Deterrent Control

From The Secure Arc Wiki


Deterrent Controls are difficult to quantify. The goal of a Deterrent Control is to reduce the likelihood of a Vulnerability being exploited without actually reducing the exposure.

While this doesn't sound like an effective approach straight off the bat, it is important when combined with other types of Security Controls.

Large financial organizations typically reinforce what users should expect from them in every outbound communication. Statements like "We will never ask you for your password" and "We will never include a hyperlink in an email" will be plastered over every email, letter and message box they can put in front of their customers. The goal is to govern their customers' expectations of what they should and should not receive from the organization, and therefore to help customers identify phishing emails and other scams.

Ultimately, the goal is to reduce the likelihood that a phishing attack, which is completely outside the control of the target company, is successful by increasing the awareness of its customers.

Quantifying the likelihood of something like this working is extremely difficult, particularly when the customer base is large. When the target users are actually staff, various policies and procedures can be put in place to help quantify these things and assess how successful these Deterrent Security Controls have been.

The US Department of Justice regularly sends out elaborate phishing emails to their staff, both to determine the success of their internal security awareness programs and as a means to educate their staff.
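One way to put numbers on a staff phishing exercise of the kind described above, as an added example that is not part of the wiki: compare click rates from two simulated campaigns using a Wilson interval and a two-proportion z-test. The campaign figures are constructed, and the choice of statistical test and the function names are assumptions of this example.

```python
import math

# Constructed sample results: (staff targeted, staff who clicked the lure)
BEFORE = (400, 72)   # simulated campaign before the awareness programme
AFTER = (400, 44)    # simulated campaign after it

def wilson_interval(clicks, sent, z=1.96):
    """95% Wilson score interval for the underlying click rate."""
    p = clicks / sent
    denom = 1 + z * z / sent
    centre = (p + z * z / (2 * sent)) / denom
    half = z * math.sqrt(p * (1 - p) / sent + z * z / (4 * sent * sent)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

def two_proportion_p_value(c1, n1, c2, n2):
    """Two-sided p-value for 'both campaigns share one click rate'."""
    pooled = (c1 + c2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:            # nobody clicked, or everybody did: no evidence either way
        return 1.0
    z = (c1 / n1 - c2 / n2) / se
    return math.erfc(abs(z) / math.sqrt(2))

def assess(before, after, alpha=0.05):
    """Summarise whether the drop in click rate is distinguishable from noise."""
    (n1, c1), (n2, c2) = before, after
    p = two_proportion_p_value(c1, n1, c2, n2)
    return {
        "before_rate": c1 / n1, "before_ci": wilson_interval(c1, n1),
        "after_rate": c2 / n2, "after_ci": wilson_interval(c2, n2),
        "reduction": c1 / n1 - c2 / n2,
        "p_value": p,
        "significant": p < alpha and c2 / n2 < c1 / n1,
    }

if __name__ == "__main__":
    for key, value in assess(BEFORE, AFTER).items():
        print(f"{key}: {value}")
    # A similar drop measured on only 20 staff per campaign cannot be told apart from noise.
    print("small sample significant:", assess((20, 5), (20, 3))["significant"])
```

With small groups the interval around each click rate is wide, which is the quantification problem in miniature: the measured rate can fall without that being evidence the control worked.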

Similarly, for internal-facing threats, deploying blacklists of known malware sites and so forth can reduce the likelihood of staff being exposed to these kinds of threats.

There are many tips on the OWASP phishing page on how to address phishing-type threats, where your only options are deterrent controls.

The short summary of Deterrent Controls is that they do not attempt to fix the associated Vulnerability; they just attempt to make its exploitation occur less frequently.

Up Next

As with all Countermeasures, the hard part is assessing the costs.
