Security controls are safeguards, countermeasures, or mechanisms organizations use to detect, prevent, and mitigate security threats and attacks. Examples of security controls include firewalls, security cameras, antivirus software, and intrusion detection and prevention systems (IDPS). There are various types of security controls in cybersecurity, each serving different purposes.

This article will explore the different types of security controls, their examples, and the categories they fall under. Let’s begin with the six types of security controls based on their functions.

1. Preventive Control

Preventive security controls, as the name suggests, protect your IT infrastructure from threats and attacks by preventing security threats from occurring. Some people call them preventative controls, but both terms mean the same thing. 

Here are key examples of preventive controls.

  • Hardening: Application hardening involves enhancing security beyond the default settings. This process includes actions like changing default passwords to strong ones, enabling multi-factor authentication, blocking open ports, and deactivating unnecessary accounts. Reducing the attack surface by hardening limits opportunities for hackers to exploit vulnerabilities in the application.
  • Firewall: A firewall monitors and controls incoming and outgoing traffic based on predetermined security rules. By filtering malicious data packets, a firewall can block unauthorized access while allowing legitimate traffic. This prevents hackers from reaching internal systems, thereby acting as an effective preventive security control. You can explore these managed firewalls to find the best solution for your company.
  • Intrusion Prevention System (IPS): An Intrusion Prevention System (IPS) actively detects and blocks security threats before they can reach your network, preventing potential security incidents. We have prepared a list of the best IPS software to help you make an informed decision based on your needs.
  • Antivirus Software: An Antivirus program protects systems from various types of malware, including viruses, ransomware, spyware, and more. You can check these antivirus software to pick the right program for your business.
  • Regular Software Updates: Keeping your systems’ software and operating systems up-to-date prevents threat actors from exploiting known vulnerabilities to enter your network.
  • Account Disablement Policy: An account disablement policy makes sure that all accounts associated with an employee are disabled when they leave your organization. This prevents them from accessing confidential data after their departure. Failing to deactivate ex-employee accounts poses a severe security risk, as they could leak sensitive information to competitors or post it online out of resentment, causing a data breach.

Conducting security awareness training regularly also acts as a preventive security control. Regular training sessions encourage your staff to follow cybersecurity best practices, which can prevent many common security threats, like social engineering attacks.

2. Deterrent Controls

Deterrent controls reduce the likelihood of attacks by discouraging bad actors from attacking. They can also dissuade your staff from taking a casual approach to cybersecurity.

Here are a few widely used examples of deterrent controls.

  • Warning Signs: Warning signs stating that the facility is under surveillance cameras can discourage many intruders from entering.
  • Login Banners: Displaying login banners that declare unauthorized access a crime can deter your staff members from attempting to access accounts they don’t own, even if they know the login credentials.
  • Security Guards: The presence of security guards in your facility can discourage many unauthorized individuals from entering your premises.
  • Lighting: Proper lighting that eliminates dark spots in your facility can deter intruders who use darkness to gain unauthorized entry into a building.
  • Security Policies: Security policies that clearly outline the disciplinary consequences of violating cybersecurity best practices can discourage employees from showing a lax attitude towards cybersecurity.

You can often find that many deterrent controls can also work as preventive security controls.

Security guards, for instance, act as both a deterrent and a preventive measure. Their presence discourages unauthorized individuals from attempting to enter, and they can physically stop anyone who tries, actively preventing unauthorized access.

3. Detective Controls

Detective security controls help you identify when vulnerabilities were exploited, paving the way for hackers to intrude into your systems. You need to understand that detectives can identify an event once it has occurred.

Here are key examples of detective security controls.

  • Security Incident Event Management Tools (SIEM): SIEM systems collect and analyze data from multiple networking sources, such as router, firewall, and endpoints to detect security threats in real time. They help identify suspicious activities and provide alerts for possible incidents.
  • Intrusion Detection System: An IDS monitors network traffic or system activities to detect any unusual or unauthorized actions. When it detects potential threats or intrusions, it generates alerts, allowing security teams to respond promptly.
  • Motion Detectors: These devices detect movements in areas where there shouldn’t be any activity, such as restricted areas. Motion detectors alert security personnel to investigate any detected motion that could indicate an intrusion.
  • Video Surveillance Camera: These cameras record activities in various areas of your facility, allowing your security teams to use this footage to detect suspicious behavior or review incidents after they occur to understand how they happened.

Some detective security controls can also be defined as deterrent security controls.

For example, video surveillance cameras work as a detective control by recording activities to identify suspicious behavior. However, they also serve as a deterrent control because the visible presence of cameras can discourage people from attempting unauthorized actions, knowing they are being monitored.

