"(U)pon Secrecy, Success depends in Most Enterprises and for want of it, they are generally defeated." -George Washington, on OPSEC

OPSEC Ratings Definitions


Two sample ratings standards are provided. The first is a six-point scale, the second a five point scale. The associated math is provided with each scale. Choose the one that best suits your purpose, and adjust the definitions to coincide with your organization.

This information is provided by IOSS

ANALYSIS RATINGS CRITERIA
Six-point scale, Low to Critical

Threat

Critical

An adversary has demonstrated both strong intent and high capability to act aggressively against friendly objectives.

High

An adversary has demonstrated both intent and capability to act against friendly objectives.

Medium High

An adversary has demonstrated intent or capability to act against friendly objectives.

Medium

An adversary has demonstrated intent and capability to act against similar friendly objectives.

Medium Low

An adversary has demonstrated intent or capability to act against similar friendly objectives.

Low

Adversary is not assessed to have intent, or adversary is not assessed to have the capability to act against friendly or similar objectives


Vulnerability

Critical

Proven exploitable by multiple collection disciplines requiring virtually no corroboration.

High

Potentially exploitable by multiple collection disciplines requiring virtually no corroboration.

Medium High

Potentially exploitable by multiple collection disciplines requiring only limited corroboration.

Medium

Potentially exploitable by multiple collection disciplines requiring significant corroboration.

Medium Low

Potentially exploitable by only limited collection disciplines.

Low

Potential for exploitation is negligible.


Impact

Critical

Deaths or other events which cause postponement of mission events lasting longer than 72 hours, loss of critical or classified information that results in the cancellation of a mission or causes catastrophic degradation of mission success, or compromise of intelligence sources and methods, property loss greater than $1,000,000, catastrophic embarrassment or harm to the reputation of [ORGANIZATION] or the Nation.

High

Serious injuries or other events which cause postponement of mission events lasting longer than 25 hours but less than 72 hours, loss of critical or classified information that results in postponement of the mission for more than 25 hours but less than 72 hours or seriously degrades mission success, property loss greater than $450,000 but less than $1,000,000, serious embarrassment or harm to the reputation of [ORGANIZATION] or the Nation.

Medium High

Injuries or other events which cause postponement of mission events lasting longer than 4 hours but less than 24 hours, loss of critical or classified information that results in the delay of a mission for 4 to 24 hours or causes unacceptable degradation of mission success, property loss greater than $10,000 but less than $1,000,000, major harm to the reputation of [ORGANIZATION] or the Nation.

Medium

Injuries or other events which cause postponement of mission events lasting longer than 1 hour but less than 4 hours, loss of critical information (with no loss of classified information) that causes delay of mission for more than 1 but less than 4 hours or causes some degradation of mission success within acceptable levels, property loss greater than $5,000 but less than $10,000, manageable embarrassment or harm to the reputation of [ORGANIZATION] or the Nation.

Medium Low

Injuries or other events which cause postponement of mission events lasting longer than 15 minutes but less than 1 hour, loss of critical information (with no loss of classified information) that delays the mission for less than one hour or causes minimal degradation of mission success, property loss greater than $1,000 but less than $5,000, moderate embarrassment or harm to the reputation of [ORGANIZATION] or the Nation.

Low

No personal injury, no events which cause postponement of mission events, no loss of critical or classified information, no degradation of mission success, property loss less than $1,000, delays to mission less than 15 minutes, no affect on government or public services, no embarrassment or harm to the reputation of [ORGANIZATION] or the Nation.


Risk

Critical

An adversary has demonstrated their ability to exploit an existing vulnerability and the resulting impact would be irreparable; hazard consequence would be catastrophic.

High

There is no doubt an adversary could exploit an existing vulnerability and the resulting impact would be serious enough to consider cancellation of a mission; hazard consequence would be major.

Medium High

It is probable an adversary could exploit an existing vulnerability and the resulting impact would be damaging; hazard consequence would be no higher than major.

