Thursday 1 July 2010

Applying the Cooper Color Code to information security

A throwaway comment in a convoluted machine-translated blog led me to a fascinating Wikipedia piece about Jeff Cooper, father of the "modern technique" of handgun shooting, in particular the concept of "condition white". Condition white describes the state of mind of someone who is totally oblivious to a serious threat to their personal safety. Cooper used it in relation to situations involving violent assault where the potential victims don't even appreciate that they are in danger and hence are not in the least bit alert to the signs of impending attack. The attacker therefore has the element of surprise.

The Wikipedia piece describes four levels recognized by Cooper:
  • White - Unaware and unprepared. If attacked in Condition White, the only thing that may save you is the inadequacy or ineptitude of your attacker. When confronted by something nasty, your reaction will probably be "Oh my God! This can't be happening to me."
  • Yellow - Relaxed alert. No specific threat situation. Your mindset is that "today could be the day I may have to defend myself." You are simply aware that the world is a potentially unfriendly place and that you are prepared to defend yourself, if necessary. You use your eyes and ears, and realize that "I may have to SHOOT today." You don't have to be armed in this state, but if you are armed you should be in Condition Yellow. You should always be in Yellow whenever you are in unfamiliar surroundings or among people you don't know. You can remain in Yellow for long periods, as long as you are able to "Watch your six." (In aviation 12 o'clock refers to the direction in front of the aircraft's nose. Six o'clock is the blind spot behind the pilot.) In Yellow, you are "taking in" surrounding information in a relaxed but alert manner, like a continuous 360 degree radar sweep. As Cooper put it, "I might have to shoot."
  • Orange - Specific alert. Something is not quite right and has gotten your attention. Your radar has picked up a specific alert. You shift your primary focus to determine if there is a threat (but you do not drop your six). Your mindset shifts to "I may have to shoot HIM today," focusing on the specific target which has caused the escalation in alert status. In Condition Orange, you set a mental trigger: "If that goblin does 'x', I will need to stop him." Your pistol usually remains holstered in this state. Staying in Orange can be a bit of a mental strain, but you can stay in it for as long as you need to. If the threat proves to be nothing, you shift back to Condition Yellow. 
  • Red - Condition Red is fight. Your mental trigger (established back in Condition Orange) has been tripped: "If 'X' happens, I will shoot that person."
It occurred to me that it might be illuminating to reinterpret Cooper's color code in the information security context:
  • White - Unaware and unprepared. If attacked in Condition White by, say, some malware, a social engineer or hacker, the only thing that may save you is the inadequacy or ineptitude of your attackers. When confronted by something nasty, your reaction will probably be "Oh my God! This can't be happening to me", a state psychologists call 'denial'. 
  • Yellow - Relaxed alert. No specific threat situation. You are simply aware that the virtual world is a potentially threatening place. You use your eyes, ears and security software to look out for digital threats, realizing that "There are almost certainly threats out there." You should be in Condition Yellow whenever you are in unfamiliar surroundings, such as exploring different websites or handling email from people you don't know. You can remain in Yellow indefinitely, just as long as you are mentally able to stay sufficiently alert. In Yellow, you are constantly "taking in" details about information flows and situations that unfold before you in a relaxed but alert manner, like a continuous 360 degree radar sweep. If you are too tired or distracted to keep up your guard, you should avoid risky behaviors, becoming more conservative in your online activities. With practice, however, Yellow gradually becomes your default state of mind.
  • Orange - Specific alert. Something is not quite right and has gotten your attention. Your radar has picked up a specific information security risk. You adjust your primary focus, assessing the threat to determine what is going on, whether you are vulnerable, what might be the outcome if so and hence whether it is a genuine risk. Your mindset shifts to "Looks like I am being scammed and/or my information is being compromised," focusing on the specific target which has caused the escalation in alert status. In Condition Orange, you set a mental trigger: "If that goblin does 'x', I will definitely need to report a security incident and seek help." Staying in Orange requires some concentration but you can stay in it for as long as you really need to. If the threat comes to nothing, you shift down to Condition Yellow, though you may still call the Help Desk to report your suspicions. 
  • Red - Condition Red is fight-or-flight. Your mental trigger (established back in Condition Orange) has been tripped. You and your information assets are definitely under attack, or have already been compromised.  You definitely need to call the Help Desk urgently to report the incident and take their advice on what to do about it.
Our security awareness materials aim to bring the whole organization up to Condition Yellow and maintain it at that minimum level, while at the same time giving people the ammunition (the knowledge, understanding and skills) to (a) appreciate when things might be turning Orange or Red, and (b) react appropriately if they do.

As an information security professional, I find myself at Orange or Red most of the time yet, despite the occasional tinges of paranoia, it's a relatively happy place for me. This phenomenon seems to set infosec pros apart from the crowd.  I guess hackers are also comfortable in Orange or Red, with the additional motivation of creating or exploiting vulnerabilities rather than just finding and fixing them. 

Oh and by the way, hackers have virtual enemies too.  There's no honor among thieves.
