
Green Means Go: how the Homeland Security Alert System was ineffective and undermined national security

Following the terrorism events of September 11, 2001, there was a national feeling of being caught off guard and underprepared for this new type of adversary and the upcoming conflicts. There was panic and hysteria amongst the American people in particular, who suddenly felt very vulnerable as their illusion of impenetrable safety was shattered in the blink of an eye by these attacks. In response, the Bush administration took drastic and decisive action to elevate domestic security to combat this new threat and protect the American people. These actions included the creation of the Department of Homeland Security (“DHS”), which consolidated existing federal agencies under one synergistic umbrella to enhance domestic security coordination. This new agency subsequently took operational control of the Homeland Security Advisory System (“HSAS”). This system was a color-coded threat advisory scale used to warn the public of the perceived risk of terrorism and trigger a standard response and elevation or relaxing of public security measures. While an excellent bureaucratic control, this system faced criticism for its negative impacts on the American public and its counterproductive operational security (“OPSEC”) signal to a threat actor. HSAS was ultimately shuttered and replaced by the National Terrorism Advisory System in 2011.

The colors used in the Threat Advisory System are rooted in cultural associations and reflect the perceived risk of an act of terrorism.

The HSAS threat advisory scale was used by DHS to communicate the perceived risk of terrorist attacks in the United States to governmental agencies and the public. Like the colorful flags used by sailing ships to coordinate specific actions by a fleet, the HSAS employed five colors, each reflecting a different threat level from low to severe, to signal the threat risk and trigger specific actions and security posture amongst the public and domestic security agencies. The five colors are, 1) Green – Low, 2) Blue – Guarded, 3) Yellow – Elevated, 4) Orange – High, and 5) Red – Severe. The DHS likely selected these colors because they are easily understood based on existing cultural associations in the United States and aligned with common psychological links to safety and danger.

First, when the perceived threat level is low, the DHS will set the HSAS scale green. This indicates that there are no known threats requiring security measures beyond routine and the American public would feel its safest. When signaling blue, the DHS is communicating that there is a general risk of terrorism with no specific threats detected. Standard security measures remain sufficient, and the American public is advised to be aware of their surroundings, but they should still feel very safe. Yellow signals a significant risk of terrorist attacks and domestic security posture is heightened and enhanced with extra security measures. The public is encouraged to report suspicious activities. Orange signals a high risk of terrorist attacks and both domestic security agencies and the general public are encouraged to implement protective measures. Red is the highest level and signals that a severe risk of terrorist attacks exists, and domestic security measures are maximally enhanced. The public will face significant restrictions and interruptions.

Next, the specific colors were matched to their corresponding threat level because of cultural associations and alignment with psychological connections to safety and danger. This nexus and rationale was designed to be simple and easily understood by the public and domestic security agencies. A green light, for example, means “go” in federally regulated traffic signal lights in the United States. The public perceives this green signal to mean they are safe to drive through the intersection and will not get in a car accident. Red means the opposite, “stop”. A driver is not safe to travel through the intersection and a severe risk of a collision exists. The federally regulated color standard in traffic lights has proliferated into society, which makes it logical that the DHS, a federal agency, would align the HSAS color scheme with a traffic light framework. This increases the effectiveness of DHS communication amongst the general public, one of the HSAS purposes.

The HSAS’s color signals, though ambiguously defined by DHS, each have a distinct meaning and practical application.

The DHS selection of these colors was not arbitrary, as described above. In addition to its purpose of communicating and alerting the public, the HSAS was used to trigger standard security posture escalation actions by federal agencies, like the TSA, and private organizations, particularly in the critical infrastructure sectors. These range from conducting routine security measures at its lowest, green, to the implementation of significant security enhancements like travel restrictions and the domestic deployment of the military at its highest level, red.

Like strict password requirements in information systems, whereby a user creating a password must use at least ten characters and is restricted from using a simple four-character password, there is a distinct balance between security and individual freedom. In order to participate productively in using the information system, the user must comply with security requirements. The more security measures are implemented, the greater the negative impact on the public’s sense of individual freedom. When DHS communicates high threat colors, they are effectively ordering more security, which naturally creates more restrictions on individual liberties, but to participate productively in society, citizens must comply with the security enhancements triggered by the DHS-assessed HSAS color level.

