June 13, 2019

What Are Security Controls?

An overview of the types of countermeasures security practitioners use to reduce risk.
By Debbie Walkowski

F5 Labs Level 101 articles help you understand basic threat-related security topics. 

At the most fundamental level, IT security is about protecting things that are of value to an organization. That generally includes people, property, and data—in other words, the organization’s assets.

Security controls exist to reduce or mitigate the risk to those assets. They include any type of policy, procedure, technique, method, solution, plan, action, or device designed to help accomplish that goal. Organizations typically assess security controls as part of their Risk Management process, a primary objective being to determine the most beneficial and cost-effective ways to lower risk to an acceptable level.

Security controls are generally defined and enumerated based on industry and regulatory requirements—there isn’t one model that spans all industries. However, one of the most fundamental models describes security controls from two different perspectives. The first looks at controls by type—physical, technical, and administrative. The second looks at controls in terms of function or objective. These include preventative, detective, and corrective.

Ultimately, security practitioners implement a combination of security controls—tailored to their organization’s needs and regulatory requirements—in an effort to uphold the three foundational principles of security: confidentiality, integrity, and availability.

Control Types

  • Physical controls describe anything tangible that’s used to prevent or detect unauthorized access to physical areas, systems, or assets. This includes things like fences, gates, guards, security badges and access cards, biometric access controls, security lighting, CCTVs, surveillance cameras, motion sensors, fire suppression, as well as environmental controls like HVAC and humidity controls.

  • Technical controls (also known as logical controls) include hardware or software mechanisms used to protect assets. Some common examples are authentication solutions, firewalls, antivirus software, intrusion detection systems (IDSs), intrusion protection systems (IPSs), constrained interfaces, as well as access control lists (ACLs) and encryption measures.

  • Administrative controls refer to policies, procedures, or guidelines that define personnel or business practices in accordance with the organization's security goals. These can apply to employee hiring and termination, equipment and Internet usage, physical access to facilities, separation of duties, data classification, and auditing. Security awareness training for employees also falls under the umbrella of administrative controls.

Control Objectives

  • Preventative controls describe any security measure that’s designed to stop unwanted or unauthorized activity from occurring. Examples include physical controls such as fences, locks, and alarm systems; technical controls such as antivirus software, firewalls, and IPSs; and administrative controls like separation of duties, data classification, and auditing.

  • Detective controls describe any security measure taken or solution that’s implemented to detect unwanted or unauthorized activity in progress or after it has occurred. Physical examples include alarms or notifications from physical sensors (door alarms, fire alarms) that alert guards, police, or system administrators. Honeypots and IDSs are examples of technical detective controls.

  • Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity. Examples of technical corrective controls include patching a system, quarantining a virus, terminating a process, or rebooting a system. Putting an incident response plan into action is an example of an administrative corrective control.

The table below shows how just a few of the examples mentioned above would be classified by control type and control objective.

| Control Types | Preventative | Detective | Corrective |
|---|---|---|---|
| Physical | Fences, gates, locks | CCTV and surveillance camera logs | Repair physical damage, re-issue access cards |
| Technical | Firewall, IPS, MFA solution, antivirus software | IDSs, honeypots | Terminate a process, reboot a system, quarantine a virus |
| Administrative | Hiring and termination policies, separation of duties, data classification | Review access rights, audit logs, and unauthorized changes | Implement a business continuity plan or incident response plan |


F5 Labs Security Controls Guidance

To provide threat intelligence that’s actionable, F5 Labs content, where applicable, concludes with recommended security controls as shown in the following example.

These are written in the form of action statements and are labeled with control type and control objective icons. They’re meant to be a quick, at-a-glance reference for mitigation strategies discussed in more detail in each article.
