Corporate Counterintelligence & Security

OPSEC is a national security countermeasures methodology, which can be applied to protecting industrial property and secrets. The OPSEC premise is that the accumulation of one or more elements of sensitive/unclassified information or data could damage national security by revealing classified information. It aims to deny an adversary pieces of the intelligence puzzle. The following OPSEC principles and laws were outlined in National Security Decision Direction Number 298 (NSDD 298).


Read the Full StoryOperational Security (OPSEC)

The five-step OPSEC process:

  1. Identification of the critical information to be protected
  2. Analysis of the threats
  3. Analysis of the vulnerabilities
  4. Assessment of the risks
  5. Application of the countermeasures

Identification of Critical Information

Basic to the OPSEC process is determining what information, if available to one or more adversaries, would harm an organization's ability to effectively carry out the operation or activity. This critical information constitutes the "core secrets" of the organization, i.e., the few nuggets of information that are central to the organization's mission or the specific activity. Critical information usually is, or should be, classified or least protected as sensitive unclassified information.

Analysis of Threats

Knowing who the adversaries are and what information they require to meet their objectives is essential in determining what information is truly critical to an organization's mission effectiveness. In any given situation, there is likely to be more than one adversary and each may be interested in different types of information. The adversary's ability to collect, process, analyze, and use information, i.e., the threat, must also be determined.

Analysis of the Vulnerabilities

Determining the organization's vulnerabilities involves systems analysis of how the operation or activity is actually conducted by the organization. The organization and the activity must be viewed as the adversaries will view it, thereby providing the basis for understanding how the organization really operates and what are the true, rather than the hypothetical, vulnerabilities.

Assessment of Risks

Vulnerabilities and specific threats must be matched. Where the vulnerabilities are great and the adversary threat is evident, the risk of adversary exploitation is expected. Therefore, a high priority for protection needs to be assigned and corrective action taken. Where the vulnerability is slight and the adversary has a marginal collection capability, the priority should be low.

Application of the Countermeasures

Countermeasures need to be developed that eliminate the vulnerabilities, threats, or utility of the information to the adversaries. The possible countermeasures should include alternatives that may vary in effectiveness, feasibility, and cost. Countermeasures may include anything that is likely to work in a particular situation. The decision of whether to implement countermeasures must be based on cost/benefit analysis and an evaluation of the overall program objectives.

OPSEC Laws

The First Law of OPSEC

If you don't know the threat, how do you know what to protect? Although specific threats may vary from site to site or program to program, employees must be aware of the actual and postulated threats. In any given situation, there is likely to be more than one adversary, although each may be interested in different information.

The Second Law of OPSEC

If you don't know what to protect, how do you know you are protecting it? The "what" is the critical and sensitive, or target, information that adversaries require to meet their objectives.

The Third Law of OPSEC

If you are not protecting it (the critical and sensitive information), the adversary wins! OPSEC vulnerability assessments, (referred to as "OPSEC assessments" - OA's - or sometimes as "Surveys") are conducted to determine whether or not critical information is vulnerable to exploitation. An OA is a critical analysis of "what we do" and "how we do it" from the perspective of an adversary. Internal procedures and information sources are also reviewed to determine whether there is an inadvertent release of sensitive information.