<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.1" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: It&#8217;s All OPSEC</title>
	<link>http://whatisopsec.com/2008/03/05/its-all-opsec/</link>
	<description>"That's Not OPSEC"</description>
	<pubDate>Wed, 08 Feb 2012 00:18:09 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.1</generator>

	<item>
		<title>By: Frank Koza</title>
		<link>http://whatisopsec.com/2008/03/05/its-all-opsec/#comment-252</link>
		<author>Frank Koza</author>
		<pubDate>Mon, 07 Apr 2008 15:30:00 +0000</pubDate>
		<guid>http://whatisopsec.com/2008/03/05/its-all-opsec/#comment-252</guid>
		<description>Quote:  "I’ve spent many hours in debate with people I respect and while we may disagree in one or two of the gray areas we all (but one) agree that it is essentially ALL OPSEC when it comes to our responsibilities as OPSEC Program Managers or members of an assessment/survey team."

Well, I certainly hope I'm that one who doesn't agree.  You are absolutely right in the first paragraph about you having a responsibility to report a potential Info Security program violation like the one you saw, but that does not make it OPSEC and your responsibility ends there.

IMHO, this is the downfall of many an OPSEC program, and one of the main reasons why there is such a dearth of in-depth risk analysis going on out there.  Too many people have been trained to keep themselves busy picking the 'low hanging' fruit, identifying obvious violations to other security programs and calling it OPSEC.  This is exactly why so many items in an OPSEC assessment report can be traced back to other programs while saying that was an OPSEC job well done.  The problem is, there is often little OPSEC analysis going into the process.  

As OPSEC professionals we absolutely MUST consider the capabilities and intent of the threat along with the magnitude of impact to our mission or operation should they gain critical information or observe operations indicators.  But that's not all.  We also have to consider the probability of the threat gaining, processing, and exploiting that information in time to affect the mission.  

So many times I see the worst case scenario identified.  That's like saying if you and I were in a room, I could punch you in the nose.  Put that in your OPSEC report and recommend the protective measure of you wearing a full face helmet when I'm around.  Well, the probability of me punching you in the nose is not very high so that would be a waste of your money besides being a huge inconvenience...  Now the probability of me goading you into buying me a drink at the bar is very high, so be sure to leave your cash and credit cards at home.  /me winks....</description>
		<content:encoded><![CDATA[<p>Quote:  &#8220;I’ve spent many hours in debate with people I respect and while we may disagree in one or two of the gray areas we all (but one) agree that it is essentially ALL OPSEC when it comes to our responsibilities as OPSEC Program Managers or members of an assessment/survey team.&#8221;</p>
<p>Well, I certainly hope I&#8217;m that one who doesn&#8217;t agree.  You are absolutely right in the first paragraph about you having a responsibility to report a potential Info Security program violation like the one you saw, but that does not make it OPSEC and your responsibility ends there.</p>
<p>IMHO, this is the downfall of many an OPSEC program, and one of the main reasons why there is such a dearth of in-depth risk analysis going on out there.  Too many people have been trained to keep themselves busy picking the &#8216;low hanging&#8217; fruit, identifying obvious violations to other security programs and calling it OPSEC.  This is exactly why so many items in an OPSEC assessment report can be traced back to other programs while saying that was an OPSEC job well done.  The problem is, there is often little OPSEC analysis going into the process.  </p>
<p>As OPSEC professionals we absolutely MUST consider the capabilities and intent of the threat along with the magnitude of impact to our mission or operation should they gain critical information or observe operations indicators.  But that&#8217;s not all.  We also have to consider the probability of the threat gaining, processing, and exploiting that information in time to affect the mission.  </p>
<p>So many times I see the worst case scenario identified.  That&#8217;s like saying if you and I were in a room, I could punch you in the nose.  Put that in your OPSEC report and recommend the protective measure of you wearing a full face helmet when I&#8217;m around.  Well, the probability of me punching you in the nose is not very high so that would be a waste of your money besides being a huge inconvenience&#8230;  Now the probability of me goading you into buying me a drink at the bar is very high, so be sure to leave your cash and credit cards at home.  /me winks&#8230;.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

