Certified in Risk and Information Systems Control (CRISC) — Question 1211

An organization has sustained significant losses from a series of cyber events. Which of the following control types would MOST likely help reduce further losses?

Answer options

• A. Preventive controls
• B. Recovery controls
• C. Detective controls
• D. Directive controls

Correct answer: A

Explanation

Preventive controls are designed to stop security incidents before they occur, making them the most effective choice for reducing further losses. Recovery controls focus on restoring operations after an incident, while detective controls are meant to identify incidents after they have happened, and directive controls provide guidance rather than direct protection.