In article , fudog50
wrote:

Here is one for starters, I'm sure you will get all defensive about
it, I don't make the guidelines, but here are some of them.

http://www.defendamerica.mil/articles/a021202b.html


That is a Department of Energy site, and perhaps it might be more
on-point to have DoD Instructions, Air Force Regulations, etc. Yet,
here is a partial quote:

Assessment of Risks


Vulnerabilities and specific threats must be matched. Where the
vulnerabilities are great and the adversary threat is evident, the risk
of adversary exploitation is expected. Therefore, a high priority for
protection needs to be assigned and corrective action taken. Where the
vulnerability is slight and the adversary has a marginal collection
capability, the priority should be low.


Application of the Countermeasures


Countermeasures need to be developed that eliminate the vulnerabilities,
threats, or utility of the information to the adversaries. The possible
countermeasures should include alternatives that may vary in
effectiveness, feasibility, and cost. Countermeasures may include
anything that is likely to work in a particular situation. The decision
of whether to implement countermeasures must be based on cost/benefit
analysis and an evaluation of the overall program objectives.


In other words, countermeasures such as remaining completely silent are
meant to be applied when a risk can be characterized. In an earlier
posts, I described, from the standpoint of how an analyst would use this
material, that the risk is quite low.