From social media stories and AI chatbots, today’s generation shares more online than any other demographic in history — often without realizing the potential consequences of what they’re giving away. In cybersecurity, that’s called an operational security or OPSEC risk.
Not many understand operational security better than Keith Tresh, a retired Army colonel, former chief information security officer for the states of California and Idaho and a current instructor for Boise State’s online cyber operations and resilience programs.
Tresh’s fascinating journey from the military to public cybersecurity leadership was featured in a faculty spotlight, but his current mission is to help the next generation grasp the importance of OPSEC in an era where oversharing has become second nature.
OPSEC 101: History and modern practice
When asked to define OPSEC, Tresh kept it simple:
“Operational security is really just trying to keep what’s going on within an organization protected — how you operate, what systems you use, what vulnerabilities exist — because if hackers or bad actors can figure out how you operate, they can exploit that.”
OPSEC’s origins go back to the Vietnam War, when the United States realized its enemies were intercepting small bits of unclassified information, radio communication, supply requests and soldier movements. They used this information to predict attacks before they occurred, allowing themselves time to prepare.
In response to this discovery, the Joint Chiefs of Staff launched “Operation Purple Dragon,” which studied how these leaks were happening and, in turn, set in motion a formal framework for OPSEC while the war was still ongoing.
The six-step OPSEC framework
Today, OPSEC follows a six-step universal framework that can be adjusted in practice based on the environment, integration with existing frameworks within the organization and the evolving environment of cyber threats:
- Identify critical information. What do you need to protect most? Financial information, intellectual property, research findings?
- Analysis of threats. Know who might want that information and why they would want it.
- Analysis of vulnerabilities. What safeguards do you have in place, and are there vulnerabilities in them?
- Assessment of risks. Rank and prioritize vulnerabilities.
- Apply countermeasures. Create a plan. Update systems, provide employee training and develop new policies.
- Periodic assessment of effectiveness. Never become stagnant. Always monitor to improve when and where necessary to continue to stay effective.
OPSEC is all about how human behavior and technology connect and interact, and the existing consequences of that relationship. Threat intelligence analysts attempt to anticipate how an attacker could collect and combine small pieces of public information — social media activity, job locations, known friends or family — to map vulnerabilities.
Open-source intelligence researchers use OPSEC awareness to discover what is already publicly available online and determine how an attacker could use that information to create openings.
Ultimately, OPSEC is about paying attention to how people share and connect to technology today, because even small habits can open the door to unintended consequences.
A chief information security officer’s take on the ‘era of oversharing’
“Operational security used to mean not letting the enemy know how you operate,” Tresh said. “Now, social media does that work for them.”
Tresh’s comments are a stark reminder that oversharing has turned into one of the most common and overlooked security risks. What used to require planned intelligence gathering has been replaced by searching through selfies on public accounts, location tagging and constant vlogs on life updates.
For instance, an internationally publicized heat map released by the popular Strava fitness app showed running routes around remote U.S. military bases in places like Iraq, Syria and Afghanistan. This happened because military personnel’s exercise routes were uploaded to Strava. This inadvertently mapped secure military facilities simply through the use of an everyday exercise tracking app.
“Operational security used to mean not letting the enemy know how you operate. Now, social media does that work for them.” – Keith Tresh
When asked which matters more in OPSEC, people or technology, Tresh emphasized the human factor, noting that humans remain the most crucial element in an organization’s security, regardless of the technological security layers in place. Advanced firewalls and encryption can’t stop someone from oversharing online. OPSEC isn’t just about secrecy — it’s about strategic awareness.
This is the mindset Boise State’s online cyber operations and resilience programs instill in students.
Training the next generation of cybersecurity experts
“Operational security has gone out the window — unless we start teaching people why it matters again,” Tresh said.
His experience and words serve both as a warning and a challenge for cybersecurity students. As technology continues to advance, Tresh reminds his students, the human aspect will remain the most important part of OPSEC — for both people and the organizations they represent.
Learn more about the cyber operations and resilience program
Boise State’s cyber operations and resilience program can open doors to new opportunities and a brighter future — and we’re here to support you every step of the way. Whether you’re exploring if an online program is right for you or need help transferring credits, connecting with a student success coach is the perfect first step.
Ready to learn more? Attend one of our online information sessions or contact a student success coach today.
Written by Joseph Murphy