4. Corrective Controls

Once inside your network, threat actors are likely to cause severe damage, impacting your IT resources’ confidentiality, integrity, and availability. They can encrypt files, install spyware, steal data, and whatnot.

Corrective controls are used to reverse the damage caused by a security incident after it happened. The objective of corrective controls is to get things back to normal as soon as possible.

Here are key examples of corrective controls.

  • Antivirus Software: After an infection occurs, antivirus programs can scan the device, quarantine infected files, and restore the system to a secure state.
  • Restoration from Backups: If data is lost due to a cyberattack or system failure, restoring from backups helps recover the information and minimize downtime.
  • Password Resets: After a security breach occurs, you should reset all passwords to prevent unauthorized access. This process helps secure accounts and ensures that only authorized users regain access.
  • Security Training: Providing additional employee training after a security incident helps raise awareness of potential threats and proper security practices. This training reinforces the importance of following security protocols and helps prevent future incidents.

As discussed earlier, one type of security control can also serve other functions. For example, the antivirus software mentioned as a corrective security control in this section also acts as a preventive security control.

5. Compensating Security Controls

Compensating security controls are implemented when organizations cannot apply primary security controls or when those primary controls do not provide adequate protection.

Here are some examples of compensating controls.

  • Strict Access Controls: If an organization cannot segregate duties for sensitive processes, it might implement strict access controls and carry out regular security audits to monitor user activities.
  • Data Loss Prevention (DLP) Solutions: If encryption is not possible for data in transit, organizations may implement DLP solutions to monitor and control the flow of sensitive information outside the network.
  • Employee Training and Awareness: If technical controls like spam filters cannot effectively prevent phishing attacks, providing extensive staff training on recognizing and responding to phishing attacks, email spoofing, typosquatting, and other security threats can serve as a compensating control.

6. Directive Controls

Directive security controls provide guidance for users to follow in security-related situations. These controls are typically documented instructions rather than technical tools aimed at achieving security objectives. Their primary purpose is to influence and direct the behavior of individuals within an organization to meet specific security goals.

Examples of directive security controls include:

  • Acceptable Use Policy: A written document outlining the acceptable behaviors and practices for using organizational resources, such as computers, networks, and internet access.
  • Security Awareness Training: These training programs are designed to educate employees about cybersecurity threats, best practices, and their roles in protecting the organizationโ€™s assets and information.
  • Incident Response Plan: An incident response plan is a written document that guides security teams in taking the necessary steps to minimize the impact of a security incident on the confidentiality, integrity, and availability of resources. It also helps restore systems to normal operation.

As you can see, the above-mentioned security controls are defined according to their functional roles in protecting your organization from security threats. However, there is another way to classify security controlsโ€”grouping them based on their implementation methods and areas of focus.

Let’s discuss key categories of security controls below.

Technical Controls

Technical controls use hardware and software to protect your IT infrastructure. Once your IT administrators have installed and configured technical security controls, they will start protecting your systems and resources automatically.

Here are popular examples of technical security controls.

  • Firewalls: Firewalls check and control incoming and outgoing network traffic based on predetermined security rules. They act as a security barrier between trusted internal networks and untrusted external networks, effectively blocking unauthorized access and helping to prevent cyber attacks.
  • Multi-factor Authentication (MFA): If you implement Multi-Factor Authentication (MFA) in your organization, users must provide multiple forms of verification, such as a password and a text message code, before accessing systems. This practice makes it challenging for threat actors to gain unauthorized access to user accounts, even if they successfully obtain passwords using brute force attack tools.
  • Encryption: Encrypting sensitive data in your organization protects it from prying eyes. Even if hackers intercept your data during transmission or gain unauthorized access, they cannot read or understand it.
  • Intrusion Detection and Prevention System (IDPS): IDPS detect and block security threats before it can cause any harm to your IT network. It is an important technical security control used by most organizations today.
  • Endpoint Protection Platform (EPP): Endpoint protection platforms offer various security features, such as data loss protection, protection from malicious downloads, incident investigation and remediation, and more. These features help protect endpoints from security threats.

Managerial Controls

Managerial controls are security policies and procedures established by an organization’s leadership to manage and oversee the security of systems and data. These controls, which are often written documents, focus on planning, assessing, and improving the organization’s security posture.

Here are examples of managerial control.

  • Security Policies: Security policies are written documents that outline your company’s approach to cybersecurity. They define roles and responsibilities, acceptable use, access control policy, and more.
  • Incident Response Plan: An incident response plan explains the process and procedures your organization should follow to identify, manage, and respond to security threats.