First, green, or “low”, represented a baseline condition and meant that no credible terrorist threat was known. Under this condition, domestic security operations include standard security measures like routine and passive monitoring. This level means normalcy and safety to the American public, with no need for heightened vigilance or any disruption to their daily routine. The balance between security and freedom weighs heavily in a perceived sense of individual freedom by the public.

Next, blue, or “guarded”, indicated that a general risk of terrorist activities exists. Domestic security agencies, local law enforcement, and critical infrastructure organizations increase monitoring and refresh emergency plans and procedures. When the DHS assesses the risk as guarded, the public generally will not experience interruptions and is merely advised to remain aware of their surroundings. No specific guidance or actions are required.

The next escalation was yellow, or “elevated”. DHS used this color and level to denote a significant risk of terrorist attacks. At this level, enhanced domestic security measures are less subtle. Agencies increase surveillance around potential targets and security checks at transportation hubs and public events become more intense and thorough. The public trades some freedom for security at this level in the form of airport delays caused by heightened security and growing media coverage that reinforced a sense of unease.

Orange is one step up from yellow and signified a high risk of terrorist attacks as assessed by the DHS. Domestic security enhancements triggered by this level included deploying additional security personnel at sensitive sites, restricting access to critical infrastructure locations, and even the cancelling of public events, like concerts. For the public, this level represented a significant disruption to daily life including much longer waiting times at security checkpoints and increased law enforcement visibility in the form of number of officers and type of equipment (more police patrolling inside an airport carrying rifles and submachine guns rather than just a sidearm for example). This level also represents a sense of heightened anxiety due to the perceived imminent threat.

Finally, red, or “severe”, is the highest threat level and reflects an imminent or ongoing threat of terrorist attack. Security measures at this level were extraordinary and included closing government facilities, evacuating buildings, imposing travel restrictions, and deploying the military within the borders of the United States.[1] During this level, the public experiences significant restriction of movement, interruption to public services, and even the suspension of civil liberties under emergency powers, like the suspension of habeas corpus.

The HSAS color coded labels were not an effective way to communicate threat information to the public.

Following the terrorist attacks of September 11, 2001, the United States government faced intense pressure to act decisively and reassure the public. In this environment, the creation of the HSAS reflected the maxim that “an 80% solution now is better than a 100% solution when it is too late.” The system was designed to offer a simple, immediately recognizable framework for conveying threat levels. However, despite its intuitive design, the HSAS ultimately proved ineffective as a communication tool. Its limitations stemmed from its ambiguity, frequent use that dulled its impact, and its counterintuitive effect on operational security (“OPSEC”).

Ambiguity and Overuse.

One of the most significant shortcomings of HSAS was the ambiguity inherent in its threat level descriptions. Each color was intended to convey a specific degree of risk, yet the criteria distinguishing these levels were vague and difficult for the public to meaningfully interpret. For example, the system’s highest threat level, red, signified a “severe risk of terrorist attacks” and was used in cases of an “imminent threat”. However, those terms are not clearly defined for the public. Many citizens may believe imminent to mean an attack is already underway or about to happen rather than a period of heightened vulnerability for an undetermined period of time. Similarly, the transition from yellow to orange lacked clear criteria to help the public see the changes in the threat environment that triggered the escalation. This imprecision fostered confusion, leading to either complacency or unnecessary alarm, and ultimately reduced the system’s effectiveness in motivating an appropriate public response.

Overuse of elevated threat levels was another flaw of HSAS. Between its introduction in 2002 and its eventual replacement in 2011, the system remained yellow or orange for nearly its entire duration. This constant state of alert created threat fatigue, where the public becomes desensitized to warnings that do not correspond to observable events or actionable guidance. Rather than triggering preparedness and enhanced public vigilance, the frequent use of higher threat levels contributed to the perception that the system was more political than practical. Threat fatigue also was experienced by local law enforcement agencies as their resources were strained to maintain enhanced security measures for indefinite periods of time.

