Domain 1 · 1.1 Security Controls
1.1.2 Control Types
Preventive, Deterrent, Detective, Corrective, Compensating, Directive.
14 min
Categories say *how* a control is built. Types say *why* it exists.
The six control types
- Preventive → stops an attack before it succeeds
- Examples: MFA, firewalls, IPS, encryption, locked doors
- Keywords: *prevent, block, deny, enforce, require, restrict*
- Deterrent → discourages an attacker by raising perceived risk
- Examples: warning signs, visible guards, security lighting
- Keywords: *discourage, warning, visible, prosecution*
- Detective → identifies or records malicious activity
- Examples: IDS, SIEM alerts, audit logs, CCTV, FIM
- Keywords: *detect, monitor, log, alert, review, audit*
- Corrective → restores operations after an incident
- Examples: restoring backups, applying patches, rebuilding machines, removing malware
- Keywords: *restore, recover, remediate, repair, rebuild*
- Compensating → an alternative when the ideal control isn't possible
- Example: legacy app can't support MFA → use VPN + segmentation + monitoring
- Keywords: *alternative, workaround, legacy, substitute*
- Directive → guides user behavior through instruction
- Examples: policies, standards, acceptable use policies, training
- Keywords: *policy, procedure, standard, guideline, training*
Common exam traps
- A CCTV camera → Physical category, Detective type
- A security guard → Operational category, often a Deterrent
- IDS = Detective (alerts only) vs IPS = Preventive (blocks)
- Managerial = creating policies & risk assessments
- Operational = executing backups, IR, training
Exam shortcut
- Preventive = stop
- Deterrent = discourage
- Detective = discover
- Corrective = recover
- Compensating = alternative
- Directive = instruct