In the book Executive’s Guide to Personal Security, Second Edition (David S. Katz and Ilan Caspi, 2020, Wiley), the authors cite an older book titled Principles of Personal Defense (Jeff Cooper, 1989, Paladin), by Colonel Jeff Cooper, as the source of a color code system that defines mental awareness in relation to the implementation of personal defense. I’m not sure if the authors of the recent book have actually read Jeff Cooper’s book or if they simply borrowed the reference from other sources, but Cooper’s book makes no reference to the color code system. The system, however, is a tool taught by Cooper (so Katz and Caspi have given proper credit) for measuring alertness and can be applied to digital security awareness as well as physical security awareness.
The Color Code System: A Framework for Security Awareness
Color code systems are not new, but it is believed that Cooper was the first to apply one to mental alertness or awareness in relation to self-defense. Specifically, the code system Cooper presents is representative of your preparedness to act in relation to a threat. In his model, the levels are:
White: Relaxed and unprepared. In this state, you will be the victim, and the attacker will be the victor. The attacker is prepared to act, and you are not prepared to respond and, in fact, are not even aware that an attack is about to occur or is occurring. The only protection in this state of awareness is the inadequacy of the adversary.
Yellow: Relaxed but alert. You are aware that a problem could occur, but you are not focused on a specific threat. The protection in this state is that you are at least aware that a threat could exist because you know well that digital attacks are common, and you could be a likely target. This is the minimum state in which one should always exist when interacting with digital systems of any kind.
Orange: Specific alert. You are aware of a specific potential threat. One escalates from yellow to orange because of an identified threat or a specific likely threat. The orange state is an escalation state based on an observation in the yellow state. You immediately begin to ask what you should do in response to the threat. You will not remain in the orange state once the threat has passed but will revert to the yellow state. The orange state does not mean certain action, only that if the condition continues toward a threat as you expect, you are ready to escalate to red, which is a certain response state. This is an IF > THEN state. If the threat proves real (based on some metric), then we escalate to red and act.
Red: Controlled action. This is a state of aware action or controlled action. That is, we are not acting randomly or haphazardly, but we are acting as predetermined should the current threat materialize. For example, we may have determined in advance that if someone attempted to use social engineering to acquire information from us, we would immediately report this to the security group in our organization with all available details. We are not stressed in excess; we are simply acting in accordance with the plan.
Applying Security Awareness Levels to Digital Safety
As you can see, while these levels were defined as related to physical security and self-defense and the possible need to use force against an attacker, they apply equally well to digital security awareness. We should never be in the white state when interacting with any digital systems and should always remain in the yellow state, prepared to escalate when required.