The OPSEC Process

The OPSEC Process


1. Identify Critical Information


The first, and arguably the most important, step in the OPSEC process is to determine which information is critical to the organization. Critical information is information that would harm the organization’s ability to effectively carry out normal operation if obtained by an adversary. Usually, this information represents the core secrets of an organization, and can vary from one organization to the next.



2. Analyze The Threat


Once the critical information is identified, the next step is to determine the individuals or groups that represent a threat to that information. There may be more than one adversary, and different pieces of information may be targeted by different groups. In this stage, the capabilities, use for the information, determination and resources must also be analyzed.



3. Analyze The Vulnerabilities


In this phase, the analyst will “Think like the wolf”, and view their organization from an adversaries perspective. The vulnerabilities of the organization must be thoroughly explored, especially in terms of physical safeguards, network/electronic safeguards and personnel training will be investigated.



4. Assess The Risks


For each vulnerability, the threat must be matched. At this point, each vulnerability is assigned a risk level. This is an unmitigated risk level, meaning that any corrective factors are not included in the analysis. The risk matrix is as follows:

  • An adversary has demonstrated their ability to exploit an existing vulnerability and the resulting impact would be irreparable; hazard consequence would be catastrophic. Critical
  • There is no doubt an adversary could exploit an existing vulnerability and the resulting impact would be serious enough to consider cancellation of a mission; hazard consequence would be major. high
  • It is probable an adversary could exploit an existing vulnerability and the resulting impact would be damaging; hazard consequence would be no higher than major. medium high
  • It is possible an adversary could exploit an existing vulnerability and the resulting impact would be manageable; hazard consequence would be no higher than moderate. medium
  • It is unlikely an adversary could exploit an existing vulnerability and the resulting impact would be negligible; hazard consequence would be no higher than minor. medium low
  • It is improbable an adversary would exploit an existing vulnerability and the resulting impact would be insignificant; hazard consequence would be no higher than insignificant. low

The risk level assigned to a vulnerability helps to “triage” the protection of data.
For additional OPSEC rating defitions, see OPSEC Ratings Definitions



5. Apply The Countermeasures


Beginning with high-risk vulnerabilities, a plan is put in place to mitigate the risk factors. All possible countermeasures are considered, and could include additional hardware, training or outside contractors. The most important element of this step is to develop a plan to lower or eliminate the risk, or remove the threat’s access to the resource.




The laws of OPSEC



  1. If you don't know the threat, how do you know what to protect? Although specific threats may vary from site to site or program to program, employees must be aware of the actual and postulated threats. In any given situation, there is likely to be more than one adversary, although each may be interested in different information.
  2. If you don't know what to protect, how do you know you are protecting it? The "what" is the critical and sensitive, or target, information that adversaries require to meet their objectives.
  3. If you are not protecting it (the critical and sensitive information), the adversary wins! OPSEC vulnerability assessments, (referred to as "OPSEC assessments" -- OA's -- or sometimes as "Surveys") are conducted to determine whether or not critical information is vulnerable to exploitation. An OA is a critical analysis of "what we do" and "how we do it" from the perspective of an adversary. Internal procedures and information sources are also reviewed to determine whether there is an inadvertent release of sensitive information


In short, Know the threat,
                  know what to protect
                                        and protect it!