Security Controls Study Notes (Cyvitrix)
Introduction to Security Controls


• Definition and Purpose: Security controls are measures designed to
minimize security risks to organizational assets. They can be both
technical (e.g., firewalls) and non-technical (e.g., policies).
• Cost Consideration: It's crucial to ensure that the cost of implementing
a security control is proportional to the value of the asset being
protected. Overinvesting in low-value assets is not cost-effective.

Return on Security Investment (ROSI)


• Indirect Benefits: Unlike IT investments aimed at enhancing
productivity, cybersecurity investments often do not yield direct
revenue. Instead, benefits are seen in customer retention, system
stability, and compliance.
• Value Demonstration: Security managers must communicate the
indirect benefits of security investments to senior management,
showcasing how these investments prevent negative outcomes like
data breaches and compliance penalties.

Categorization of Security Controls


• By Function:
  • Preventive Controls: Aim to prevent security incidents from occurring.
  Examples include security guards and firewalls.
  • Detective Controls: Focus on detecting security incidents as they
  happen. Examples include security cameras and intrusion detection
  systems.
  • Corrective Controls: Implemented after an incident to minimize
  damage and restore systems. Examples include backup and restore
  systems.

Page 1 of 3
www.cyvitrix.com [email protected]

  • Deterrent Controls: Reduce the likelihood of an attack by discouraging
  potential attackers. Examples include warning banners and visible
  security measures.
• By Timing:
  • Before the Incident: Deterrent and preventive controls.
  • During the Incident: Detective controls.
  • After the Incident: Corrective controls.
• By Nature:
  • Physical Controls: Security guards, gates, and fire suppression
  systems.
  • Logical/Technical Controls: Firewalls, antivirus software, and intrusion
  detection systems.
  • Administrative Controls: Policies, procedures, and agreements like
  non-compete clauses.

Specific Examples and Case Studies


• Fire Suppression Systems: Combine both detective and corrective
functions. Sensors detect smoke or heat (detective), triggering water or
gas suppression systems (corrective).
• Antivirus Software: Functions as both a preventive and detective control
by detecting and preventing malware.
• Incident Response: Combines preventive and corrective elements by
detecting anomalies early and neutralizing threats to minimize impact.

Practical Implications and Strategic Importance


• Cost-Benefit Analysis: Essential to evaluate the cost-effectiveness of
security controls relative to the assets they protect.
• Comprehensive Approach: An effective security strategy involves a mix of
preventive, detective, deterrent, and corrective controls, tailored to
specific organizational needs and potential threats.


• Communication with Management: Security managers should
effectively communicate the value of security investments,
emphasizing the importance of indirect benefits like system resilience
and customer trust.

Conclusion

• Summary: Security controls are essential safeguards for protecting
organizational assets and minimizing security risks. They must be
strategically implemented, considering their cost, timing, nature, and
function.
• Future Learning: Further lectures will delve deeper into specific types of
security controls and their applications in various organizational
contexts.

Thank you for attending this lecture. We look forward to seeing you in the next
session.
