What are the 5 steps of opsec?

The OPSEC process involves five steps:

(1) identification of critical information,
(2) analysis of threats,
(3) analysis of vulnerabilities,
(4) assessment of risk, and
(5) application of appropriate countermeasures.


Indicators are sources of information that, if exploited by an adversary or competitor, could reveal critical program information. An indicator can be identified by asking the question, “If I were an adversary or competitor, where would I go to obtain critical program information?”

Indicators are detectable actions that can be heard, observed, or imaged. Obtained by an adversary, they could result in adversary knowledge or actions harmful to friendly intentions. They include such things as personnel or material actions and movements that can be observed, public release conversations or documents, and habitual procedures when conducting a given type of operation or test. All detectable indicators that convey or infer critical information must be identified and protected if determined vulnerable.

Threat Analysis:

Threat Analysis is a process in which information about a threat or potential threat is subjected to systematic and thorough examination in order to identify significant facts and derive conclusions.

Threat analysis is an examination of an adversary’s technical and operational capabilities, motivation, and intentions to detect and exploit security vulnerabilities.

When considering a threat, one must look at the CPI and the Project in general and look at that information as an adversary would. A determination will need to be made as to who would want this technology, who would want to discredit this Project, who would like to cause harm to the Project participants, or who would like to do other nefarious activities directed at the Project. Once the adversary (ies) is/are established, an analysis also needs to be done on capabilities, access, determination, etc.

Analysis of Vulnerabilities:

Analysis of vulnerabilities is a systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a safeguards and security system to protect specific targets from specific adversaries and their acts.

Determining vulnerabilities involves a systematic analysis of how the Project is actually conducted by the primary and supporting Project team members. The Project must be viewed as an adversary might view it. Actions and things that can be observed or other data that can be interpreted or pieced together to derive critical information must be identified. These potential vulnerabilities must be matched with specific threats.

Once it is determined what an adversary needs to know and where that information is available, it is necessary to determine if it is possible for the adversary to acquire and exploit the information in time to capitalize on it. If so, vulnerability exists.

Risk Assessment:

Risk assessment is an evaluation of potential threats against a safeguard and security interest and the countermeasures necessary to address potential vulnerabilities. It is a five-step process that provides the decision-maker with a firm foundation upon which to make an informed decision. During a risk assessment, the value of the information, analysis of the threat, and determination of the information’s vulnerability are conducted. Following the completion of these three activities, a determination of the risk rating is made and countermeasures are considered and implemented, as necessary.

Risk assessment is essentially the process of balancing vulnerability against the threat, then deciding if the resultant risk warrants applications of countermeasures. The determination of risk is a demanding step in the OPSEC Process. It requires a degree of subjective decision making based on the best estimate of an adversary’s intentions and capabilities.

Included in the assessment of an adversary’s capability is not only his ability to collect the information but also his capability to process and exploit (evaluate, analyze, interpret) in time to make use of the information. In order to complete the risk assessment, it is necessary to combine this information (i.e., the possibility of the adversary exploiting the information, with the resultant impact on the Project). This process should result in a list of recommendations along with an estimate of the reduced impact upon the operation as achieved through their application. The decision maker can then weigh the cost of recommended OPSEC countermeasures in terms of resources and operational effectiveness against the impact of the loss of critical program information.

Application of Appropriate Countermeasures:

A countermeasure is anything that effectively negates an adversary’s ability to exploit vulnerabilities. The most effective countermeasures are simple, straightforward, procedural adjustments that effectively eliminate or minimize the generation of indicators. Following a cost-benefit analysis, countermeasures are implemented in priority order to protect vulnerabilities having the most impact on the Project, as determined by the appropriate decision maker.