitarian home-defence force with no enemy, the threat is not a foreign army; it is the ordinary, plausible one. It is a curious or hostile individual online who can read public profiles and posts. It is a casual observer who can watch a routine. It is the simple risk of embarrassment or of exposing a member's home, identity, or the people the Army serves. Defining the threat proportionately keeps the rest of the cycle sane; an honest small threat still deserves the discipline, but it does not justify treating every member as a spy.

Step three, find your vulnerabilities. Now look for the indicators, the observable signs through which your critical information could leak. Walk through the channels: what gets posted or photographed, what routine could be watched, what would show in radio traffic, what gets said in clear, what metadata rides along unnoticed. This is the step where you read your own activity as the adversary would. A vulnerability is any indicator that connects, even indirectly, to a piece of critical information.

Step four, assess the risk. For each vulnerability weigh two things together: how likely it is that the adversary actually sees and understands the indicator, and how much harm it would do if they did. This is the same likelihood-and-impact judgement taught across the College, kept small. Not every vulnerability is worth closing; the cycle's value is that it points your limited effort at the few that combine real exposure with real harm. Take a reasonable worst case rather than a comforting one.

Step five, apply countermeasures. Close the worst vulnerabilities first, by the cheapest means that works: remove the indicator, reduce it, or mask it. Do not post the photo. Strip the location. Vary the routine. Pass the sensitive detail in person or by a secure bearer rather than over an open net, exactly as Lesson 04 taught. Then, because nothing stays still, run the cycle again as the task and the threat change. OPSEC is not a form filled in once; it is a loop you keep turning.

Patterns of life: what routine gives away

The most underrated leak is not a secret spoken but a routine observed. A pattern of life is the regular shape of what a person or unit does: the same training night each week, the same route to the same assembly area, a quiet net that suddenly carries a surge of traffic, vehicles that gather on the same morning. None of it is secret. No one ever said a word they should not have. Yet from the pattern alone an observer learns your normality, and from a break in the pattern they learn that something is about to happen.

This connects directly to traffic analysis from Lesson 01. There the lesson was that an adversary learns from the volume, timing, and direction of radio traffic without understanding a single word. Pattern of life is the same idea carried off the radio and into everything you do. A surge of activity, a gathering, a change in routine, all signal intention as loudly as a plain-language transmission, and they do it without anyone breaking a rule.

The defence is partly to vary what can be varied, routes, timings, the shape of a routine, so that there is no fixed pattern to read, and partly to manage the abnormal. The hardest signals to hide are the spikes: the sudden surge before an activity is exactly when the pattern shouts loudest. Where it matters, build up and wind down gradually rather than in a visible step, keep the routine ordinary right up to the moment, and remember that the quietest pattern of all is the activity an observer never knew began. This is the EMCON mindset of Lesson 02 applied to behaviour as well as to the radio: the indicator you never create cannot be read.

Metadata, geotags, and photographs

A photograph looks like nothing more than its picture. It is far more. Inside the file, unseen, most cameras and phones record metadata: the exact time and date the photo was taken, the device that took it, the settings, and, very often, a geotag, the precise latitude and longitude where the shutter was pressed. A member who posts a single photo from an assembly area, meaning only to share a good moment, may be publishing the place to within a few metres and the time to the minute. The picture itself adds the rest: faces that identify members, a vehicle, a piece of equipment, a building recognisable in the background, the strength of the group visible at a glance.

The diagram below shows how much one casual post can leak, and to whom.

        ONE POSTED PHOTO  ->  WHAT IT CAN LEAK

   +---------------------------------------------------------+
   |  The visible picture          The hidden metadata       |
   |  -------------------          --------------------       |
   |  * faces -> who is here        * geotag  -> exact place  |
   |  * group size -> strength      * timestamp -> exact time |
   |  * vehicle / kit -> capability * device  -> who posted   |
   |  * background -> the location  * other posts -> pattern  |
   +---------------------------------------------------------+
                          |
                          v        an observer aggregates:
        +-----------------------------------------------+
        |  WHO  was at  WHERE  at  WHEN  with  WHAT,     |
        |  doing this  HOW OFTEN  =  a pattern of life   |
        |  and an intention, built from "harmless" posts |
        +-----------------------------------------------+
                          |
                          v
        Risk to: members' identities and homes, the
        people the Army serves, and the activity itself.

The same goes for what is published in text. A roster posted to coordinate a small team tells an adversary the strength, the names, and who does what. A schedule shared for convenience tells them the timing. A check-in or a tagged location does the geotag's work in the open. None of these is wrong to hold; the error is publishing them where anyone can read them, or letting a tool attach a location you never meant to share.

The countermeasures are plain and they cost almost nothing. Turn off location services for the camera, or strip the geotag before sharing. Think before you post anything connected to Army activity, and when in doubt, do not. Do not publish rosters, schedules, or anything naming members where the public can see it; use the Army's own gated systems for coordination, and pass sensitive detail by a secure bearer or in person. Protect the identities of members and especially the safety of the people the Army serves, who did not consent to appear in your feed. And apply data minimisation to your own footprint: the less you put out, the less there is to aggregate. A good test before posting is simply to ask what an unfriendly stranger could work out from this, alone and combined with everything else already out there.
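The check-and-strip countermeasure above, as an added example that is not part of the original lesson: Python that lists the Exif indicators carried in a JPEG header and removes the metadata segments before sharing. The function names and the sample file are constructed for illustration, and the sample is a file skeleton rather than a viewable picture.

```python
import struct

# IFD0 tags that act as indicators in the lesson's sense.
LEAKY_TAGS = {0x8825: "geotag (GPS IFD)", 0x0132: "timestamp",
              0x010F: "device make", 0x0110: "device model"}
# Segments that hold metadata rather than picture data:
# APP1 = Exif/XMP, APP13 = IPTC/Photoshop, COM = free-text comment.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}

def encode_segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def split_jpeg(jpeg):
    """Return ([(marker, payload), ...], tail); tail starts at the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:               # start of scan: compressed picture follows
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("bad segment length at offset %d" % pos)
        segs.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]

def exif_indicators(payload):
    """List the leak-relevant IFD0 tags present in one Exif APP1 payload."""
    if not payload.startswith(b"Exif\x00\x00"):
        return []                        # APP1 can also hold XMP; not parsed here
    tiff = payload[6:]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return []
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return []
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    found = []
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) < 12:
            break                        # truncated directory: keep what was read
        (tag,) = struct.unpack(order + "H", entry[:2])
        if tag in LEAKY_TAGS:
            found.append(LEAKY_TAGS[tag])
    return found

def audit(jpeg):
    """Read the file as an observer would: which indicators ride along?"""
    segs, _ = split_jpeg(jpeg)
    return [name for marker, payload in segs if marker == 0xE1
            for name in exif_indicators(payload)]

def strip_metadata(jpeg):
    """Rebuild the file without metadata segments; picture data is untouched."""
    segs, tail = split_jpeg(jpeg)
    kept = b"".join(encode_segment(m, p) for m, p in segs if m not in METADATA_MARKERS)
    return b"\xff\xd8" + kept + tail

def constructed_sample():
    """Constructed file skeleton: JFIF header plus Exif with timestamp and GPS pointer."""
    stamp = b"2026:01:10 08:00:00\x00"                    # invented value, 20 bytes
    ifd0 = (struct.pack("<H", 2)
            + struct.pack("<HHII", 0x0132, 2, 20, 38)     # DateTime string at offset 38
            + struct.pack("<HHII", 0x8825, 4, 1, 58)      # GPS IFD pointer to offset 58
            + struct.pack("<I", 0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + stamp + b"\x00" * 6  # empty GPS IFD
    return (b"\xff\xd8" + encode_segment(0xE0, b"JFIF\x00" + b"\x00" * 9)
            + encode_segment(0xE1, b"Exif\x00\x00" + tiff) + b"\xff\xda\x00\x02\xff\xd9")
```

Stripping the file removes only the hidden-metadata column of the diagram; faces, kit, and background in the picture itself still need the think-before-you-post check.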

Online footprint discipline as modern soldiering

Caring about your online footprint is not separate from soldiering; it is part of it now. The same care applies whether you are in uniform or not, because an adversary does not respect the line between your service and your personal account. Carry the discipline into ordinary life: be deliberate about what your public profiles reveal, about who can see what, about announcing your movements and routines, and about photographs that place you, your home, or other members. This is not about hiding or living in fear. It is the same proportionate awareness OPSEC asks for everywhere, applied to the place where most leaks now happen.

A few habits cover most of it. Keep personal accounts private and review who can see them. Do not advertise that you are a member in ways that expose others, and never reveal a fellow member's identity, role, or home without their leave. Be wary of strangers who take an unusual interest, and of the friendly-seeming account that probes for detail; that is social engineering, and it is the human cousin of the phishing taught in Lesson 05. Separate your service life from your public posting. And remember that what you put online is effectively permanent and copyable, so the only reliable control is at the moment before you post.

This footprint discipline also protects the people the Army serves. A humanitarian force works among vulnerable people in difficult moments, and those people have a strong claim to privacy and safety. A photo that identifies someone the Army has helped, a location that exposes where assistance is being given, a detail that singles out a household, can do real harm. Protecting them is not an optional courtesy; it is a duty, and it is the clearest expression of why OPSEC for this Army is wholly defensive. We guard information to keep our own people and the people we serve safe, never to gather information on anyone else.

In Practice: A Section Runs the Cycle Before an Exercise

A section of six, led by a Corporal, is to move on a Saturday morning to support a milsim exercise, carrying a Meshtastic set and using the Army's Team Awareness Kit on the day. Before anyone packs, the Corporal runs the OPSEC cycle aloud with the section, because that is exactly how it was taught and signed off.

First, critical information. The section agrees the few facts worth protecting: the timing of the move, the assembly point, that there are six of them, and that they are fielding the TAK and mesh capability. Everything else is ordinary. Second, the threat. There is no enemy, so they name it honestly: a curious observer online, the risk of exposing a member's home or face, and the chance of revealing where the exercise is being run. Small, but real. Third, vulnerabilities. They walk their own indicators. One member usually posts a photo from the car park; another had already mentioned the Saturday plan on a public account; the group always meets at the same place at the same hour, a clear pattern; and the TAK certificates and devices, if lost, would expose the capability. Fourth, risk. They weigh each. The public post and the geotagged car-park photo are both likely to be seen and would hand over time, place, and strength together, so they rate highest. The fixed routine matters less for a one-off but is worth noting. The lost-device case is unlikely but would be serious. Fifth, countermeasures, worst first. The earlier public mention is taken down. No one posts from the assembly area; any photos wait until after, with locations stripped and no faces of members or of anyone the exercise involves. Coordination moves to the Army's gated channel rather than open chat, and the sensitive detail of the route is passed in person. Each member confirms their TAK device is locked, updated, and that they know the lost-or-stolen drill from Lesson 05. On the day, voice on the net stays brief and authenticated, the mesh carries only light position and chat, and nothing about the morning ever appears in public. The exercise runs, the directing staff member playing the adversary finds almost nothing to read, and the section has protected its activity, its members, and the people around the exercise without a single dramatic measure. It was, as OPSEC should be, calm and ordinary.

Check Your Understanding

  1. Explain why OPSEC protects small, individually harmless pieces of information rather than only genuine secrets, using the idea of aggregation. Why does this make OPSEC everyone's responsibility in a small force, and how does keeping the tone proportionate rather than fearful make the habit sustainable?
  2. Run the five-step OPSEC cycle over an activity of your choice. Working through the steps in order, identify the critical information, define the threat honestly for a humanitarian home-defence force, find at least two vulnerabilities or indicators, assess their risk by likelihood and impact, and name a proportionate countermeasure for the worst, taking the worst case first.
  3. Explain how a pattern of life and a posted photograph can each leak intentions without a single secret being spoken. In your answer, describe what metadata and geotags add beyond the visible picture, how a roster or schedule helps an adversary, and what plain countermeasures protect the identities of members and the safety of the people the Army serves.

Reflection (write a short paragraph): Look honestly at your own online footprint as an adversary would. Spend a little time reviewing what your public profiles, posts, photographs, and check-ins reveal about your routines, your connections, and any link to Army activity, and consider what someone could assemble by aggregating those small, open pieces. Then write what you would change, the privacy settings you would tighten, the locations you would stop sharing, the posts you would not make, and how you will carry that proportionate, lawful, defensive awareness into your service so that you protect not only yourself but your fellow members and the people the Army serves.

Summary

  • OPSEC is both a process and a habit: it protects the small, unclassified pieces of information that an adversary could aggregate into your intentions, and it is the calm, proportionate instinct of not giving those pieces away. Because aggregation builds a picture from trivia, OPSEC is everyone's job, not only the planner's.
  • The OPSEC cycle has five steps run in order and repeated as things change: identify your critical information, identify the threat honestly, find your vulnerabilities and indicators, assess the risk by likelihood and impact worst-first, and apply countermeasures to the worst first.
  • Patterns of life leak intentions without a word being spoken: routines, timings, and surges of activity reveal normality and signal that something is about to happen, the same lesson as traffic analysis (Lesson 01) carried off the radio, defended by varying what can be varied and managing the abnormal in the EMCON spirit of Lesson 02.
  • A single posted photograph can publish far more than its picture: the visible faces, group size, kit, and background, plus hidden metadata such as a geotag and timestamp; published rosters and schedules do the same in the open. The countermeasures are cheap: strip locations, think before posting, never publish rosters or member identities, use gated systems, and minimise your footprint.
  • Online footprint discipline is now part of soldiering, in uniform or not, and it is wholly defensive and lawful: we guard information to protect our own members and the people the Army serves, never to surveil or attack others. This lesson closes SIG 220 and carries its disciplined mindset into the Information Systems and Cyber Security speciality; it draws on Lesson 01 (the threat), Lesson 02 (emission control), Lesson 04 (security without encryption), and Lesson 05 (digital discipline), and supports FLD 230 (Patrolling), PME 210 (Staff Duties), and HCR 220 (Emergency Preparedness).

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia

Lesson 10 · Knowledge Check

Question 1 of 3

What does OPSEC protect?