Medium

It is possible an adversary could exploit an existing vulnerability and the
resulting impact would be manageable; hazard consequence would be no
higher than moderate.

Medium Low

It is unlikely an adversary could exploit an existing vulnerability and the resulting impact would be negligible; hazard consequence would be no higher than minor.

Low

It is improbable an adversary would exploit an existing vulnerability and the resulting impact would be insignificant; hazard consequence would be no higher than insignificant.



Numerical ranges. Decimals apply to threat and vulnerability, whole numbers apply to impact and risk.

Low

Medium Low

Medium

Med High

High

Crit

.01 - .1

.11 - .35

.36 - .65

.66 - .85

.86- .95

.95 - 1

1 - 10

11 - 35

36 - 65

66-85

86-95

95 - 100



Numerical means. Decimals apply to threat and vulnerability, whole numbers apply to impact and risk.

Low

Medium Low

Medium

Med High

High

Crit

.05

.2

.5

.75

.9

.98

5

20

50

75

90

98





ANALYSIS RATINGS CRITERIA
Five-point scale, Low to High


Threat

Low

No adversary has demonstrated an intent, or no adversary is assessed to have the capability to act against friendly objectives.

Medium Low

An adversary has demonstrated an intent or capability to act against similar friendly objectives.

Medium

An adversary has demonstrated both intent and capability to act against similar friendly objectives.

Medium High

An adversary has demonstrated intent or capability to act against friendly objectives.

High

An adversary has demonstrated both intent and capability to act against friendly objectives.


Vulnerability

Low

Potential for exploition is negligible.

Medium Low

Potentially exploitable by only limited collection disciplines.

Medium

Potentially exploitable by multiple collection disciplines requiring significant corroboration of data.

Medium High

Potentially exploitable by multiple collection disciplines requiring only limited corroboration of data.

High

Potentially exploitable by multiple collection disciplines requiring virtually no corroboration of data.


Impact

Low

No personal injury, property loss less than $1,000, delays less than 15 minutes, no affect on the integrity of the system, no affect on government or public services, no embarrassment or harm to the reputation of __________, or the Nation.

Medium Low

Minor personal injury (no hospitalization), property loss greater than $1,000 but less than $5,000, delays greater than 15 but less than 30 minutes, minor embarrassment or harm to the reputation of ____________ or the Nation.

Medium

Injuries requiring hospital treatment or observation, property loss greater than $5,000 but less than $10,000, delays greater than 30 but less than 60 minutes, moderate embarrassment or harm to the reputation of ________________ or the Nation.

Medium High

Injuries requiring hospitalization for treatment for serious, substantial bodily injury, property loss greater than $10,000 but less than $1,000,000, delays greater than 1 hour but less than 24 hours, major embarrassment or harm to the reputation of _______________ or the Nation.

High

Death, property loss greater than $1,000,000, delays lasting longer than 25 hours, catestrophic embarrassment or harm to the reputation ___________________ or the Nation.




Risk

Low

It is improbable an adversary would exploit an existing vulnerability and the resulting impact would be insignificant.

Medium Low

It is unlikely an adversary could exploit an existing vulnerability and the resulting impact would be negligable.

Medium

It is possible an adversary could exploit an existing vulnerability and the resulting impact would be manageable.

Medium High

It is probable an adversary could exploit an existing vulnerability and the resulting impact would be damaging.

High

There is no doubt an adversary could exploit an existing vulnerability and the resulting impact would be irreparable.



Numerical ranges. Decimals apply to threat and vulnerability, whole numbers apply to impact and risk.

Low

Medium Low

Medium

Med High

High

.01 - .2

.21 - .4

.41 - .7

.71 - .85

.86 - 1.0

1 - 20

21 - 40

41 - 70

71 - 85

86 -100



Numerical means. Decimals apply to threat and vulnerability, whole numbers apply to impact and risk.

Low

Medium Low

Medium

Med High

High

.1

.3

.5

.8

.95

10

30

50

80

95