The OPSEC process is designed to determine how adversaries could collect information regarding a specific operation, activity, or project so that countermeasures can be implemented to prevent exploitation of associated critical information.
The OPSEC process is often described as having five steps. These steps do not have to be followed in a rigid, sequential order, which gives the process flexibility. An OPSEC planner may move from one step to another in any order and any number of times.
Identify Critical Information
Critical information is developed from analyzing both friendly and adversary strategies to achieve their objectives.
For example, a drug smuggler needs to know when the Coast Guard patrol will be off duty. Although the patrol dates could be classified and well protected, the smuggler could still discover these dates by exploiting a potential critical piece of information such as when the ship places orders with local merchants for supplies and when they are delivered. This helps the smuggler because analysis of the supply information facilitates the determination of when the ship won’t be on patrol, thus giving the smuggler a decisive advantage. He has a window of time to conduct his operations, and reduces the patrol’s mission effectiveness to zero.
Analyze the Threat
Threat is defined as the capability of an adversary, coupled with his intentions, to acquire and exploit critical information. Threat requires both intent and capability. If one or the other is not present, there is no threat.
We are concerned with which adversaries demonstrate both the intent and capability to be a threat to our mission, operation, or activity.
The more we know about an adversary’s capability, the better we can judge how and why he may collect the information that he needs. In our smuggling example, the smuggler represents the threat. He has the intent to conduct his operations while the Coast Guard patrol boat is in port, and he also has the capability to analyze and exploit information and vulnerabilities associated with the ship’s supply operations.
In order to analyze the threat, you need to identify:
What the adversary already knows.
What the adversary needs to know to be successful.
The adversary’s intent and capability.
Potential adversaries to your mission, operations, or activity.
Where the adversary is likely to look to obtain the information.
Identifying what the adversary already knows helps you prioritize your information and allows you to determine the collection method(s) the adversary is using against you. Also, keep in mind that the adversary may go to several different sources to collect the information he needs. Once you have assessed the adversary’s intent and capability, you can assess his potential threat to you.
Analyze Vulnerabilities
It’s time for role playing. In order to analyze your vulnerabilities from both the friendly and adversary perspectives, you may have to enact a different scenario for each adversary, because each adversary may have different intentions and capabilities.
Your knowledge of your organization’s mission, success criteria, and operations, in conjunction with the other OPSEC steps, affects your capability to analyze your vulnerabilities.
A vulnerability exists when critical information is susceptible to exploitation by an adversary. Examples of vulnerabilities include lack of training, use of non-secure communications, publishing VIP itineraries, and poor system design.
Also, remember to keep indicators in mind. Whenever an organization plans and conducts a new activity, associated administrative, physical, observable, and technical actions take place – actions which are new and could tip off the adversary to the new activity. Although indicators are not vulnerabilities by themselves, they can point to or reveal vulnerabilities or critical information.
An indicator includes any detectable activity and/or information that, when looked at by itself or in conjunction with something else, points to a vulnerability or critical information item that can be exploited by an adversary. Examples of indicators include uniforms in unusual places, cars in a parking lot, and late night meetings.
Indicators generally fall into one of three categories.
Indicators that establish a profile
These are activities which provide an adversary with patterns showing how activities within an organization are normally conducted – like daily routines.
Indicators that show a deviation
These are activities that are not part of an organization’s normal conduct – an example would be a unit deploying to the field.
The third category is activities that provide an adversary with information on where to focus his collection efforts – basically giving the adversary a direction to follow.
Assess Risk
Risk is the likelihood that an adversary will gather and exploit your critical information, thus having some level of impact on your mission, operation, or activity. Risk assessment is a decision-making step because you decide if a countermeasure needs to be assigned to a vulnerability based on the level of risk this vulnerability poses to your mission, operation, or activity.
You assess a vulnerability in conjunction with the threat’s intent and capability – is he willing to exploit your vulnerability and does he have the means to do so? Then, you determine the impact this would have on your mission if the threat was successful in exploiting the vulnerability. This determines the level of risk. You then decide if the resultant level of risk warrants the application of a countermeasure.
We use two basic means of assessing risk. The first means is the intuitive reasoning approach, which is done alone and based on personal experience. The second means is the committee approach, in which several people look at the same problem. The committee approach is the preferred method.
Risk = probability × impact
Probability = threat × vulnerability
So risk decomposes to:
Risk = threat × vulnerability × impact
Threat – Threat comes from specific competitors or adversaries. If there is no threat, there is no risk. But the numbers tell us that there is a real threat – that a specific individual or organization has the desire, the skill, and the intent to acquire your critical information.
Vulnerability – Some targets are more vulnerable than others, generally through neglect because the entire espionage issue has been overlooked. If vulnerability is lowered, risk will be lowered as well.
Impact of the theft – How damaging is the loss of “smart” assets? If the impact is low, you don’t care. If it is high, there is cause to worry.
Picture threat, vulnerability, and impact as three rings in a Venn diagram. As the threat, vulnerability, and impact increase, the rings begin to overlap. The area in which all rings overlap is called the intersection.
In math, the items within the intersection are the items common to all rings. In OPSEC, the intersection would be the level of risk.
As you can see, an increase in any factor (threat, vulnerability, or impact) causes the intersection of the sets to increase – the level of risk increases.
A decrease in any factor causes the intersection of the sets to decrease – the level of risk decreases. Therefore, the level of risk is directly proportional to threat, vulnerability, and impact.
The same diagram shows why there is no level of risk if one factor (threat, vulnerability, or impact) is not present. As any one factor shrinks toward zero, the intersection of the three rings decreases.
Eventually a point will come when all three rings no longer intersect. When this occurs, the intersection of the three rings disappears – the same is true for the level of risk. Therefore, all three factors must be present for risk to exist.
Apply Countermeasures
A countermeasure is anything that effectively reduces an adversary’s ability to exploit vulnerabilities. Countermeasures don’t need to be exotic or expensive; they can be thought of simply as smarter ways of doing a particular task.
The development of a countermeasure focuses directly on the vulnerability it is designed to protect. Following a cost-benefit analysis, countermeasures are implemented in priority order to protect the weaknesses that represent the most significant impact on your mission, operation, or activity.
Frequently a combination of low-cost countermeasures provides the best overall protection. All possibilities should be considered, and the potential effectiveness of each should be evaluated against a specific vulnerability, or against multiple vulnerabilities.
The bottom line is: always weigh the cost versus the benefit.
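As an added illustration (not part of the original course text), the risk formula and the cost-versus-benefit prioritization above can be put into a small Python model for the patrol-ship scenario. The 0-to-1 rating scales, the use of the mean of several assessors' ratings to represent the committee approach, and every score, cost and reduction figure are assumptions invented for the example.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Vulnerability:
    """One vulnerability with per-assessor ratings (0.0 to 1.0) for each factor."""
    name: str
    threat: list          # adversary intent and capability
    vulnerability: list   # how exposed the critical information is
    impact: list          # damage to the mission if exploited

@dataclass
class Countermeasure:
    name: str
    target: str           # name of the vulnerability it protects
    cost: float           # relative cost, hypothetical units
    reduction: float      # fraction of the risk it removes (assumed 0.0 to 1.0)

def committee_score(ratings):
    """Committee approach: several assessors rate the same factor; take the mean."""
    return mean(ratings)

def risk(v):
    """Risk = threat x vulnerability x impact; a zero in any factor makes it zero."""
    return committee_score(v.threat) * committee_score(v.vulnerability) * committee_score(v.impact)

def prioritize(vulns, measures):
    """Rank countermeasures by risk removed per unit of cost (cost versus benefit)."""
    by_name = {v.name: v for v in vulns}
    ranked = []
    for m in measures:
        before = risk(by_name[m.target])
        after = before * (1.0 - m.reduction)   # risk left after the measure
        ranked.append((m.name, (before - after) / m.cost))
    return sorted(ranked, key=lambda item: item[1], reverse=True)

# Constructed sample data for the patrol-ship scenario; every score is invented.
SUPPLY, VIP, RADIO = "supply orders visible to merchants", "published VIP itinerary", "non-secure radio"
VULNS = [
    Vulnerability(SUPPLY, [0.8, 0.9, 0.7], [0.9, 0.8, 1.0], [1.0, 0.9, 0.8]),
    Vulnerability(VIP, [0.5, 0.5, 0.5], [0.6, 0.6, 0.6], [0.4, 0.4, 0.4]),
    Vulnerability(RADIO, [0.0, 0.0, 0.0], [1.0, 1.0, 1.0], [1.0, 1.0, 1.0]),  # no adversary listening: no threat
]
MEASURES = [
    Countermeasure("consolidate and vary supply deliveries", SUPPLY, 1.0, 0.5),
    Countermeasure("train supply staff", SUPPLY, 2.0, 0.8),
    Countermeasure("restrict itinerary distribution", VIP, 0.5, 0.5),
    Countermeasure("buy encrypted radios", RADIO, 10.0, 1.0),
]
```

With these figures the cheap change to supply-delivery routine ranks first, and the expensive radios rank last because the radio vulnerability carries no threat and therefore no risk.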