
SEC-02-02
The Five-Step Process
The diagnostic framework that produces protection
The OPSEC process has five steps that must be run in sequence. Each step depends on the output of the one before it. Skipping or reversing steps is not a shortcut — it is a guarantee that your countermeasures will be aimed at the wrong targets. This lesson maps all five steps and explains why their order is not arbitrary.
The Five Steps
The Process in Sequence
Step 1: Identify Critical Information
Before you can protect anything, you need to know what you are protecting. Critical information is the specific facts that, if obtained by an adversary, would allow them to disrupt your plans, operations, or safety. The output of this step is a Critical Information List (CIL) — a short, specific, prioritized list. Longer is not better. If everything is critical, nothing is. Lesson 3 covers CIL construction in full.
Step 2: Analyze the Threat
A threat is only a threat if it has both the capability and the intent to collect your critical information and act on it. Step 2 forces you to name your actual adversaries, not imagined ones, and assess what they are capable of. Who specifically would benefit from knowing what you have on your CIL? What collection methods can they access? This is not paranoia — it is triage. Lesson 4 covers threat analysis.
Step 3: Analyze Vulnerabilities
A vulnerability is the intersection of an indicator your activities produce and a collection capability your adversary possesses. Your activities leave traces — behavioral patterns, physical evidence, digital footprints, communications. Step 3 examines those traces against the threats identified in Step 2. Not all indicators are vulnerabilities; they are only vulnerabilities if your identified adversary can actually exploit them. Lesson 5 covers indicators and vulnerabilities.
Step 4: Assess Risk
Not every vulnerability carries the same risk, and not every risk is worth equal countermeasure effort. Step 4 asks: if this adversary exploits this vulnerability, how bad is the outcome, and how likely is that exploitation? Risk = threat level x vulnerability severity x impact. The result is a prioritized list of what to address first, and what to accept. Lesson 6 covers risk assessment.
Step 5: Apply Countermeasures
Only after completing Steps 1 through 4 do you select and implement countermeasures. Countermeasures can take three forms: action control (change or stop the activity that produces the indicator), countermeasures (technical or physical measures that block collection), and counter-analysis (deception that makes your indicators misleading). The goal is not to apply all available countermeasures — it is to apply the right ones at the highest-priority vulnerabilities. Lesson 7 covers countermeasures and the continuous cycle.
Why the Sequence Matters
The Logic of the Order
Each step is impossible to execute correctly without the one before it. You cannot assess vulnerabilities (Step 3) without knowing your adversary’s collection capability (Step 2). You cannot assess your adversary’s capability (Step 2) without knowing what information they would want (Step 1). You cannot prioritize risk (Step 4) without knowing which vulnerabilities exist (Step 3). You cannot select countermeasures (Step 5) without knowing which vulnerabilities are high-priority risks (Step 4).
Most people who “do OPSEC” jump directly to Step 5 — they buy the encrypted app, they change the password, they switch to cash — without having run Steps 1 through 4. This means their countermeasures are disconnected from any analysis of actual risk. They may be protecting the wrong things while leaving real vulnerabilities open. The five-step sequence exists to prevent exactly this.
The prepared family that skipped Step 2
A family did a serious job of identifying their critical information (Step 1) and spent months securing against digital collection — encrypted communications, no social media, privacy screen filters (Step 5). What they skipped was threat analysis (Step 2). Their actual highest-risk adversary was not a digital threat at all: it was a neighbor who had observed their vehicle patterns, visitor frequency, and delivery receipts over two years. The neighbor had no digital collection capability, but excellent observational access. All the digital countermeasures were correctly applied to the wrong threat.
Running Step 2 properly would have redirected effort toward the physical and behavioral indicators the neighbor could observe — and away from digital controls that addressed a threat that did not exist in their environment.
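The family case above, run through Steps 3 to 5 as a small model. This is an added example written for this lesson, not part of the course material; the threat levels, severity and impact scores, indicator names and collection channels are all constructed to mirror the story, and the scoring follows the lesson's Risk = threat level x vulnerability severity x impact.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Threat:            # output of Step 2
    name: str
    channels: frozenset  # collection methods this adversary can actually use
    level: int           # 1-5, combining intent and capability

@dataclass(frozen=True)
class Indicator:         # a trace your activity leaves (input to Step 3)
    name: str
    channel: str         # how the trace could be collected
    severity: int        # 1-5, how directly it exposes the CIL item
    cil_item: str        # which Step 1 item it points at

def analyze_vulnerabilities(indicators, threats):
    """Step 3: an indicator is a vulnerability only if an identified threat can collect it."""
    return [(i, t) for i, t in product(indicators, threats)
            if i.channel in t.channels]

def assess_risk(vulns, impact):
    """Step 4: Risk = threat level x vulnerability severity x impact of losing the CIL item."""
    scored = [(t.level * i.severity * impact[i.cil_item], i.name, t.name)
              for i, t in vulns]
    return sorted(scored, reverse=True)

def uncovered(ranked, blocked_channels, indicators):
    """Step 5 check: ranked vulnerabilities the chosen countermeasures leave open."""
    channel_of = {i.name: i.channel for i in indicators}
    return [name for _, name, _ in ranked if channel_of[name] not in blocked_channels]

# Constructed sample data modelled on the lesson's family case (not from the lesson).
IMPACT = {"daily schedule": 4, "supply deliveries": 5}                     # Step 1 CIL
THREATS = [Threat("observant neighbor", frozenset({"observation"}), 4)]    # Step 2
INDICATORS = [                                                             # Step 3 inputs
    Indicator("vehicle patterns", "observation", 4, "daily schedule"),
    Indicator("delivery receipts", "observation", 5, "supply deliveries"),
    Indicator("message metadata", "digital", 3, "daily schedule"),
]

def run_process(blocked_channels=frozenset({"digital"})):
    """Run Steps 3-5 in order; default countermeasures block only digital collection."""
    ranked = assess_risk(analyze_vulnerabilities(INDICATORS, THREATS), IMPACT)
    return ranked, uncovered(ranked, blocked_channels, INDICATORS)

if __name__ == "__main__":
    print(run_process())
```

With the neighbor as the only identified threat, the digital indicator never becomes a vulnerability, and the digital-only countermeasures leave every ranked vulnerability open; passing a countermeasure set that blocks observation closes them all.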
Without looking back at the lesson, write down the five steps in order from memory. If you miss the order or conflate any steps, re-read the step definitions above. You will need all five steps — in order — to complete the assessments later in this course.
In the OPSEC process, why must threat analysis (Step 2) precede vulnerability analysis (Step 3)?
I can name all five steps of the OPSEC process in the correct sequence.
I understand that each step depends on the output of the step before it.
I understand that countermeasures (Step 5) are the last step, not the first.
I can explain why skipping steps produces misdirected protection rather than savings.