Operations Security CHAPTER 6 Third Law The third and last law of operations security is "If you are not protecting it (the information), ... THE DRAGON WINS!" [5]. This law is an overall reference to the necessity of the operations security process. If we do not take steps to protect our information from the dragon (our adversaries or competitors), they win by default. The case of the "dragon" winning--from the constant appearance of security breaches reported by the news media and on Web sites that track breaches, such as www.datalossdb.org--appears to be unfortunately common. In many cases, we can examine a breach and find that it was the result of simple care- lessness and noncompliance with the most basic security measures and due diligence. We can see an example of exactly this in a breach announced by Louisiana's Tulane University in January 2011. In this case, the university exposed a database containing the names, addresses, Social Security numbers, and tax documents for every employee of the school, more than 10,000 individuals all told [6]. Although we might assume that a wily band of hackers had subverted the university's stringent security measures and managed to steal a copy of the database from a protected system on the 91