Page 70 - CISSO_Prep_ Guide
to demonstrate that the protection mechanism is appropriate for
the risk that the protection mechanism was designed to mitigate.
A control that cannot be traced back to a defined risk is
unnecessary, and a risk that is not adequately addressed
through a control is a potential liability.
Types of Controls
Controls are usually either preventive or reactive. A preventive
control is one that attempts to stop an adverse event from
occurring, while a reactive control is one that responds to an event.
Preventive Controls
There are several types of preventive controls - directive,
deterrent, and preventive.
Directive Controls
A directive control is a control that mandates the behavior of
personnel. A policy that tells users what they can or cannot do
is a type of directive control. An example of this would be an
acceptable use policy. Other directive controls would be a sign
that warns of "No Trespassing" or a warning banner shown to
the user when accessing a computer system.
Deterrent Controls
A deterrent is a control that attempts to discourage a user from
doing something wrong. An example of a deterrent would be a
warning sign stating, "Shoplifters will be prosecuted," a clearly