Cybersecurity Controls Explained: The 6 Types You Need to Know

Building a layered defense beyond the CIA Triad.

In the world of information security, the CIA Triad (Confidentiality, Integrity, and Availability) serves as our goal, but Security Controls are the tools we use to reach it. Understanding how to categorize and implement these controls is critical for maintaining a strong security posture.

The Six Functional Control Types

Security controls are classified based on when they act and what they aim to achieve.

1. Preventative

Acts as the first line of defense to stop an incident (e.g., Firewalls, Encryption).

2. Detective

Identifies and alerts you to an incident in progress (e.g., IDS, Security Audits).

3. Corrective

Reduces impact and restores systems after an attack (e.g., Antivirus, Patching).

4. Deterrent

Psychologically discourages attackers (e.g., Warning banners, Security guards).

5. Recovery

Restores complex services to a safe state (e.g., Backups, DR sites).

6. Compensating

Alternative "Plan B" measures for legacy or limited systems (e.g., Isolated VLANs).

Implementation Categories

Controls are also grouped by how they are implemented within an organization:

Administrative (Managerial): Focused on people and procedures (e.g., Policies, Security Training).
Technical (Logical): Software and hardware measures (e.g., Access Controls, Firewalls).
Physical: Tangible protections for assets (e.g., Locks, Cameras, Fencing).

The Security Control Matrix

By combining types and categories, we create a "Defense in Depth" strategy.

Category	Preventative Example	Detective Example
Administrative	Security Policy	Compliance Audit
Technical	Firewall Rules	Intrusion Detection (IDS)
Physical	Door Locks	CCTV Cameras

Implementing a full breadth of coverage across these categories ensures that if one control fails, others are in place to protect the integrity of your data.