Applying Coopers' Colour Code to Cybersecurity
Introduction
This is a topic that has been on my mind for years which wondering how can present this idea across. With my area of expertise forcing on the human factors in cybersecurity often I find for certain topics covering the mindset that is needed to for people to avoid making security failures (clinking links in emails without thinking the most common) how do you give them a system to set their behaviour to identify and avoid security threats. I believe the Coopers Code has the potential to form part of a toolkit to achieving this though as with all things in security it is not a silver bullet and needs to used complimentarily with other tools.
In the 1980s, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the "combat mindset." Here is his summary:
Applying Coopers' Colour Code to Cybersecurity
Condition White: Is a state of complete unawareness. Here the users are not aware of what’s going on around them or anticipating what could happen next. This is the state that social engineering and phishing attacks are going to be successful.
Condition Yellow: Is a state of relaxed alertness with the user is engaged that can they can identify when something is not right. Here, people are not aware of anything that is wrong and are on the lookout for indicators of a threat. For example, here a user should be able to identify when a phishing email appears and what actions to take (report/block/delete) or if find a storage device in the car-park instead of plugging it into a computer they take it and report to the security department who then deal it.
Condition Orange: Is a state determined upon a specific adversary type of threat or attack that could be about to happen and are prepared to take action to prevent or mitigate against it. This is an area moving beyond a single user. For example, a threat actor has threatened to DDOS a companies website if they do not pay a ransom, therefore, the company takes actions to mitigate against such an attack that doesn't involve paying out as that highlights a company as an easy target.
Condition Red: Is a state where an attack has been successful in whatever degree and the affected organisation has to take action to minimise the damage that has been caused. For example, a ransomware attack they would be taking steps to minimise the number of affected systems and files. Removing the malware from their systems and networks. Ensuring that back-ups are unaffected so they continue operating with minimal disruption. Again there different reactions for an individual user being affected and a company.
Condition Black: Is the aftermath period of a cybersecurity incident. This where mistakes are identified and ideally resolved. Measures are put on place to fix or patch vulnerabilities. Also, how and why the attack happened and needs' to be examined so that such an incident can become less likely to happen again in the future. For example, ensuring that education and training material are not generic but include examples and use cases which reflect the roles and situations that the users will be exposed to and periodic update of those materials to include past incidents that affected the organisation they are at so ideally they do not make the same mistakes of those who came before them.
This is a topic that has been on my mind for years which wondering how can present this idea across. With my area of expertise forcing on the human factors in cybersecurity often I find for certain topics covering the mindset that is needed to for people to avoid making security failures (clinking links in emails without thinking the most common) how do you give them a system to set their behaviour to identify and avoid security threats. I believe the Coopers Code has the potential to form part of a toolkit to achieving this though as with all things in security it is not a silver bullet and needs to used complimentarily with other tools.
In the 1980s, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the "combat mindset." Here is his summary:
In this post, I am going to examine how the idea behind the colour code can be applied to the area of cybersecurity. It is also worth reading Bruce Schneier takes on the Colour and the potential pitfalls of applying the code outside combat situations. There are limits and to the area of applications of cybersecurity where the colour could be effectively applied but the areas of Human Factors, Situational Awareness, Threat Awareness, Education and Training are where I believe the colour code can be adapted to it.In White you are unprepared and unready to take lethal action. If you are attacked in White you will probably die unless your adversary is totally inept.In Yellow you bring yourself to the understanding that your life may be in danger and that you may have to do something about it.In Orange you have determined upon a specific adversary and are prepared to take action which may result in his death, but you are not in a lethal mode.In Red you are in a lethal mode and will shoot if circumstances warrant.
Exploring the Colour Code
It is worth noting the Colour Code stems from the USA and they have different attitude and culture which makes the concept behind the makes sense there but when applying outside that culture it does run into pitfalls.
Cooper broke down situational awareness into four levels of escalating degrees of preparation for police use of deadly force. This system is a mental process, not a physical one, and should be utilised whether or not you are armed – though being armed is always preferred. Being alert may help you to avoid a deadly threat in the first place, which is always the preferred outcome.
Some individuals try to improve on Cooper’s colour code by adding more stages, like “black” for dealing with the aftermath of an incident. Or using “black” to describe someone totally immobilised with panic, a condition the colour code is designed to prevent. For cybersecurity having a stage to reflect on an incident would be a natural addition since a good cybersecurity policy would have that mechanism in place anyway.
As Schneier says living in condition yellow is psychologically unhealthy for a long period of time. A partial solution is to have accurate threat profiles. When people give their mind a short, simple list of criteria to compare potential threats to, it helps them identify threats quicker and more accurately, it helps them avoid false alarms, and helps stay live safer and calmer at the same time.
