Abstract
While there have been many calls to develop effective information security strategies against malign information operations, a gap remains in the systematization of available approaches. This article proposes a framework that outlines a broad conceptualization of information security approaches, dividing them into reactive defensive, proactive defensive, and offensive measures.
Introduction
Information threats are often perceived as among the most significant to democratic states and their social stability. Revisionist states, including Russia and China, and non-state actors like ISIS, have extensively used methods of information warfare to influence target audiences and achieve political results. This escalating challenge, amplified by the growing popularity of social media, has prompted scholars and practitioners to develop numerous frameworks and toolkits to counter foreign influence operations and disinformation in the information environment. There is, however, a noticeable lack of conceptualization and taxonomy of information security methods and strategies, with most available resources outlining a variety of counter-disinformation tactics rather than developing a comprehensive framework for systematizing such tactics and approaches.
This paper proposes a three-category taxonomy of information security approaches, dividing them into reactive defensive measures, proactive defensive measures, and offensive measures. A coherent systematization of tactics would enable scholars and practitioners to better understand the risks and benefits associated with each category of approaches, establish causal links between countermeasures and their effectiveness, design robust evaluation metrics, and develop more efficient information security strategies.
Categorizing Information Security Approaches
Competition in the information environment for narrative dominance and public opinion influence has become an important component of national security. In this competition, state and non-state actors employ Operations in the Information Environment (OIEs). OIEs are defined as “state-supported and strategy-driven influence activities with the goal of inclining a state to voluntarily make a predetermined decision desired by the initiator by targeting the state’s population through the information environment.” This creates a clear initiator-target dynamic, in which OIE initiators use these operations to promote desired narratives to achieve political objectives in targeted states. Nevertheless, unlike other dimensions of national security, no comprehensive conceptualization and taxonomy of information security strategies for target states have been developed, as existing approaches resemble a collection of tactics rather than coherent strategies. This leaves a major gap for scholars and practitioners in their understanding and systematization of the full range of possible tactics and methods.
Similar to military tactics, information security strategies can be first divided into defensive approaches, designed to protect the national information environment against foreign information influence and narratives, and offensive approaches, which leverage OIEs to disseminate desired narratives. Defensive approaches can be further classified into two subtypes (reactive and proactive) based on whether they merely respond to ongoing OIEs or are designed to preempt and prepare the population to counter information threats before they materialize. In that sense, the proposed framework divides information security approaches designed to counter foreign OIEs into three categories: reactive defensive measures, proactive defensive measures, and offensive measures.
Reactive defensive measures constitute ad hoc or preplanned activities implemented to counter foreign information influence. These measures represent the initial responsive mechanism of states targeted by foreign OIEs and often involve counter-disinformation communication, restrictions and bans on information distribution channels that disseminate disinformation, and information campaigns designed to provide objective and factual information. Depending on the level of formalization and strategic development of counter-OIE measures, these measures may include activities implemented in accordance with existing policies and strategic frameworks, or those that are not pre-planned and executed outside existing guidelines. As an example, reactive defensive measures designed to address ongoing Russian disinformation operations include the EU putting forward an EUvsDisinfo project that reveals the pro-Kremlin disinformation narratives about MH17 and the Latvian decision to suspend rebroadcasting Russian government-owned TV channels.
While reactive measures are used to rapidly address the challenges posed by information warfare and mitigate the manipulative influence of foreign OIEs, they cannot serve as a long-term solution. Counter-disinformation messaging and awareness campaigns primarily target the outcomes of OIEs rather than strengthen social resilience to disinformation or deter an initiator from employing information operations. The implementation of reactive measures also often raises legal concerns in democratic states when counter-messaging is accused of politicization, or when there is a risk of media restrictions infringing freedom of speech.
Proactive defensive measures comprise long-term, comprehensive institutional, strategic, and educational initiatives designed to develop a state’s information security capacity and to prepare the population for future foreign OIEs. These initiatives contribute to building information security capacity by outlining legal foundations and guidelines for countering foreign OIEs and establishing institutions tasked with implementing the information security strategy. Media literacy training and the promotion of credible sources of information are primary methods for strengthening social resilience to malign information influence campaigns, which are considered a cornerstone of an effective counter-disinformation approach. When implemented effectively, proactive measures enable a state to develop what can be termed ‘deterrence by denial’ within its information environment, convincing OIE initiators that their actions will not succeed in achieving political objectives and raising the costs and difficulty of conducting OIEs. To achieve this, however, the approach requires extended implementation timelines, demands substantial resources, and necessitates constant adaptation and reinforcement.
