Episode 7 — Control Categories and Control Types (1.1)
In this episode, we start with security controls, which are the safeguards that help reduce risk. If you are new to cybersecurity, the word control can sound a little vague at first. It may sound like a button, a setting, or a technical feature, but it is broader than that. A control can be a technology, a policy, a process, a person’s action, a physical barrier, or a rule that guides behavior. The reason this matters is that Security+ expects you to recognize not only what a control does, but what kind of control it is. You will see controls described by category, such as technical, managerial, operational, and physical. You will also see controls described by type, such as preventive, detective, corrective, deterrent, compensating, and directive. Once you understand those two ways of sorting controls, many exam scenarios become much easier to read.
Before we continue, a quick note. This audio course is part of our companion study series. The first book is a detailed study guide that explains the exam and helps you prepare for it with confidence. The second is a Kindle-only eBook with one thousand flashcards you can use on your mobile device or Kindle for quick review. You can find both at Cyber Author dot me in the Bare Metal Study Guides series.
A security control exists because something could go wrong. That something might be an attacker stealing data, a user making a mistake, a system becoming unavailable, a file being changed without permission, or a person entering a restricted area. The control is the safeguard placed between the risk and the damage. A lock reduces the chance of unauthorized entry. A password reduces the chance of unauthorized account access. A backup reduces the damage if data is deleted or encrypted by ransomware. A policy reduces confusion by telling people what is allowed and what is not allowed. You should not think of controls only as things that stop attacks. Some controls detect problems. Some guide behavior. Some help recover after failure. Some discourage people from trying something risky in the first place.
Control categories tell you what form the control takes or where it lives in the security program. Technical controls are built into systems and technology. Managerial controls guide decisions and oversight. Operational controls are the human-driven processes that keep security working day by day. Physical controls protect spaces, equipment, and people in the real world. These categories are useful because security does not happen in only one place. If you protect a server with strong access permissions but leave the server room unlocked, you still have a problem. If you write a strong policy but never train anyone or monitor anything, the policy may not change behavior. If you buy a security tool but no one reviews the alerts, the tool may not help much. Good security uses several categories together.
Technical controls are usually the easiest to picture because they are built into hardware, software, networks, applications, or cloud systems. A firewall is a technical control because it filters traffic based on rules. Encryption is a technical control because it protects information by making it unreadable without the right key. Multi-Factor Authentication (MFA) is a technical control because it strengthens the sign-in process by requiring more than one form of proof. Antivirus or endpoint protection is also technical because it runs on systems and looks for harmful activity. Technical controls matter because they can enforce decisions consistently and at scale. But they are not perfect by themselves. A technical control can be misconfigured, ignored, outdated, or placed in the wrong part of the environment. You still need people and processes around it.
Managerial controls focus on governance, planning, oversight, and decision-making. These controls help define what the organization expects and how security should be managed. Policies, standards, risk assessments, security plans, audits, and governance processes can all be managerial controls. They may not block an attacker directly, but they shape the security program that chooses and maintains the controls. If a policy says sensitive data must be encrypted, that policy guides technical and operational work. If a risk assessment identifies a serious weakness, leadership can decide what resources are needed to reduce the risk. Managerial controls help answer questions like who owns the risk, what rules apply, what level of protection is required, and how success will be measured. Without this layer, security can become a set of disconnected tools with no clear direction.
Operational controls are the everyday actions and processes that help security actually work. These are often performed by people, sometimes with support from technology. Security awareness training is an operational control because it helps you recognize phishing, suspicious activity, and unsafe behavior. Change management is operational because it guides how updates and changes are reviewed before they affect production systems. Incident response procedures are operational because they help people respond in a consistent way when something goes wrong. Account reviews, backup testing, log review, visitor check-in, and separation of duties can also fit here. Operational controls matter because many security failures happen during normal work. A rushed change, skipped review, forgotten account, or untested recovery process can create real risk even when strong technical tools exist.
Physical controls protect the real-world side of security. Cybersecurity may sound digital, but physical access still matters. If someone can walk into a server room, remove a hard drive, plug in an unauthorized device, or access a workstation left unattended, digital protections may be weakened. Door locks, fences, badge readers, guards, cameras, lighting, mantraps, cable locks, safes, and secure server rooms are physical controls. These controls help prevent, detect, or discourage unauthorized physical access. They also protect equipment from theft, tampering, and environmental damage. A strong password does not help much if an attacker can steal the whole laptop and the drive is not encrypted. A secure network design does not help much if critical equipment is sitting in an unlocked closet. Physical security supports digital security.