There are exist other articles about applying the colour code to other areas outside its original remit. I will provide a summary of which type which looked at applying the colour code to the corporate world.
Condition White: can be defined as a state of complete unawareness. Condition white can be a common state early on Monday mornings and when teams are distracted by something outside of work, such as the weekend ahead or the one that just passed. In condition white, you are not aware of what’s going on around you or anticipating what could happen next.
Condition Yellow: can be best described as being a state of relaxed alertness. In condition yellow, people are not aware of anything that is wrong and are on the lookout for indicators of rising conflict. When operating in condition yellow we tend to be comfortable with what is going on around us while also alert for possible changes to our environment. By building a training program around what to look for in condition yellow you can help prepare your team for what lies ahead as conditions change.
Condition Orange: can be defined as being in a state where you realise that something has gone wrong or conflict has come up and you are actively making a plan as to how to deal with it. Condition orange sometimes can be ideal because a team is aware of what’s going on and is focused on doing the work that will move the business forward. Operating in condition orange can be also ideal from the client’s standpoint because they are getting the full attention of the person they are speaking to and all of their needs are being met. Feedback from clients usually often noted three things usually occur:
Condition Red: Occurs when executing the plan. Ideally, this would be the plan you came up with in condition orange, it could also be how you are reacting to an unforeseen or unforeseeable conflict or problem. Most of the time they were problems that were hard to anticipate, such as a trading mistake, an incorrectly filled out form or a misstatement of facts and figures. In the corporate environment, as in the military, it is impossible for an organisation to sustain while always operating in condition red. The highest levels of awareness and focus are great for short periods of time, but can lead to burnout and can also cause people to make silly mistakes because they are so focused on something specific and fail to see the big picture. Again, it is impossible to completely avoid condition red, so the goal should be to reduce the time spent in condition red as you develop your own personal skill set or those of any team you lead.
Condition Black: This is when everything is going badly and in a hurry. Condition black occurs when the stress of interaction has become so overwhelming that mental and physical processes start to break down, leading to a state of overall unawareness. While most organisations rarely operate in condition black, it can be the state where the worst client experiences take place. The goal for many organisations is to quickly identify exactly what to look for to identify condition black and then have a process built within your team to help get through it as fast as possible. In their experience, the best way to develop this plan to quickly get out of condition black in the corporate world is to step back and put yourself in the shoes of the client and articulate the exact process that you would like to see. By also having your team walk through this process you can come together to outline exactly what to look for when condition black occurs and how to move forward in the best way possible.
It is worth noting the Colour Code stems from the USA and they have different attitude and culture which makes the concept behind the makes sense there but when applying outside that culture it does run into pitfalls.
Cooper broke down situational awareness into four levels of escalating degrees of preparation for police use of deadly force. This system is a mental process, not a physical one, and should be utilised whether or not you are armed – though being armed is always preferred. Being alert may help you to avoid a deadly threat in the first place, which is always the preferred outcome.
Some individuals try to improve on Cooper’s colour code by adding more stages, like “black” for dealing with the aftermath of an incident. Or using “black” to describe someone totally immobilised with panic, a condition the colour code is designed to prevent. For cybersecurity having a stage to reflect on an incident would be a natural addition since a good cybersecurity policy would have that mechanism in place anyway.
As Schneier says living in condition yellow is psychologically unhealthy for a long period of time. A partial solution is to have accurate threat profiles. When people give their mind a short, simple list of criteria to compare potential threats to, it helps them identify threats quicker and more accurately, it helps them avoid false alarms, and helps stay live safer and calmer at the same time.
There are exist other articles about applying the colour code to other areas outside its original remit. I will provide a summary of which type which looked at applying the colour code to the corporate world.
Condition White: can be defined as a state of complete unawareness. Condition white can be a common state early on Monday mornings and when teams are distracted by something outside of work, such as the weekend ahead or the one that just passed. In condition white, you are not aware of what’s going on around you or anticipating what could happen next.
Condition Yellow: can be best described as being a state of relaxed alertness. In condition yellow, people are not aware of anything that is wrong and are on the lookout for indicators of rising conflict. When operating in condition yellow we tend to be comfortable with what is going on around us while also alert for possible changes to our environment. By building a training program around what to look for in condition yellow you can help prepare your team for what lies ahead as conditions change.
Condition Orange: can be defined as being in a state where you realise that something has gone wrong or conflict has come up and you are actively making a plan as to how to deal with it. Condition orange sometimes can be ideal because a team is aware of what’s going on and is focused on doing the work that will move the business forward. Operating in condition orange can be also ideal from the client’s standpoint because they are getting the full attention of the person they are speaking to and all of their needs are being met. Feedback from clients usually often noted three things usually occur:
- The salesperson on the team was listening to understand exactly what it was the client was looking for or missing, and they weren’t nervous that they had to have the perfect response to every potential issue that could come up.