It is important to distinguish between proactive defensive measures aimed at bolstering state capacity and civic resilience, and propaganda and manipulation campaigns designed to discredit narratives deemed undesirable by a state. The Finnish government’s efforts to build national media literacy and critical thinking constitute a clear example of proactive defensive measures designed to prepare the population to counter foreign OIEs that rely on disinformation and malign information influence. On the contrary, state-sponsored propaganda in the Russian Federation, while being developed to counter foreign influence and reinforce the autocratic regime’s narratives, does not fall under proactive defensive measures. It does not aim to build national resilience so that the population cannot be manipulated. Rather, it is used to manipulate the population, making citizens less receptive to information the government considers undesirable or threatening to the regime.
Offensive measures constitute OIEs initiated by a targeted state during an active competition with a malign OIE-initiator, designed to mitigate and contest the OIE-initiator’s information influence activities. Contrary to counter-disinformation communication that refutes adversarial narratives, the primary characteristic of offensive measures conducted by targeted states is that they amplify new narratives, have their own political objectives aligned with the strategic considerations of the targeted state, and may target various audiences, including populations of foreign countries as well as the targeted state’s own population.
Offensive measures undertaken by democratic states primarily rely on OIEs that invoke democratic values and international norms, employ naming-and-shaming tactics, and resemble soft-power projection, although more assertive techniques, including OIEs to demoralize adversarial populations, have also been employed. For example, the Philippines has rolled out the Transparency initiative as a strategy to confront Chinese gray-zone aggression in the West Philippine Sea. The initiative relies on OIEs to promote international norms and employ naming and shaming to highlight Chinese violations, deter further aggression, and rally international support. The success and effectiveness of offensive measures as a category of information security approaches, however, are the most challenging to assess.
Approaches of the Targeted States
Russia and China are the primary OIE-initiating revisionist states that exploit instruments of information warfare to achieve political objectives in targeted states. While Russian and Chinese methods and strategies are well studied, much less attention is paid to the targets of OIEs. There are limited studies on specific responsive approaches and even fewer comprehensive reviews of their information security strategies. To introduce the practical applicability of the three-category taxonomy and begin discussing information security strategies of targeted states, it would be helpful to provide concrete examples of targeted states that have implemented each category of information security approaches.
Taiwan serves as a prime example of the effective implementation of reactive defensive measures in response to Chinese OIEs. Its approach incorporated a variety of measures, from counter-messaging and fact-checking to sanctioning CCP-affiliated media outlets. However, the Taiwanese four-facet framework for countering disinformation, developed by the Disinformation Coordination Team (DCT), serves as a prominent example of a structured strategic outline for reactive defensive measures.
The framework includes four steps: identification, debunking, combat, and punishment. The second step of debunking outlines a series of approaches that modernize reactive strategies beyond merely providing factual information as a countermeasure to disinformation and malign narratives. The most interesting approaches include “humor over rumor,” which calls for designing debunking messages in a format that “audiences cannot resist sharing,” often by “memefying” the message. Another approach is the 2-2-2 principle, which requires the “memefied” message to have 20 or fewer characters in its title, contain no more than 200 characters in its content, and include no more than two images as illustrations to be delivered within hours. The DCT’s guidelines also called for establishing a common communication strategy among governmental agencies, facilitating fact-checking through public-private partnerships, including with civic organizations, and promoting information verification by major internet platforms. The Taiwanese approach ultimately transformed reactive defensive measures from a “menu of options” to a comprehensive, inter-agency strategy.
