The OPSEC Process



1. Identify Critical Information


The first, and arguably the most important, step in the OPSEC process is to determine which information is critical to the organization. Critical information is information that would harm the organization’s ability to effectively carry out normal operation if obtained by an adversary. Usually, this information represents the core secrets of an organization, and can vary from one organization to the next.



2. Analyze The Threat


Once the critical information is identified, the next step is to determine the individuals or groups that represent a threat to that information. There may be more than one adversary, and different pieces of information may be targeted by different groups. In this stage, the capabilities, use for the information, determination and resources must also be analyzed.



3. Analyze The Vulnerabilities


In this phase, the analyst will “Think like the wolf”, and view their organization from an adversaries perspective. The vulnerabilities of the organization must be thoroughly explored, especially in terms of physical safeguards, network/electronic safeguards and personnel training will be investigated.



4. Assess The Risks


For each vulnerability, the threat must be matched. At this point, each vulnerability is assigned a risk level. This is an unmitigated risk level, meaning that any corrective factors are not included in the analysis. The risk matrix is as follows:

  • Vulnerability is critical and threat is high, risk is high
  • Vulnerability is critical and threat is medium, risk is high
  • Vulnerability is critical and threat is low, risk is medium
  • Vulnerability is medium and threat is high, risk is high
  • Vulnerability is medium and threat is medium, risk is medium
  • Vulnerability is medium and threat is low, risk is low
  • Vulnerability is low and threat is high, risk is medium
  • Vulnerability is low and threat is medium, risk is low
  • Vulnerability is low and threat is low, risk is low

The risk level assigned to a vulnerability helps to “triage” the protection of data.



5. Apply The Countermeasures


Beginning with high-risk vulnerabilities, a plan is put in place to mitigate the risk factors. All possible countermeasures are considered, and could include additional hardware, training or outside contractors. The most important element of this step is to develop a plan to lower or eliminate the risk, or remove the threat’s access to the resource.




The laws of OPSEC



  1. If you don't know the threat, how do you know what to protect? Although specific threats may vary from site to site or program to program, employees must be aware of the actual and postulated threats. In any given situation, there is likely to be more than one adversary, although each may be interested in different information.
  2. If you don't know what to protect, how do you know you are protecting it? The "what" is the critical and sensitive, or target, information that adversaries require to meet their objectives.
  3. If you are not protecting it (the critical and sensitive information), the adversary wins! OPSEC vulnerability assessments, (referred to as "OPSEC assessments" -- OA's -- or sometimes as "Surveys") are conducted to determine whether or not critical information is vulnerable to exploitation. An OA is a critical analysis of "what we do" and "how we do it" from the perspective of an adversary. Internal procedures and information sources are also reviewed to determine whether there is an inadvertent release of sensitive information


In short, Know the threat,
    know what to protect
        and protect it!



© OSPA