Opsec Process Steps
Identification of critical information
- The information that an adversary would need in order to degrade services, disrupt operations, and impact the reputation of an organization.
What are the OPSEC five steps?
1. Identification 2. Analysis of threats 3. Analysis of vulnerabilities 4. Assessment of risks 5. Application of appropriate countermeasures
Identification of critical information (Step 1)
The information that an adversary would need in order to degrade services, disrupt operations, and impact the reputation of an organization.
Examples for step 1
- Core network infrastructure - Information security capability - Business information - Business critical applications - Employee information - Intellectual property
Business information
Mergers and acquisitions
Business critical applications
- Manufacturing applications - Enterprise resource management platforms
Employee information
Identification of system administrators
Intellectual property
- Planning documentation - Schematics - Blueprints
Analysis of threats (Step 2)
Deals with identifying the adversaries, their intent, and their capability to use the information against an organization. Once we identify the threats, we can study their Techniques, Tactics, and Procedures (TTPs) and start prioritizing how we can monitor for those specific activities.
Analysis of vulnerabilities (Step 3)
- A vulnerability is the state of being unprotected from the likelihood of being attacked, physically or emotionally. - By understanding the adversary, their intent, and their capability, an organization can focus on identifying the potential vulnerabilities that exist in the enterprise.
Assessment of risks
- Once vulnerabilities are identified, they must go through the organization's risk assessment process. This process evaluates each vulnerability and assigns it a risk level based on the sum of the probability of exploitation and impact to the organization.
Examples of probability levels
- Certain - Likely - Possible - Unlikely - Rare
Examples of impact levels
- Negligible Loss - Marginal Loss - Moderate Loss - Critical Loss - Catastrophic Loss
Certain
100% chance it will happen
Likely
>80% chance it will happen
Possible
60-79% chance it will happen
Unlikely
11-59% chance it will happen
Rare
Less than 10% chance it will happen
Negligible Loss
If this happens, it won't bother us too much.
Marginal Loss
If this happens, it will be an annoyance, but we can get by.
Moderate Loss
There will need to be a few projects to get us back to where we were.
Critical Loss
There will be some major projects to get us back to where we were.
Catastrophic Loss
We need to start from the beginning because there will be nothing left.
Examples of levels of risk
- High - Medium - Low
Application of appropriate countermeasures (Step 5)
After the risk assessment, organizations should be able to prioritize resources to: - Avoid the risk - Control/mitigate the risk - Accept the risk - Transfer the risk
Avoid the risk
Change planning to work around the problem.
Control/mitigate the risk
Isolate the problem and reduce the impact to the organization: - Network segmentation - Access control lists - Credential management
Accept the risk
Acknowledge that the problem exists
Transfer the risk
- Cyber insurance - Service providers