Finland is often credited with achieving the highest scores on key metrics of civic resilience to disinformation, including media literacy, civic trust, transparency, education, and press freedom. Despite the inherent weaknesses of an open democratic society when facing foreign OIEs, Finland has developed one of the most effective proactive defensive approaches. Its information security strategy is based on the Comprehensive Security concept, which resembles a whole-of-society model for countering disinformation and outlines high levels of education and media literacy as the cornerstone of Finnish societal resilience. The Finnish approach integrates governmental institutions, private organizations, civic initiatives, and ordinary citizens to address Russian OIEs, teaching residents, students, journalists, and politicians to develop critical thinking skills and identify and counter false information designed to sow division within society. Finland’s comprehensive institutional, strategic, and educational initiatives allowed it to bolster its information security capacity and civic resilience to OIEs.
Despite increased Russian OIE efforts following the start of the Russo-Ukrainian War, in 2025, the Finnish Prime Minister reported that Russia had significantly reduced its information influence activities targeting Finland. Through comprehensive, proactive measures, Finland secured deterrence by denial in its information environment against Russian OIE campaigns, demonstrating that such measures not only develop social resilience to disinformation but also reduce the propensity of initiators to conduct OIEs.
Ukraine was one of the first strategic targets of Russian OIE campaigns. It has pioneered innovative approaches utilized by small democratic states that leverage the asymmetric nature of competition within the information environment. Ukraine has effectively employed OIEs since 2014 to bolster its position and influence the strategic considerations of a much larger and more experienced adversary.
Before the full-scale Russian invasion, Russia conducted hybrid warfare against Ukraine. It supported proxy-terrorist organizations and deployed its troops in Eastern Ukraine, while denying any involvement in the conflict. Thus, it became critical for Ukraine to showcase evidence of the Russian involvement and convince the international community that Russia had violated its sovereignty and international law. Ukraine employed OIEs to counteract Russian hybrid aggression and promote desired narratives. These OIEs relied on evidence releases conducted by the Security Service of Ukraine (SBU) and the InformNapalm civic initiative, which published intercepted communications of Russian state officials and proxy leaders, interrogations of Russian POWs, OSINT investigations, and hacked data. The objective of Ukrainian OIEs was to highlight Russia’s direct involvement in aggression toward Ukraine and rally domestic and international support. The campaign was relatively successful, raising awareness and support among both international and domestic audiences and contributing to a reduction in the intensity of the conflict, while not, however, dissuading Russia from employing other forms of gray-zone tactics.
Call for Action – Developing Structured Information Security Strategies
Malign OIEs constitute a significant threat to democratic states that are targeted by revisionist powers and non-state actors. While there have been many calls to develop effective and comprehensive information security strategies, a gap remains in the systematization and taxonomy of available approaches. The proposed framework outlines a broad conceptualization of information security approaches. By dividing them into reactive defensive measures, proactive defensive measures, and offensive measures, it structures the “menu of options” into a coherent taxonomy and lays the foundation for deeper classification.
Governments have already moved beyond mere counter-disinformation messaging to more complex approaches to information security, but existing methods have not yet matched the sophistication of malign OIE strategies. The integration of the proposed framework would shift the focus from select tactics to a comprehensive strategic design that guides stakeholders more holistically. By classifying approaches, policymakers will be more effective at systematizing information security proposals and linking specific tactics and policies to desired strategic outcomes. Through this, targeted states can stop playing the cat-and-mouse game with OIE initiators and develop comprehensive information security strategies that not only respond to information operations but also deter them. Such a shift in thinking should be integrated across all levels, from the development of information security approaches within national security strategies to cognitive defense within militaries.
Additionally, the proposed framework can be used to more effectively assess the information security strategies of targeted states. Although most states have not yet implemented coherent taxonomies, categorizing their approaches enables a deeper understanding of targeted states’ strategies. As illustrated by the case studies above, the proposed framework helped synthesize complex and unorganized information security approaches of Taiwan, Finland, and Ukraine. This can be used by researchers and policymakers to conduct more meaningful comparisons across states and nuanced evaluations of their successes and areas requiring reform.
While incorporating the proposed framework as the initial step, policy development and research should further categorize available methods, determine evaluation metrics for each measure type, explore the strengths and limitations of these approaches, and outline policy implications based on the results. This would enable scholars and practitioners to better systematize information security strategies and identify more efficient, replicable, and testable methods for countering foreign OIEs.

