In previous articles in this series, we’ve discussed three of the parts of the OPSEC process. Today we’ll discuss the fourth — assessing risk. It’s not enough to know what your critical information is, or who wants it. It’s not even enough to look at how they could get it; although all of those are important parts of the process, they’re not complete. There are two more steps to go, and the next one answers the question “What is the risk of them getting the information, and what can happen if they do?”
There is a risk matrix used to determine the answer to that question, and it’s important that you understand it, because it serves as a way to triage your many vulnerabilities. If you did the previous steps correctly, you WILL have multiple vulnerabilities, and it’s going to be nearly impossible to just fix them all immediately. As a result, it becomes necessary to triage the list and figure out which ones are critically important to handle first, and which ones can perhaps wait a bit until you have the time, skill, or even money to mitigate them.
The matrix is as follows:
- Critical – Your adversary has already proven they have the ability to exploit a specific vulnerability, and the consequences would be unrecoverable.
This could apply to information about you smuggling magazines into a state where they’re banned, or engaging in private firearm sales in a state where universal background checks are the law. Remember previous steps — your adversary doesn’t need to know that you’re smuggling in order to “discover” that you are; they could piece together unrelated information, such as bulk magazine purchases on your credit card and license plate reader data showing you cross state borders frequently for same day trips and show up at the same location on your phone every time. If your smuggling operation becomes known, the damage would be truly catastrophic. Since the government has already shown it 1) tracks purchases, 2) uses license plate reader data, and 3) tracks location data from phones, then this becomes a critical risk. Don’t come up with a plan to fix this yet; we’ll do that later.
- High – Your adversary can most assuredly exploit an existing vulnerability, and the consequences would be bad enough that you would consider cancelling an activity.
This would apply when you have not seen evidence of demonstrated capability, but you are aware that it exists. Maybe you know your neighbor has the ability to sneak onto your property and canvass your stuff without you knowing, but you haven’t seen him do it to you or anyone else. Maybe you know that your wife has a tendency to blab to her friends about things, but you don’t think she has yet — and maybe one of her friends is the wife of a federal agent or other ‘authority.’ With a high risk level, you’re considering cancelling doing something because if your adversary can exploit your spouse’s verbal diarrhea, you’re looking at some bad consequences.
- Medium High – It’s probable that your adversary could exploit your vulnerability, and it would be bad, but not catastrophic.
Maybe you’d be subject to a year in jail, instead of ten years in Bubba Harem Prison. Maybe you’re using your work resources to access things that, if caught, you could lose your job — but you already know you could get hired again somewhere else immediately.
The above constitute the higher end of the risk matrix; below that we have less disastrous consequences:
- Medium – It’s possible the vulnerability could be exploited, but even if it were, the consequences would be moderate.
- Medium Low – It’s unlikely the vulnerability could be exploited, but if it were the ramifications are minor.
- Low – It’s improbable your adversary could exploit that vulnerability, but even so it’s no big deal if they do.
Here’s where the process is subjective. Only you can determine what constitutes a major or critical consequence. Only you can look at a potential exploit ramification and decide whether it’s a big deal to you or not. For someone with 4 children and one income, for example, maybe loss of a job is a critical consequence, as opposed to someone who is single, has a bit of money in savings, and could technically stand to take a month or so to get another job.
You might realize a few things, including the fact that unless you want local folks showing up at your house in the event of a disaster or other problem affecting food/water/supplies in your locale, you might want to stop posting pics of your stash/weapons/supplies/etc. on Facebook. You might also find yourself going deeper and exploring the reasons why you feel compelled to post these things or advertise your activities — and that goes back to knowing yourself and understanding that sometimes, YOU are the vulnerability.
It’s your job to triage each vulnerability that you’ve assessed in previous steps of the process, and decide the following:
- What’s the risk level?
- What’s the consequence, specifically?
- How willing/able am I to live with that consequence happening?
In this way, you end up getting a solid picture of where the dangers actually are, and where you need to focus your countermeasure efforts — which is what we’ll talk about next time in the final article of the series.