What type of controls is intended to prevent unwanted threats?

Preventive controls are designed specifically to avert potential threats and mitigate risks before they can inflict harm on an organization. These controls act as barriers or safeguards that deter unauthorized access or unwanted malicious activity, effectively reducing the likelihood of incidents occurring. For instance, implementing access controls, encryption, and security policies are all preventive measures aimed at stopping threats before they can affect the system or data.

In contrast, detective controls are focused on identifying and monitoring security breaches or incidents after they have occurred. Their purpose is to recognize when something has gone wrong rather than stopping it from happening in the first place. Corrective controls follow incidents and aim to restore systems and processes to normal operations, often dealing with the aftermath rather than prevention. Compensatory controls are alternative measures that are implemented when the primary controls cannot be employed, providing a temporary workaround. While all these control types play vital roles in a comprehensive risk management program, only preventive controls are directly aimed at stopping threats proactively.