Security Control Types Explained (Part 1) (Domain 1)
In this episode, we will begin exploring the different types of security controls. Security controls can be categorized not only by who manages them or where they are applied, but also by what they are designed to do. This is where control types come in. Each type of control serves a specific role in reducing risk and improving security. Today we will focus on two of the most proactive types: preventive controls and deterrent controls.
Let’s begin with preventive controls. As the name suggests, these controls are put in place to stop security incidents before they can happen. They are designed to close off opportunities for attackers, block unauthorized access, and keep vulnerabilities from being exploited in the first place. Preventive controls act like barriers—they exist to make sure a problem never starts.
Access control lists are a good example of a preventive control. These lists define exactly which users or systems can access specific resources. For instance, a network administrator might use an access control list to allow only the human resources department to access payroll files. Anyone else who tries to reach those files would be denied. The list is a clear rule, and it stops unauthorized access from happening at all.
Another preventive control is encryption. When data is encrypted, it is transformed into a coded format that only authorized users can decode. This makes it much harder for attackers to steal usable information. Even if someone manages to intercept the data, they cannot make sense of it without the correct decryption key. Encryption protects both stored data and data in transit, making it one of the most widely used preventive tools in cybersecurity.
Security awareness training is also considered a preventive control. While it may not involve technology, it prepares users to avoid risky behavior. For example, a well-trained employee is more likely to recognize a phishing email and delete it instead of clicking on a malicious link. By educating users about threats and safe practices, training reduces the chance that human error will lead to a security breach.
To evaluate how effective a preventive control is, organizations often run scenario-based tests. For instance, they might simulate a phishing attempt to see how many employees report it versus how many fall for it. They might also audit access control settings to confirm that no unauthorized accounts have privileges they should not have. These tests help confirm that the preventive controls are doing their job and identify any areas where improvement is needed.
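To make the access control list and its audit concrete, here is an added example that is not part of the original episode. It models the payroll scenario with a first-match, default-deny list, then checks who actually has access against who should. The user names, group names, and the first-match evaluation rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    principal: str   # a user name, or "group:<name>"
    action: str      # "allow" or "deny"
    permission: str  # e.g. "read"

# Constructed sample data: every name below is hypothetical.
GROUPS = {"hr": {"alice", "bob"}, "it": {"carol"}, "finance": {"dave"}}
PAYROLL_ACL = [
    AclEntry("group:hr", "allow", "read"),
    AclEntry("carol", "allow", "read"),       # stale direct grant
    AclEntry("group:finance", "deny", "read"),
]

def matches(principal, user, groups):
    """True if an ACL principal (user or group) covers this user."""
    if principal.startswith("group:"):
        return user in groups.get(principal[len("group:"):], set())
    return principal == user

def is_allowed(user, permission, acl, groups):
    """Preventive decision: first matching entry wins, default deny."""
    for entry in acl:
        if entry.permission == permission and matches(entry.principal, user, groups):
            return entry.action == "allow"
    return False  # no rule matched, so access is refused

def audit(acl, groups, authorized_group, permission):
    """Return users with effective access who are outside the authorized group."""
    known = set().union(*groups.values())
    known |= {e.principal for e in acl if not e.principal.startswith("group:")}
    authorized = groups.get(authorized_group, set())
    return sorted(u for u in known
                  if is_allowed(u, permission, acl, groups) and u not in authorized)

if __name__ == "__main__":
    for user in ("alice", "carol", "dave", "erin"):
        print(user, is_allowed(user, "read", PAYROLL_ACL, GROUPS))
    print("unauthorized:", audit(PAYROLL_ACL, GROUPS, "hr", "read"))
```

The audit flags the direct grant to a non-HR account, which is the kind of leftover privilege an access review is meant to catch.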
Now let’s turn to deterrent controls. These controls do not physically stop a threat, but they influence decisions by making the threat seem more difficult or risky to carry out. Deterrent controls work by changing the attacker’s perception. If an attacker thinks a target is too hard to reach or too likely to trigger a response, they may choose to walk away and find an easier victim.
One common deterrent is signage. Warning signs that say “area under surveillance” or “restricted access—authorized personnel only” are meant to create hesitation. Even if there is no visible security guard or alarm, the sign alone can be enough to cause an intruder to reconsider. Signs work by increasing the attacker’s awareness of potential consequences.
Lighting is another effective deterrent. Well-lit areas are harder to approach without being seen. For example, if the back entrance of a data center is brightly illuminated at all hours, it is less likely that someone will attempt to sneak in. Darkness offers cover, but lighting removes that advantage. Good lighting reduces hiding spots and increases the likelihood that unusual behavior will be noticed by security staff or surveillance systems.
Speaking of surveillance, the visibility of cameras can also be a deterrent. A camera that is easy to spot signals that the area is being monitored. Whether or not someone is watching live, just the presence of the camera can make a person think twice. This is different from hidden cameras, which are used for evidence gathering. Visible cameras are about changing behavior before something happens.
There are real-world examples of deterrent controls making a measurable difference. In one case study, a retail company was experiencing frequent break-ins through the rear doors of its stores. After installing visible cameras and warning signs near those entrances, the incidents dropped significantly. The company did not change the locks or hire more guards—they simply made it clear that surveillance was in place and the area was being monitored. The presence of deterrent controls helped reduce criminal activity by shifting the risk calculation for potential intruders.
In another example, a university campus was dealing with laptop thefts in a quiet study area. Administrators installed motion-activated lighting and signs that reminded students to secure their belongings. While the lighting did not physically stop anyone from taking a laptop, the combination of increased visibility and reminders was enough to discourage the behavior. Theft incidents declined, showing how deterrent controls can improve security outcomes by influencing choices.
As you get ready for the Security Plus exam, make sure you understand what makes preventive and deterrent controls different. Preventive controls actively block or stop something from happening. Deterrent controls do not stop events directly—they work by discouraging them. You may be asked to match controls to their type or select the best control for a particular scenario. Pay attention to context clues in the questions. If the goal is to prevent a user from accessing a file, look for controls like encryption or access control lists. If the goal is to make someone think twice before attempting something, consider lighting, signage, or visible surveillance.
