OPSEC is a systematic and proven process designed to deny to potential adversaries, information about capabilities and intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive activities. As UCAH activities are sponsored by the U.S. Department of Defense, there will be a requirement for members and participants to become familiar with the OPSEC plan which will be associated with this project. This section will contain material designed to foster awareness and recommendations related to OPSEC and UCAH activities.
Identification of Critical Information
Critical information is factual data about an organization’s intentions, capabilities, and activities that the adversary needs to plan and act effectively to degrade operational effectiveness or place the potential for organizational success at risk. The OPSEC process identifies critical information and determines when that information may cease to be critical in the life cycle of an operation, program, or activity.
Assessment of Risks
Risk assessment is the heart of the OPSEC process. In a risk assessment, threats and vulnerabilities are compared to determine the potential risk posed by adversary intelligence collection activities targeting an activity, program, or organization. When the level of vulnerability is assessed to be high and the adversary threat is evident, then adversary exploitation is expected, and risks are assessed to be high. When the vulnerability is slight, and the adversary’s collection ability is rated to be moderate or low, the risk may be determined to be low, and no protective measures may be required. Based on the assessed level of risk, cost/benefit measures can be used to compare potential countermeasures in terms of their effectiveness and cost.
Analysis of Vulnerabilities
Vulnerability analysis requires that the OPSEC analyst adopt an adversarial view of the activity requiring protection. The analyst attempts to identify weaknesses or susceptibilities that can be exploited by the adversary’s collection capabilities. The vulnerability analysis process must identify the range of activities that can be observed by the adversary, the type of information that can be collected, and the specific organizational weaknesses that the adversary can exploit. Based on this knowledge, the OPSEC analyst determines what critical information the adversary can derive based on the known threat and assessed vulnerabilities.
Analysis of Threats
Threat analysis consists of determining the adversary’s ability to collect, process, analyze, and use information. The objective of threat analysis is to know as much as possible about each adversary and their ability to target the organization. It is especially important to tailor the adversary threat to the actual activity and, to the extent possible, determine what the adversary’s capabilities are with regard to the specific operations of the activity or program.apabilities, and activities that the adversary needs to plan and act effectively to degrade operational effectiveness or place the potential for organizational success at risk. The OPSEC process identifies critical information and determines when that information may cease to be critical in the life cycle of an operation, program, or activity.
Application of Appropriate Countermeasures
In the final step, countermeasures are developed to protect the activity. Ideally, the chosen countermeasures eliminate the adversary threat, the vulnerabilities that can be exploited by the adversary, or the utility of the information. In assessing countermeasures, the impact of the loss of critical information on organizational effectiveness must be balanced against the cost of implementing corrective measures. Possible countermeasures should include alternatives that may vary in terms of feasibility, cost, and effectiveness. Based on the probability of collection, the cost effectiveness of various alternatives and the criticality of the activity countermeasures are selected by the program manager. In some cases, there may be no effective means to protect information because of cost or other factors that make countermeasure implementation impossible. In such cases, the manager must decide to accept the degradation of effectiveness or cancel the activity.