Which type of control is concerned with avoiding occurrences of risks?
A. B. C. D.

Answer: C
Preventive controls are concerned with avoiding occurrences of risks while deterrent controls are concerned with discouraging violations.
Detective controls identify occurrences, and compensating controls are alternative controls used to compensate for weaknesses in other controls.
Supervision is an example of a compensating control.
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
The type of control that is concerned with avoiding occurrences of risks is the preventive control. Preventive controls are proactive measures that aim to prevent risks from occurring in the first place. They are designed to stop an incident from happening, reduce the likelihood of an event occurring, or minimize the impact of an incident should it occur. Preventive controls include policies, procedures, training, and technologies that are implemented to reduce the likelihood of a threat or vulnerability being exploited.
Deterrent controls are designed to discourage individuals from attempting to exploit vulnerabilities. For example, a sign that warns of surveillance cameras in an area is a deterrent control.
Detective controls are reactive measures that are put in place to detect an incident after it has occurred. They are designed to identify security breaches and other incidents so that the appropriate action can be taken. Examples of detective controls include security cameras, intrusion detection systems, and log monitoring.
Compensating controls are implemented when the primary control is not feasible or effective. They are designed to provide an alternative way of achieving the same security objective. For example, when a firewall is unable to block a particular type of traffic, compensating controls can be put in place to reduce the risk of exploitation.
In summary, preventive controls are concerned with avoiding occurrences of risks by proactively implementing measures to prevent them from happening.