UnixTime

Research Note

Control Attributes and Risk Treatment Effects

Control attributes are useful only if they help link a control to the risk treatment outcome you need.

On this page

Why this note exists

Control attributes are useful only if they help link a control to the risk treatment outcome you need.

A control should not be selected because it is popular, cheap, or easy. It should be selected because its effect on risk matches the desired outcome.

Basic mapping

Desired risk effect Better control type
Reduce likelihood Preventive control
Improve detection Detective control
Reduce impact Corrective, recovery, containment, or resilience control
Improve accountability Governance, approval, logging, segregation, review
Improve compliance Policy, procedure, evidence, monitoring, legal/contractual controls

Ransomware example

Control Type Effect
Security awareness Preventive Reduces likelihood of user-triggered compromise
Email filtering Preventive/detective Blocks or flags malicious messages
Patch management Preventive Reduces exploitability
EDR Detective/respond Detects suspicious activity and supports containment
Network segmentation Preventive/limiting Reduces spread
Immutable backups Recovery Reduces impact and supports restoration
Incident response playbook Corrective/respond Reduces confusion and response time
Disaster recovery testing Recovery/resilience Confirms ability to restore operations

Common mismatch examples

Claimed risk treatment Selected control Problem
Prevent unauthorized access Logging only Logging detects; it does not prevent access
Prevent ransomware Backup only Backup recovers; it does not prevent infection
Ensure secure development Policy only Policy needs standards, review, testing, and enforcement
Reduce supplier breach risk NDA only NDA does not prove supplier security capability
Prevent insider misuse Annual training only Need access control, monitoring, segregation, and reviews

Practical mentor takeaway

For every control, ask:

  1. What risk does this control treat?
  2. Does it reduce likelihood, detect occurrence, reduce impact, or support recovery?
  3. Is that the outcome we actually need?
  4. What evidence proves it operates?
  5. Is another control needed to cover another part of the risk?