Types of Security Controls
Not sure you’re ready?
Take the ~3-minute readiness diagnostic and see where you stand.
When securing an enterprise environment, a single point of failure is an invitation to disaster. An engineer might configure the most mathematically sound encryption protocol on the network, yet if an employee willingly holds the server room door open for a stranger carrying a clipboard, the entire system is compromised. Security is not a product you install; it is a complex, overlapping fabric of measures designed to anticipate, withstand, and recover from hostility.

To build this fabric systematically, we must classify our defenses along two distinct axes: how the control is implemented, and what specific action it is intended to perform. If you only focus on firewalls and software patches, you are ignoring the human and physical elements of your network. If you only focus on locking doors, you leave your digital borders wide open. Understanding the taxonomy of security controls allows an IT administrator to identify blind spots and design a resilient, defense-in-depth architecture.

Security controls are divided into categories based on how the controls are implemented within an organization.
When we talk about categories, we are asking a simple question: What is the mechanism doing the work? Is it a piece of software? Is it a human being? Is it a piece of paper? Is it a block of concrete?
Technical Controls (Logical Controls)
Technical controls use technology and automated processes to reduce vulnerabilities and protect digital assets. In the daily life of a systems administrator, these are the tools you spend the most time configuring and monitoring. Because they exist in the digital realm, technical controls are frequently referred to as logical controls.
These mechanisms do not rely on human memory or goodwill; they are enforced by code and silicon. Examples of technical controls include network firewalls, data encryption algorithms, and antivirus software. If a user tries to access a restricted database, the technical control evaluates their credentials and either grants or denies access mathematically.

Managerial Controls (Administrative Controls)
Before a firewall can be configured, someone must decide what traffic is allowed. Managerial controls focus on the management of risk and the development of overarching organizational security policies. Because they are rooted in governance and organizational leadership, managerial controls are frequently referred to as administrative controls.
You can think of these as the "blueprint" of your security posture. They do not directly stop a hacker, but they define how the organization prepares for and responds to risk. Examples of managerial controls include acceptable use policies, risk assessments, and vulnerability management plans.
Operational Controls
If managerial controls are the policies written on paper, operational controls are the human actions that bring those policies to life. Operational controls are security measures executed by people on a day-to-day basis to support organizational security.
Technology alone cannot secure a network; humans must operate it correctly. Examples of operational controls include security awareness training, incident response procedures, and change management processes. When you sit down to review a server configuration before pushing it to production, or when an employee reports a phishing email to the helpdesk, you are actively participating in an operational control.

Physical Controls
Cyber attacks frequently begin in the physical world. Physical controls restrict physical access to physical facilities, computing hardware, and networking equipment. There is a famous axiom in cybersecurity: If an attacker has unrestricted physical access to your computer, it is no longer your computer.
If a bad actor can walk into your wiring closet and plug a laptop directly into your core switch, your logical perimeter defenses are entirely bypassed. Examples of physical controls include door locks, perimeter fences, and anti-ram bollards.

While categories describe how a control is implemented, security control types describe the functional intent or specific action of a given security control. We are now asking: When in the timeline of an attack does this control operate, and what is its goal?
Directive Controls
Directive controls are designed to mandate specific behaviors to ensure personnel compliance with security policies. They dictate the strict rules that employees and systems must follow within an organization.
If you want to ensure a baseline of behavior, you must issue a directive. Examples of directive controls include government compliance regulations, posted safety procedures, and signed acceptable use agreements. When an employee signs a document stating they will not plug personal USB drives into company computers, a directive control has been established.
Deterrent Controls
Deterrent controls are designed to discourage attackers from attempting to compromise a system. Crucially, a deterrent control relies on the psychological effect of potential consequences to prevent a malicious action.
A deterrent does not physically or technically stop an attack; it convinces the attacker that the effort is not worth the risk. Examples of deterrent controls include warning signs, highly visible security cameras, and bright exterior lighting. If a trespasser sees a sign that reads "Armed Guards on Duty," they may choose to target an easier facility.

