
SEC-02-06
Risk Assessment
Prioritizing what to protect and accepting what you cannot
Risk assessment is where analysis produces priority. Every vulnerability carries some level of risk, but not every vulnerability requires equal countermeasure investment. Risk is the product of three factors: the probability of adversary collection, the severity of impact if collection occurs, and the adversary’s ability to act on what they collect in time to matter. This step tells you what to fix first — and what to accept.
The Risk Formula
Probability, Impact, and Time
The standard approach to OPSEC risk assessment evaluates each vulnerability against three variables. Probability is the likelihood that your identified adversary will actually collect this indicator given their access, interest, and collection capability. A technically capable adversary who is actively targeting you is a higher probability than a capable adversary who has no specific reason to look at you.
Impact is the severity of consequence if the adversary successfully collects the critical information and acts on it. High impact means the adversary’s action would significantly degrade your safety, plans, or operational capability. Low impact means the adversary’s action produces minimal disruption — perhaps they learn something, but cannot do much with it.
Timeliness is the factor most often ignored. Critical information has a shelf life. An adversary who learns your resupply route three months after the fact cannot interdict that specific run. An adversary who learns it six hours in advance can. Risk assessment must account for whether your adversary can convert collected information into action before the operational window has passed.
The working formula is: Risk = Threat Probability x Vulnerability Severity x Impact. Use a simple three-point scale (Low/Medium/High or 1/2/3) for each variable. The product gives you a comparative ranking. This does not need to be precise — it needs to be directionally correct enough to tell you what to prioritize.
Accept, Mitigate, or Eliminate
Three Responses to Risk
Once you have ranked your vulnerabilities by risk, you have three responses available. Mitigation means applying countermeasures to reduce probability, reduce impact, or reduce timeliness — bringing the overall risk to an acceptable level without eliminating the underlying activity. This is the most common response and the most operationally sustainable.
Elimination means stopping the activity that produces the indicator entirely. This is sometimes appropriate for high-risk vulnerabilities where mitigation is not sufficient, but it is operationally expensive — it means giving up capability or activity in exchange for security. Elimination is not always available, and forcing it where it is not warranted degrades operational effectiveness without commensurate security gain.
Acceptance means documenting that you are aware of the vulnerability, have assessed it, and have determined that the risk is tolerable given the cost of mitigation. Acceptance is not complacency — it is a deliberate, documented decision. If you cannot afford to mitigate everything, accepting lower-priority risks while concentrating on higher-priority ones is sound risk management.
Prioritizing the vulnerability list
A group’s vulnerability analysis identified eight active vulnerabilities. They ran the risk formula against each and found that two scored High on all three variables: an identified adversary with documented collection history, access to the specific indicators, and ability to act within a relevant time window. Three scored Medium. Three scored Low.
Their countermeasure resources were limited. Instead of attempting to address all eight vulnerabilities with equal effort, they concentrated their mitigation work on the two high-risk vulnerabilities, applied lighter countermeasures to the three medium-risk items, and formally accepted the three low-risk vulnerabilities with documentation. This is exactly what risk assessment is designed to produce: a defensible, resource-efficient prioritization instead of a scattered, undifferentiated response to all potential exposures.
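The scoring and triage described in the case above, worked through as an added Python example that is not part of the lesson: it takes the probability, impact and timeliness variables from the exercise (1-3 each), multiplies them as the lesson directs, ranks the result, and maps each product to a response. The band thresholds (18 for high, 6 for medium), the eight sample vulnerabilities and the Vulnerability class are constructed assumptions for illustration, not part of the course material.

```python
from dataclasses import dataclass

# Three-point scale from the lesson; only these values are valid inputs.
SCALE = {"low": 1, "medium": 2, "high": 3}

# Constructed thresholds (assumption): all three High = 27, two High + one
# Medium = 18, all Medium = 8. Anything below 6 is treated as low risk.
HIGH_THRESHOLD = 18
MEDIUM_THRESHOLD = 6


@dataclass(frozen=True)
class Vulnerability:
    """One vulnerability from the analysis, rated on the lesson's three variables."""
    name: str
    probability: int  # likelihood the adversary collects the indicator
    impact: int       # severity if they collect and act on it
    timeliness: int   # can they act before the operational window closes?

    def __post_init__(self):
        for label, value in (("probability", self.probability),
                             ("impact", self.impact),
                             ("timeliness", self.timeliness)):
            if value not in SCALE.values():
                raise ValueError(f"{label} must be 1, 2 or 3, got {value!r}")

    @property
    def score(self) -> int:
        # Risk = probability x impact x timeliness, range 1..27
        return self.probability * self.impact * self.timeliness


def band(score: int) -> str:
    """Map a product score to a comparative band (thresholds are assumptions)."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def response(score: int) -> str:
    """The three responses from the lesson: concentrate countermeasures on the
    high band, apply lighter ones to the medium band, formally accept the rest.
    Elimination is a judgment call the lesson reserves for cases where
    mitigation is insufficient, so it is flagged rather than decided here."""
    return {
        "high": "mitigate (consider elimination if mitigation is insufficient)",
        "medium": "light mitigation",
        "low": "accept (document the decision and rationale)",
    }[band(score)]


def assess(vulns):
    """Rank vulnerabilities highest-risk first and attach band and response."""
    ranked = sorted(vulns, key=lambda v: (-v.score, v.name))
    return [(v.name, v.score, band(v.score), response(v.score)) for v in ranked]


def band_counts(vulns):
    """How many vulnerabilities fall into each band."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for v in vulns:
        counts[band(v.score)] += 1
    return counts


# Constructed sample set mirroring the case: eight vulnerabilities, two that
# score High on every variable, three Medium, three Low.
SAMPLE = [
    Vulnerability("resupply timing visible in shared calendar", 3, 3, 3),
    Vulnerability("staff roster posted publicly", 3, 3, 3),
    Vulnerability("vehicle descriptions in open correspondence", 2, 3, 2),
    # High probability and impact, but the adversary cannot act in time:
    # timeliness pulls the product from 27 down to 9 (the reflection question).
    Vulnerability("after-action summaries shared late", 3, 3, 1),
    Vulnerability("predictable meeting venue", 2, 2, 2),
    Vulnerability("outdated contact list in archive", 2, 1, 2),
    Vulnerability("generic equipment photos online", 1, 1, 3),
    Vulnerability("old project codename in filenames", 1, 2, 1),
]

if __name__ == "__main__":
    for name, score, b, resp in assess(SAMPLE):
        print(f"{score:>2}  {b:<6}  {name}: {resp}")
    print(band_counts(SAMPLE))
```

Because the band thresholds drive the mitigate/accept split, change them to match your own tolerance and resources; the lesson only requires the ranking to be directionally correct, so two groups with different thresholds can both be doing sound risk management as long as each accepted risk is documented.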
Take the vulnerabilities you identified in Lesson 5. Rate each one on probability (1-3), impact (1-3), and timeliness (1-3). Multiply the scores. Rank your vulnerabilities from highest to lowest total score. Identify which ones you will mitigate, which you will accept, and whether any warrant elimination of the underlying activity. Write your decision and rationale for each.
A vulnerability scores High on probability and severity, but your adversary cannot act on the information within any operationally relevant time window. How should this affect your risk assessment?
I can define the three variables in the risk formula: probability, impact, and timeliness.
I understand the difference between mitigation, elimination, and acceptance as risk responses.
I can rank my identified vulnerabilities by priority using a simple scoring system.
I understand that formal risk acceptance is a legitimate and documented decision, not complacency.