Operational Security Concerns.

Beyond ambiguity and overuse, the HSAS also suffered from fundamental flaws in its alignment with OPSEC principles. Designed to communicate threat levels to the public, the system inadvertently provided useful intelligence to potential adversaries while doing little to equip the public with actionable guidance. In this respect, HSAS created an environment where the color-coded advisories did not merely fail to protect; they actively undermined national security efforts because the system violated the basic principle of OPSEC: minimize the dissemination of sensitive information that could aid adversary planning.

One of the most problematic features of the system was the public display of threat levels, at all times. By doing so, the government effectively communicated to any observer, foreign or domestic, the current status of security in and around a target. An attacker merely needs to be patient and wait for the color to drop. This broadcasting created an infinite loop whereby if the DHS lowers the threat color, the likelihood of a patient actor to strike increases which requires escalation of the color. Given this logic, decreasing the threat level is impossible. The “Green Means Go” phenomenon captures the idea that publicly signaling a low threat level may serve as an invitation for adversaries to act because domestic security measures are at their most routine and lowest. In this instance, OPSEC was breached because the system expressly revealed US domestic security posture.

Moreover, the color-coded system’s simplicity, intended to promote clarity, instead produced confusion within both the public and private sectors regarding appropriate protective measures at each threat level. Many organizations struggled to interpret what was required of them when threat levels changed. This lack of clear linkage between color level and specific protective actions not only confused domestic audiences but also signaled to adversaries that shifts in alert status might not correspond with substantial defensive changes on the ground. For example, an orange alert may appear to indicate robust security measures but might manifest in minimal observable changes from yellow.

Additionally, the persistent broadcasting of the nation’s threat status, and the persistent use of high levels, allowed adversaries ample time to study US patterns of response. By observing how law enforcement and the public reacted at different advisory levels, threat actors could refine their strategies, selecting moments of perceived complacency. More time to study the security measures increases the risk of creative exploitation. In this way the HSAS unintentionally aided adversary situational awareness, contrary to OPSEC doctrine.

Finally, the system’s tendency to oscillate between elevated threat levels without corresponding visible events promoted complacency among the public. When Americans repeatedly experience high alert levels without clear guidance, they become less likely to take future warnings seriously. This eroded vigilance and created conditions where a genuine threat may go unheeded, providing threat actors with an additional advantage.

Application to cyber threats of today and tomorrow.

The limitations of the HSAS in the physical security domain offer valuable lessons for addressing the cyber threats of today and tomorrow. Unlike the terrorist attacks as contemplated by the DHS following 9/11, cyberattacks often unfold invisibly and unpredictably, targeting critical infrastructure, confidential information, and financial institutions through increasingly sophisticated methods. A static, public-facing alert system similar to HSAS would be unsuitable for the dynamic nature of cyber threats, where broadcasting a readiness level could expose vulnerabilities, undermine cybersecurity efforts, and otherwise provide a cyber threat actor with a framework to base their attack planning around. Publicly announcing a “low cyber threat level”, for example, could invite cyber threat actors to exploit gaps in vigilance, much as HSAS may have unintentionally signaled a window of opportunity.

Furthermore, the rapidly changing cyber threat landscape demands continuous sharing of information between the public, industry, and government. As the nation confronts cybersecurity challenges such as ransomware, supply chain attacks, and AI-driven exploits, future security systems must avoid the pitfalls of HSAS by integrating discretion, actionable guidance, and real-time adaptability.

Conclusion. The HSAS system functioned much like a traffic light to the public, domestic security agencies, and threat actors. The idea that “green means go” captures how the system, by publicly announcing threat levels, may have inadvertently encouraged adversaries to act while fostering complacency in the public. As the United States faces the increasingly complex and stealthy threats of the cyber age, future security communication frameworks must guide institutions and the public without signaling opportunity to cyber threat actors.


[1] As an exception to the Posse Comitatus Act of 1873 which limited the powers of the federal government in using active duty military personnel to enforce domestic policies within the United States.