- The salesperson knew the concept or product inside and out, and they didn’t have to scramble to find words to make it sound better. There was conviction in the delivery, and the client could tell.
- The client said thank you. Even today, in a world where people rarely communicate with each other verbally or in person, when people have a positive experience they appreciate it and say thanks.
Condition Red: Occurs when executing the plan. Ideally, this would be the plan you came up with in condition orange, it could also be how you are reacting to an unforeseen or unforeseeable conflict or problem. Most of the time they were problems that were hard to anticipate, such as a trading mistake, an incorrectly filled out form or a misstatement of facts and figures. In the corporate environment, as in the military, it is impossible for an organisation to sustain while always operating in condition red. The highest levels of awareness and focus are great for short periods of time, but can lead to burnout and can also cause people to make silly mistakes because they are so focused on something specific and fail to see the big picture. Again, it is impossible to completely avoid condition red, so the goal should be to reduce the time spent in condition red as you develop your own personal skill set or those of any team you lead.
Condition Black: This is when everything is going badly and in a hurry. Condition black occurs when the stress of interaction has become so overwhelming that mental and physical processes start to break down, leading to a state of overall unawareness. While most organisations rarely operate in condition black, it can be the state where the worst client experiences take place. The goal for many organisations is to quickly identify exactly what to look for to identify condition black and then have a process built within your team to help get through it as fast as possible. In their experience, the best way to develop this plan to quickly get out of condition black in the corporate world is to step back and put yourself in the shoes of the client and articulate the exact process that you would like to see. By also having your team walk through this process you can come together to outline exactly what to look for when condition black occurs and how to move forward in the best way possible.
Applying Coopers' Colour Code to Cybersecurity
Condition White: Is a state of complete unawareness. Here the users are not aware of what’s going on around them or anticipating what could happen next. This is the state that social engineering and phishing attacks are going to be successful.
Condition Yellow: Is a state of relaxed alertness with the user is engaged that can they can identify when something is not right. Here, people are not aware of anything that is wrong and are on the lookout for indicators of a threat. For example, here a user should be able to identify when a phishing email appears and what actions to take (report/block/delete) or if find a storage device in the car-park instead of plugging it into a computer they take it and report to the security department who then deal it.
Condition Orange: Is a state determined upon a specific adversary type of threat or attack that could be about to happen and are prepared to take action to prevent or mitigate against it. This is an area moving beyond a single user. For example, a threat actor has threatened to DDOS a companies website if they do not pay a ransom, therefore, the company takes actions to mitigate against such an attack that doesn't involve paying out as that highlights a company as an easy target.
Condition Red: Is a state where an attack has been successful in whatever degree and the affected organisation has to take action to minimise the damage that has been caused. For example, a ransomware attack they would be taking steps to minimise the number of affected systems and files. Removing the malware from their systems and networks. Ensuring that back-ups are unaffected so they continue operating with minimal disruption. Again there different reactions for an individual user being affected and a company.
Condition Black: Is the aftermath period of a cybersecurity incident. This where mistakes are identified and ideally resolved. Measures are put on place to fix or patch vulnerabilities. Also, how and why the attack happened and needs' to be examined so that such an incident can become less likely to happen again in the future. For example, ensuring that education and training material are not generic but include examples and use cases which reflect the roles and situations that the users will be exposed to and periodic update of those materials to include past incidents that affected the organisation they are at so ideally they do not make the same mistakes of those who came before them.
Conclusion
Hopefully, this post provides some new and/or interesting information and ideas. I have kept the application of Coopers' colour code to cybersecurity fairly general but if you were to focus solely on end-user the levels of situational awareness would be different, then if you focused solely on the expected situational awareness of a company. Finally, I might explore this idea further in a couple of future posts with one looking at the end/home user and the second an organisation.
Sources
Hopefully, this post provides some new and/or interesting information and ideas. I have kept the application of Coopers' colour code to cybersecurity fairly general but if you were to focus solely on end-user the levels of situational awareness would be different, then if you focused solely on the expected situational awareness of a company. Finally, I might explore this idea further in a couple of future posts with one looking at the end/home user and the second an organisation.
Sources
https://www.policeone.com/police-trainers/articles/coopers-colors-a-simple-system-for-situational-awareness-Np1Ni2TbRj9EkGUN/
https://dryfiretrainingcards.com/blog/the-myth-of-condition-yellow-and-situational-awareness/
https://www.cp-journal.com/coopers-color-code-corporate-world/https://dryfiretrainingcards.com/blog/the-myth-of-condition-yellow-and-situational-awareness/
Comments
Post a Comment