The same control can sometimes be understood in more than one way, and that is where exam questions can feel tricky. A camera is a physical control because it is a physical device, but it may also be detective because it helps reveal what happened. A security policy is managerial because it sets direction, but it may also be directive because it tells people what they must do. MFA is technical because it is enforced through systems, and it is also preventive because it helps stop unauthorized sign-ins. You should not panic when a control seems to fit more than one label. Read what the question is asking. If it asks for the category, think about the form of the control. If it asks for the type, think about what the control does.
Preventive controls are designed to stop something unwanted before it succeeds. They are often the controls people notice first because they stand between the attacker and the target. A locked door helps prevent unauthorized entry. Access control helps prevent users from reaching data they should not see. MFA helps prevent a stolen password from being enough by itself. Network segmentation helps prevent a compromise in one area from spreading freely to another area. Preventive controls are important because stopping a problem early is usually less costly than cleaning it up later. Still, prevention is never guaranteed. A lock can be bypassed. A user can be tricked. A rule can be wrong. That is why preventive controls need support from other control types that detect, correct, guide, and recover.
Detective controls help you notice that something has happened or may be happening. They do not always stop the first action, but they help bring the problem into view. Logs are detective because they record activity that can be reviewed. Cameras are detective because they can show who entered an area. Intrusion detection can be detective because it looks for suspicious patterns. File integrity monitoring can be detective because it notices when important files change. Detective controls matter because you cannot respond well to what you never see. If an account signs in from an unusual location, a detective control may generate an alert. If someone changes a sensitive setting, a log may show when it happened. Detection gives you the evidence needed to investigate and make better decisions.
Corrective controls help fix or reduce the damage after something has gone wrong. A backup can be corrective because it helps restore data after deletion, corruption, or ransomware. A patch can be corrective when it fixes a known vulnerability. Reimaging a compromised computer can be corrective because it returns the device to a clean state. Disabling a compromised account is corrective because it stops further misuse after the problem is discovered. Corrective controls are a reminder that security is not only about blocking every possible incident. Things will break. People will make mistakes. Attackers will sometimes get through a layer. When that happens, the organization needs a way to recover, repair, and reduce further harm. A strong security program plans corrective controls before an emergency happens.
Deterrent controls are meant to discourage unwanted behavior. They may not physically stop someone, but they can make the action feel risky, difficult, or likely to be noticed. Warning signs, visible cameras, security guards, login banners, and announced monitoring can all act as deterrents. A person may decide not to enter a restricted area if cameras and signs make it clear that access is monitored. An employee may think twice before misusing a system if they know important actions are logged and reviewed. Directive controls are different because they tell people what they should or must do. Policies, procedures, standards, signs, and required training can be directive. A directive control gives instruction. A deterrent control discourages unwanted behavior. Both influence choices, but they do it in different ways.
Compensating controls are used when the preferred control cannot be used fully, or when another safeguard is needed to reduce risk in a different way. Imagine an older system that cannot support MFA because the application is outdated. The organization might use compensating controls such as stronger network restrictions, tighter monitoring, limited access, separate administrative approval, or a Virtual Private Network (VPN). VPN access may not be the same as modern MFA, but it can still reduce exposure when paired with other safeguards. Compensating controls are not excuses to ignore risk. They are alternative protections used when reality prevents the ideal solution. On the exam, watch for situations where the best control is not available. The question may be asking what can reduce the risk another way.
The conclusion is that control categories and control types give you two different ways to understand safeguards. Categories tell you what kind of control you are looking at: technical, managerial, operational, or physical. Types tell you what the control is trying to do: prevent, detect, correct, deter, compensate, or direct. A firewall may be technical and preventive. A camera may be physical and detective. A policy may be managerial and directive. A backup may be operational and corrective. When you see a scenario, do not just memorize the name of the control. Ask what form it takes and what job it performs. That simple habit will help you reason through exam questions more calmly. Security controls are not random terms. They are the practical ways organizations reduce risk, guide behavior, notice problems, and recover when things go wrong.