Planning Method of Information Security for Military Organizations [1]

José Martins (1), Henrique dos Santos (2), Mendes Dias (1), José Borges (1)

(1) Academia Militar CINAMIL, Lisboa, Portugal
(2) Universidade do Minho DSI, Guimarães, Portugal

jose.carloslm@gmail.com
hsantos@dsi.uminho.pt
mendes.dias@academiamilitar.pt
jose.borges@academiamilitar.pt

Abstract

The main question to answer is: how to ensure the confidentiality, integrity, and availability of information within a military organization in an information warfare environment, in order to minimize information security risk? We propose a planning method, guided by some principles of war and taking into account known modes of action of an enemy. The planning method enables the identification of: (i) the main methods of attack that can occur; (ii) the baseline of controls applied in military organizations; (iii) the security controls applied per attack method and the validation of their effectiveness, according to the specific method of attack. In order to put the designed planning method of information security into practice, the authors followed an interpretive, qualitative, and inductive epistemological orientation, with Content Analysis, the Focus Group and the Case Study as the main research methods. The proposed planning method is based on: (i) a model that allows the identification of possible methods of attack on information, carried out using the Physical, Human and Technological infrastructure attack vectors; (ii) a framework of categories of information security controls (security dimensions: Organizational, Physical and Environmental, Human, and Technological); (iii) a decision-support matrix based on the attack vectors of an opponent and the possible effects of information security controls (Prevent, Detect, Deter, Deflect, Recover or React).
The method proposed in this work identifies the best combination of security controls to be applied against a particular method of attack, taking into account the lessons learnt. It is also based on the selection and recovery of the solutions successfully applied to past cases. This allows the military decision-maker to plan, focusing on the modes of action of an opponent, while considering the principles of war adapted to information security (Economy of Force, Maneuver, Unity of Command and Offensive).

Key Words: Information Security Planning, Information Security Method, Methods of Attack, Information Security Framework.

[1] This study does not reflect the vision or institutional guidelines of the Portuguese Army doctrine.