As pointed out earlier, controls interact with threats in different ways and the ways in which they interact help determine a control’s function. The most basic categorization of control functions consists of preventive, detective, and corrective controls,109 where:

  • Preventive controls act to stop a threat event from occurring,
  • Detective controls act to identify when a threat event occurs, and
  • Corrective controls act to limit the potential impact of a threat event once it has occurred.

Other approaches to categorizing control functions generally expand on these three.

For example, one approach splits corrective controls into two separate components:110

  • Response Controls – Address errors or irregularities due to the detected threat event
  • Recovery Controls – Restore systems to pre-threat-event conditions

Another approach adds the concept of addressing a threat by affecting the threat actor:111

  • Deterrent Controls – Discourage a threat actor from initiating a threat event

The concept of deterrent controls is somewhat similar to another approach that focuses on an organization’s workforce, whether as a positive force to enhance security or as a potential threat actor:112

  • Directive Controls – Establish desired requirements or guidelines intended to produce specific outcomes based on policies and procedures.

Preventive controls are split into three separate components in yet another approach and, in addition to deterrent controls, include:113

  • Avoidance Controls – Reduce the frequency with which a threat actor comes into contact with an asset
  • Resistive Controls – Make a threat agent’s job more difficult (in a malicious or act-of-nature scenario) or easier (in a human error scenario)

The same approach also defines two additional ‘quality performance’ oriented control functions:

  • Decision-making Controls – Improve the quality of risk-related decision-making
  • Variance Controls – Reduce variability in the performance (effectiveness) of other controls

As the NIST Cybersecurity Framework Core Functions have a prima facie similarity with many of these control functions, select functions can be mapped as shown in the following figure.

Figure 18. Relationship Between the NIST Core Functions and Control Functions

Although the relationship of the NIST Cybersecurity Core Function, Identify, to control functions is not as clear as the other Functions, it is possible to ascertain their relationships based on the Core Categories that support the Core Functions.114

Figure 19. Relationship of the NIST Core Identify Function with Other NIST Core Functions115

Since “the activities in the Identify Function are foundational [emphasis added] for effective use of the Framework,”116 we can assert that controls in the Identify Function generally support controls in the other Core Functions. For example:

  1. Asset management ensures the organization knows what assets to protect, monitor, and subsequently reconstitute when a threat event is detected
  2. An understanding of the business environment is needed to provide a meaningful context for organizational governance and management of all controls regardless of function
  3. Governance helps ensure operational decisions regarding the management of controls, regardless of function, are made in alignment with the organization’s mission and goals
  4. Risk assessment is required to understand the risks that must be controlled to achieve business objectives and how to control them (vis-à-vis the specification of all necessary controls, regardless of function)
  5. Risk management (strategy) is needed to actively control risk within the organization’s general appetite and specific (quantifiable) tolerances for risk (using all specified controls, regardless of function)
  6. Supply chain risk management (SCRM)117 is needed to understand the risks posed by third parties and help ensure those risks are adequately controlled (using all relevant controls, regardless of function)

However, the question remains as to how these foundational activities interact with threats, i.e., what control functions do we assign them? Based on the managerial nature of most of the NIST Core Categories enumerated above, one might want to assign the directive control function presented earlier. However, there is more to these ‘management type’ controls than simply policy and procedure, the effect of which is generally limited to the organization’s workforce (with limited exception, such as customers, business partners, and vendors based on a legal contract or other agreement). To see why, we can look to a few relevant definitions of management.

Management may be defined as “a set of activities directed at the efficient and effective utilization of resources in the pursuit of one or more goals”118 or as “a problem-solving process of effectively achieving organizational objectives through the efficient use of scarce resources in a changing environment.”119 Inspection of these definitions indicates there are two specific aspects of management that help an organization achieve its goals and objectives: the problem-solving activities that make up related business processes and the business processes themselves.

Problem-solving is essentially a decision-making process, the desired outcome of which is a good decision. Subsequently, any control in the Identify Function Categories that supports decision-making would help ensure decision-makers make good decisions about information risk.

A business process is “a collection of activities with the purpose of taking one or more business inputs and creating a specific business output.”120 Further, a ‘good’ business process (any process actually) is one that is well-controlled—i.e., measured, managed, and continuously improved—to reduce variation in the process output.121

We subsequently use ‘decision support’ and ‘variance reduction’ as the final two control functions in our model and assign NIST Cybersecurity Framework Core Identify Categories as follows:

  • Decision Support Controls: asset management, risk management, and SCRM
  • Variance Reduction Controls: risk assessment, business environment, and governance

We may now update the last figure as shown below.122

Figure 20. Control Function Decomposition Model

109 Richards, D., Oliphant, A., and Le Grand, C. (2005, Mar), p. 3-4.

110 Williams, C., Donaldson, S., and Siegel, S. (2020). Building an Effective Security Program. Boston: De Gruyter.

111 Miller, L. and Gregory, P. (2012). CISSP for Dummies (4th ed.). New York: Wiley.

112 Lartey, P., Kong, Y., Bah, F., Santosh, R., and Gumah, I. (2019, Aug). Determinants of Internal Control Compliance in Public Organizations; Using Preventive, Detective, Corrective and Directive Controls. In International Journal of Public Administration, p. 4.

113 Freund, J. and Jones, J. (2015).

114 For example, see Blum, D. (2020). Rational Cybersecurity for Business: The Security Leader’s Guide to Business Alignment. Apress: Silver Springs, MD., Figure 1.

115 Based on concepts provided by Blum, D. (2020), Ch. 9, as depicted in Figure 9-1.

116 NIST (2018, 16 Apr), p. 8.

117 More generally, third party risk management (TPRM).

118 Van Fleet, D. and Seperich, G. (2013). Agribusiness: Principles of Management (International ed.) New York: CENGAGE, p. 24.

119 Kreitner, R. (1995). Management (6th ed.). New York: Houghton Mifflin College Division, p. 4.

120 Law Insider (2022). Dictionary: Business Process.

121 ASQ (2022a). Quality Resources: Six Sigma.

122 For more information on the QQRRA model and computational approach, refer to Cline, B. (2022).