Information Systems Security Management Professional Exam: First Law of OPSEC

The First Law of OPSEC: Protect Critical Information by Limiting Disclosure

Question

Which of the following statements is related with the first law of OPSEC?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

D.

The correct answer to this question is D. If you don't know the threat, how do you know what to protect?

The first law of OPSEC (Operations Security) states that you must identify critical information and analyze threats in order to determine the necessary measures to protect that information. This means that understanding the threat environment is crucial to effective security management.

If you don't know the threat, it is impossible to know what information or assets are at risk, and therefore impossible to implement appropriate security measures. For example, if you are unaware of the specific tactics and techniques used by a cyber attacker, you may not realize that a certain system vulnerability or access point is particularly susceptible to attack. Without this knowledge, you cannot take appropriate steps to protect against that threat.

Option A ("If you are not protecting it, the adversary wins!") is a general statement about the importance of protecting critical and sensitive information, but it does not directly relate to the first law of OPSEC.

Option B ("If you don't know what to protect, how do you know you are protecting it?") is also related to the first law of OPSEC, but it is not the most accurate statement. While it is true that identifying critical information is an important first step in protecting it, simply knowing what to protect does not necessarily mean that you are protecting it effectively. Effective protection requires a deep understanding of the specific threats to that information.

Option C ("If you don't know about your security resources, you could not protect your network.") is not related to the first law of OPSEC, as it focuses on the importance of understanding security resources rather than the threat environment. While understanding security resources is also important, it is not the primary focus of OPSEC.