Certified in Risk and Information Systems Control (CRISC) — Question 868
An organization recently implemented a cybersecurity awareness program that includes anti-phishing exercises for all employees. What type of control is being utilized?
Answer options
- A. Detective
- B. Preventive
- C. Compensating
- D. Deterrent
Correct answer: B
Explanation
The correct answer is B: an awareness program with anti-phishing exercises is a preventive control, because it reduces the likelihood of security incidents by educating employees about threats like phishing. Options A and D are incorrect because they relate to detection and discouragement, respectively, rather than prevention, while option C refers to compensating controls, which serve as alternatives when primary controls are not feasible.