A countermeasure is anything that effectively negates or reduces an adversary’s ability to exploit a vulnerability.
Countermeasures are not one-size-fits-all.
They are specific actions tailored to disrupt the adversary’s kill chain (the process of observing, orienting, deciding, and acting).
Types of Countermeasures
OPSEC involves a mix of different types of tactics to keep an adversary off-balance.
These generally fall into three categories:
1. Administrative Countermeasures
- Restricting information only to those who absolutely require it.
- Guidelines on what employees can post regarding their work locations or schedules.
- Ensuring that trash doesn’t become a source of intelligence.
2. Physical Countermeasures
- Fences, guards, and badge-access entries.
- Environments designed to prevent electronic eavesdropping.
- Physically hiding equipment or activities from satellite or drone surveillance.
3. Technical & Deceptive Countermeasures
- Protecting data so that even if it’s intercepted, it remains unreadable.
- Creating fake activity to distract an adversary from the real operation.
- Limiting radio or Wi-Fi signals so an adversary cannot track a unit’s location.
Characteristics
For a countermeasure to be worth the investment, it should meet several criteria:
| Characteristic | Description |
| --- | --- |
| Cost-Effective | The cost of the countermeasure should not exceed the cost of the information being lost. |
| Targeted | It must directly address a specific vulnerability found in Step 3 of the process. |
| Simple | Overly complex security measures are often bypassed by employees looking for workarounds. |
| Variable | If a countermeasure is predictable, an adversary will eventually find a way around it. |
Risk assessment is critical before any action:
One common mistake in security is trying to protect everything. This is impossible and leads to security fatigue.
Before applying a countermeasure, leaders must perform a Risk Assessment.
This involves calculating the probability of a threat occurring and the impact it would have.
If a countermeasure costs $10,000 to implement but protects data that has a value of $1,000, it is a poor OPSEC decision.
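The risk assessment described above, worked through in Python as an added example that is not part of the original page. It assumes risk is probability times impact and that each countermeasure lowers the probability to an estimated residual value; all names and figures are constructed, apart from the $10,000 versus $1,000 case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    name: str
    probability: float  # chance of exploitation in the planning period, 0..1
    impact: float       # dollar value of the information if lost

@dataclass(frozen=True)
class Countermeasure:
    name: str
    targets: str                 # name of the vulnerability it addresses
    cost: float
    residual_probability: float  # assumed probability once it is in place

def assess(vulns, measures):
    """Return (selected, rejected): best measure per vulnerability, and reasons."""
    by_name = {v.name: v for v in vulns}
    best, rejected = {}, {}
    for m in measures:
        v = by_name.get(m.targets)
        if v is None:  # "Targeted": must map to an identified vulnerability
            rejected[m.name] = "no identified vulnerability"
            continue
        if m.cost > v.impact:  # the page's rule: cost must not exceed the value
            rejected[m.name] = "costs more than the information is worth"
            continue
        # Assumption: risk = probability * impact; benefit = risk removed - cost.
        net = (v.probability - m.residual_probability) * v.impact - m.cost
        if net <= 0:
            rejected[m.name] = "costs more than the risk it removes"
        elif v.name not in best or net > best[v.name][1]:
            if v.name in best:
                rejected[best[v.name][0].name] = "another option has a higher net benefit"
            best[v.name] = (m, net)
        else:
            rejected[m.name] = "another option has a higher net benefit"
    return {k: (m.name, net) for k, (m, net) in best.items()}, rejected

# Constructed sample data, not from the original page.
VULNS = [Vulnerability("schedules posted online", 0.5, 40_000),
         Vulnerability("archived newsletter", 0.5, 1_000)]
MEASURES = [
    Countermeasure("monitoring service", "schedules posted online", 12_000, 0.0625),
    Countermeasure("posting guideline", "schedules posted online", 2_000, 0.125),
    Countermeasure("encrypted archive", "archived newsletter", 10_000, 0.0),
    Countermeasure("perimeter fence", "unlisted site", 5_000, 0.0),
]
```

Here the simple posting guideline beats the costlier monitoring service on net benefit, even though the service removes slightly more risk.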
By systematically applying administrative, physical, and technical hurdles, an organization can transform itself from a soft target into a hard one.
The goal isn’t necessarily to become invisible, but to make the cost of looking too high for the adversary to pay.