Security Control Types

6 Basic Types of Security Controls

• Preventive Controls

  • Proactive measures implemented to thwart potential security threats or breaches

• Deterrent Controls

  • Discourage potential attackers by making the effort seem less appealing or more challenging
  • Examples:
    • Let know the bad actors that somebody is monitoring them
    • Warning signs or banners can be installed on the websites to also indicate that monitoring is occurring, and this can help to deter potential attackers from targeting your website

• Detective Controls

  • Monitor and alert organizations to malicious activities as they occur or shortly thereafter
  • The primary goal here is detection and notification
  • Examples:
    • Security cameras monitoring home
    • Intrusion Detection System (IDS)

• Corrective Controls

  • Mitigate any potential damage and restore our systems to their normal state
  • Used after a detective control
  • Example:
    • Quarantine and and removal of malware after detection

• Compensating Controls

  • Alternative measures that are implemented when primary security controls are not feasible or effective
  • Ensure that protection remains intact even if the ideal control is not in place.
  • For example, you may be running a legacy system that simply can't support the latest form of wireless encryption known as WPA3, in this case you might instead use WP2 and use a VPN connection on top of that to act as a compensating control

• Directive Controls

  • Guide, inform, or mandate actions
  • Often rooted in policy or documentation and set the standards for behavior within an organization
  • Often written in policy or Documentation and they set the standards for behavior within your organization
  • Example:
    • Acceptable Use Policy (AUP)