2.1.2. Control Types: Preventive Through Directive
💡 First Principle: Types answer "what does this control achieve?" — they describe the purpose of the control, not how it's implemented. The same device can serve different types depending on context: a camera that records is detective; its visible presence is deterrent.
Preventive controls stop threats before they cause harm. A firewall blocking malicious traffic, a locked door preventing unauthorized entry, encryption making stolen data unreadable — all are preventive. They're the first choice for risk mitigation, but no single preventive control catches everything.
Deterrent controls discourage attackers from attempting an attack. A "Premises under CCTV surveillance" sign, a login banner warning of prosecution, or a barbed-wire fence all change the attacker's cost-benefit calculation. They don't physically stop anything — they convince attackers to go elsewhere.
Detective controls identify that an attack has occurred or is in progress. Intrusion detection systems, log monitoring, security audits, and motion sensors all detect events. Detection without response is merely observation — detective controls must feed into response procedures.
Corrective controls fix damage after an incident. Restoring from backups, applying emergency patches, re-imaging infected workstations, and executing disaster recovery plans all restore normal operations.
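The detective and corrective paragraphs above describe a chain: log monitoring detects, and a response procedure corrects. The following added example (not part of the study guide) shows that chain in working code: a small detective control that watches constructed SSH authentication log lines for repeated failed logins within a time window, and a response routine that turns each detection into concrete actions. The log format, the threshold of five failures per minute, and the action names are all assumptions chosen for the illustration.

```python
"""Added example: a detective control (failed-login monitoring) feeding a
response procedure, so that detection is not merely observation."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not real data); addresses are
# documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:04 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:06 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:09 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:12 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:02:00 sshd: Accepted password for bob from 198.51.100.9
2024-05-01T10:30:00 sshd: Failed password for carol from 192.0.2.5
"""

THRESHOLD = 5                 # assumed: failures that count as an attack
WINDOW = timedelta(minutes=1)  # assumed: sliding window for counting


def parse_line(line):
    """Return (timestamp, outcome, user, src_ip) for one constructed log line."""
    ts_text, _, rest = line.partition(" sshd: ")
    words = rest.split()
    # words: ['Failed', 'password', 'for', 'alice', 'from', '203.0.113.7']
    outcome, user, src_ip = words[0], words[3], words[5]
    return datetime.fromisoformat(ts_text), outcome, user, src_ip


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Detective control: flag (user, ip) pairs that reach `threshold`
    failed logins inside `window`. Returns the list of flagged pairs."""
    failures = defaultdict(list)
    alerts = []
    for line in log_text.splitlines():
        ts, outcome, user, ip = parse_line(line)
        if outcome != "Failed":
            continue
        key = (user, ip)
        # keep only failures still inside the sliding window
        failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
        if len(failures[key]) >= threshold and key not in alerts:
            alerts.append(key)
    return alerts


def respond(alerts):
    """Response procedure: each detection becomes a corrective action
    (lock the targeted account, open a review ticket) plus a preventive
    one going forward (block the source address). Actions are simulated
    as dictionaries rather than executed."""
    return [
        {"lock_account": user, "block_ip": ip, "open_ticket": True}
        for user, ip in alerts
    ]


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for action in respond(found):
        print(action)
```

Running the block flags only the alice/203.0.113.7 pair: carol's single failure and bob's successful login never cross the threshold. The point for the exam framing is the split of responsibilities: `detect_bruteforce` is purely detective, and only `respond` changes the system's state.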
Compensating controls provide alternative protection when the primary control isn't feasible. If a legacy system can't support encryption, you might compensate with network segmentation and enhanced monitoring. Compensating controls aren't weaker substitutes — they're alternative paths to equivalent risk reduction.
Directive controls instruct people on expected behavior. Acceptable use policies, security awareness training materials, posted procedures, and compliance requirements all set expectations and guide behavior without directly enforcing anything.
⚠️ Exam Trap: A single control can serve multiple types. A security camera is detective AND deterrent. An access badge is preventive AND detective (logs entry times). When the exam asks "which type," look for the primary purpose in the scenario context.
