OPSEC- Want to know more?

Formally, OPSEC is "the process of denying potential adversaries any information about capabilities and/or intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities." (NSA)

Basically, OPSEC is understanding what information someone (an adversary, a competitor, an opponent, an enemy, etc) would need in order to do harm to you or your mission, and know how to protect that information from disclosure. This can be a difficult task, as small pieces of such information can ultimately prove to be a critical piece of the 'puzzle' that, when paired with other information, may reveal the bigger picture.

Identification or Critical Information
Identify the information that is critical to the organization or mission, and which would harm its ability to carry out normal operations if obtained by the adversary.

Analyze the Threat
Identify likely adversaries, as well as the threat they may represent. This includes their intent and capability, both of which must be present for a threat to exist.

Analyze Vulnerabilities
Examine each aspect of the operation from the perspective of the adversary, the threat identified in step 2. What would you need to do or learn in order to obtain the critical information? Identify those indicators ('puzzle pieces') that could reveal the critical information, and compare it to the capabilities of the adversaries.

Assess Risk
Match each vulnerability to a threat, and assign each one a risk level. The Interagency OPSEC Support Staff shows 'risk' the be the product of threat X vulnerability X impact, which demonstrates the true 'cost' should an adversary be successful or the overall value of the information that would be lost. This is the 'so what' factor of OPSEC, and the true selling point for a strong OPSEC program.

Apply countermeasures
Beginning with high-risk vulnerabilities, create a plan and implement countermeasures in order to mitigate the risk. The goal may be to lower or eliminate the risk, or to remove the threat's access to the resource. It's important to note that not all risks may be mitigated, depending on the resources available and likelihood of occurrence. The implied task is to validate the countermeasures for effectiveness once put in place

This process is best thought of as a repeating cycle, which is constantly re-evaluated based on the evolving and changing threat.
The 5-step process could be simplified (and more readily applied to 'everyday' scenarios) by remembering two basic concepts: Know what to protect... And protect it.