Operational Controls

Operational controls focus on making sure that your organisational day-to-day operations are aligned with your overall security goals. Unlike technical controls that are executed by systems, these controls are often executed by people.

Here are examples of operational controls:

  • Configuration Management: A configuration management plan ensures that all systems use secure baseline settings instead of default settings. This helps prevent hackers from exploiting vulnerabilities that result from poor configuration settings.
  • Security Awareness Training: Regular cybersecurity training helps your employees follow cybersecurity best practices, such as creating strong passwords, understanding threats of social engineering attacks, and avoiding clicking unknown links. This helps your company to meet its overall security goals.
  • User account Management: Managing user accounts involves giving the right access to individuals based on their roles and deleting accounts once employees leave the company. Use account management helps ensure that data access aligns with the least privilege principle.
  • Patch Management: Regularly updating and applying software patches is an ongoing operational task to prevent vulnerabilities, ensuring that day-to-day system management is in line with security goals. You can explore these best patch management software to automate updates in your organization.

Physical Controls

Physical security controls are security measures that you can touch. They work by discouraging potential intruders from entering your premises.

Here are key examples of physical security controls:

  • Access Control Systems: Keycards or biometric scanners help restrict entry to authorized personnel only.
  • Surveillance Cameras: Surveillance cameras monitor activities and deter crime by making potential intruders aware they are being watched. Additionally, they provide useful evidence for investigations.
  • Security Personnel: Employing trained security guards to patrol the premises can discourage unauthorized personnel from entering your premises.
  • Fencing and Barriers: Fences and barriers dissuade potential intruders from entering your premises.

Different Security Control Types and Categories: A Quick Table

We have created a quick table below, which lists examples of types of security controls and categories of different control types.

Control TypesTechnical Managerial Operational Physical
PreventiveFirewall On-boarding policyEmployee training Door lock
DeterrentAn account lockout mechanismImplementing and communicating security policyReception desk Warning signs
DetectiveSEIMReview login reportsProperty patrolsMotion sensors
CorrectiveBackup recovery Updating security policies after an incidentRetraining employees after a breachReplacing broken security camera
CompensatingBlock instead of patch Enhanced supervisory oversight Manual logging of visitorsPower generator
DirectiveFile Storage PoliciesCompliance policiesSecurity policy trainingSign: authorized personnel only

Importance of Security Controls

Security controls protect your organization from security threats by identifying, mitigating, and reducing the impact of security incidents.

Here are key reasons why it is important to implement security controls.

  • Risk Mitigation: Security controls reduce the likelihood and impact of security incidents.
  • Data Protection: Security controls protect your data from unauthorized access. They can help you ensure the confidentiality, integrity, and availability of your data resources. You can check these data security solutions to protect data in your organization.
  • Regulatory Compliance: Depending on your industry, you may be liable to some regulations like the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPPA) that require you to implement security measures to protect your customers’ data. Implementation of various security controls strategically can help you meet regulatory compliance.
  • Trust and Reputation: Security controls reduce the frequency and impact of security incidents. This prioritization of security enhances trust and reputation among customers, vendors, stakeholders, and third parties, as they feel more secure working with organizations that take security seriously.

Frequently Asked Questions

What are technical vs physical controls?

Technical controls use hardware and software to protect IT systems and data, such as firewalls, encryption, and intrusion detection systems. On the other hand, physical controls involve tangible measures to secure a facility, such as access control systems, surveillance cameras, and security personnel.

What is the difference between directive control and deterrent control?

Directive controls provide guidance and instructions on acceptable behaviors and practices within an organization. Examples include security policies and training programs. In contrast, deterrent controls discourage unwanted behavior through visible measures, such as warning signs or the presence of security personnel.

What is the difference between preventive and detective control?

Preventive controls stop security incidents before they occur. Examples include firewalls and antivirus software, which block unauthorized access or malware. Detective controls, however, identify and alert organizations about security incidents after they happen, such as intrusion detection systems and security monitoring tools.

What is the difference between compensating controls and detective controls?

Compensating controls are alternative measures implemented when primary security controls cannot be used or are insufficient. For example, organizations may use strict access controls if encryption isn’t feasible. Detective controls, on the other hand, identify and alert security incidents after they occur, such as intrusion detection systems or security event monitoring tools.

What is the difference between deterrent and detective controls?

Deterrent controls discourage attacks through visible measures, such as warning signs and security guards. In contrast, detective controls identify security incidents after they occur, using tools like intrusion detection systems and video surveillance cameras to monitor and alert for suspicious activity.