Preventive Controls
When deterrence fails, prevention takes over. Preventive controls are designed to stop a security incident from occurring in the first place. Unlike deterrents, preventive controls do not rely on psychology; they enforce a hard barrier.
Examples of preventive controls include locked server room doors, biometric authentication systems, and firewall rules. If a firewall rule is set to drop all incoming Telnet traffic, it will silently and efficiently prevent that traffic from entering the network, regardless of the attacker's intentions.
Detective Controls
No preventive measure is flawless. When an attacker slips past your perimeter, you need to know about it. Detective controls are designed to identify and record security incidents after the incidents have occurred.
It is vital to understand that detective controls do not actively stop an ongoing cyber attack. They are the alarm bells. Examples of detective controls include security event logs, intrusion detection systems (IDS), and motion sensors. If an unauthorized user accesses a file server at 3:00 AM, the event log records the action so the security team can investigate.

Corrective Controls
Once an incident has been detected and the immediate threat neutralized, the organization must clean up the mess. Corrective controls are designed to fix or mitigate the damage caused by a successful security incident.
A corrective control aims to restore a compromised system back to a normal state of operation. If a ransomware attack encrypts a file share, examples of corrective controls include data backups, operating system patching, and fire suppression systems. You patch the vulnerability so it cannot be exploited again, and you restore the data from a backup to resume business operations.
Compensating Controls
In the real world of enterprise IT, best practices occasionally collide with unyielding business realities. Compensating controls are alternative security measures implemented when a primary security control is financially or technically unfeasible.
Suppose a hospital relies on a $2 million MRI machine that only interfaces with a computer running an obsolete, unsupported operating system like Windows 7. The primary control—an operating system patch—is technically unfeasible because it would break the proprietary medical software.
You cannot fix the vulnerability, but you cannot shut down the hospital's imaging department either. Compensating controls do not completely eliminate an underlying vulnerability, but they reduce the risk associated with a known vulnerability to a level deemed acceptable by management.
An example of a compensating control is network segmentation used to isolate an unsupported legacy operating system from the internet. By placing the vulnerable MRI computer on an isolated VLAN with no internet routing, you compensate for the missing patches.

To truly master this concept for the CompTIA Security+ (SY0-701) exam, you must realize that these two axes overlap. A single security measure can belong to multiple control categories and control types simultaneously.
Let's look at three real-world examples to see how the "How" and the "What" combine:
-
The Human Security Guard
- Category: Operational (It relies on human beings executing day-to-day security tasks).
- Type: Preventive (The guard will physically stop an unauthorized person from entering the building).
- Result: A human security guard is classified as both an operational control and a preventive control.
-
The Obvious Camera
- Category: Physical (It is a tangible piece of hardware mounted to a facility wall).
- Type: Deterrent (Its primary intent, when placed highly visibly, is to psychologically convince an attacker to walk away).
- Result: A highly visible security camera functions as both a physical control and a deterrent control. (Note: A hidden camera would be a Physical Detective control!)
-
The Automated Defender
- Category: Technical (It uses software, automation, and silicon to protect digital assets).
- Type: Preventive (Unlike an IDS which only detects, an Intrusion Prevention System actively drops malicious packets, stopping the attack).
- Result: An intrusion prevention system functions as both a technical control and a preventive control.
Summary Matrix
| Security Control | Category (The "How") | Type (The "What") |
|---|---|---|
| Acceptable Use Policy | Managerial | Directive |
| Firewall Rule | Technical | Preventive |
| Security Guard | Operational | Preventive |
| CCTV Camera (Visible) | Physical | Deterrent |
| Data Backup | Technical / Operational | Corrective |
| Network Segmentation (for Legacy OS) | Technical | Compensating |
By mastering the intersections of these categories and types, you move beyond merely memorizing vocabulary. You develop an architectural mindset, capable of looking at an enterprise environment, identifying the exact gaps in its physical, logical, or human armor, and selecting the precise functional tool required to defend it.