In AP Cybersecurity, a preventative control is a security measure designed to stop an attack before it happens, such as locks, fences, gates, or bollards that block an adversary from accessing systems or physical spaces.
A preventative control is any security measure that blocks an attack before it can start. The whole point is to keep the bad thing from happening in the first place, not to catch it after the fact.
In Unit 2, this shows up most clearly in physical security. When a cyber defender looks at a vulnerability, they ask three questions: how do I prevent, detect, or correct an attack (EK 2.3.B.1)? Preventative controls answer the first one. Think fencing, gates, and bollards that deter someone from getting near a building (EK 2.3.B.2), or locks on doors, server cabinets, and computers that stop devices from being accessed or stolen (EK 2.3.B.3). Each of these works ahead of time to shut the door, sometimes literally, before an adversary gets in.
This term lives in Unit 2: Securing Spaces, specifically topic 2.3 Protecting Physical Spaces. It directly supports learning objective AP Cybersecurity 2.3.B, which asks you to determine mitigation strategies for risks from physical vulnerabilities. The big idea baked into EK 2.3.B.1 is the prevent-detect-correct framework, and preventative controls are the "prevent" leg of that triad. If you can match a vulnerability to a control that stops the attack early, you're doing exactly what this objective wants.
Keep studying AP Cybersecurity Unit 2
Visual cheatsheet
view galleryDetective Control (Unit 2)
If a preventative control is the locked door, a detective control is the camera that records who tried to open it. Card readers that log which employee badges access an entry (EK 2.3.B.4) detect activity rather than block it. Same threat, different job in the timeline.
Corrective Control (Unit 2)
Corrective controls clean up after an attack already landed. Preventative, detective, and corrective controls are the full prevent-detect-correct set from EK 2.3.B.1, so knowing one means knowing where the other two fit on the before-during-after line.
Physical Control (Unit 2)
Most of the preventative controls in topic 2.3 are physical controls: fences, gates, bollards, and locks. "Physical" describes what the control is made of; "preventative" describes what it does. A single fence can be both.
Managerial Control (Unit 2)
Managerial controls like a workstation security policy or employee awareness training (EK 2.3.A.1, EK 2.3.A.2) are often preventative too. Teaching staff not to badge strangers into restricted areas prevents an attack the same way a lock does, just through people instead of hardware.
Expect to apply this idea rather than just define it. A multiple-choice stem might describe a physical vulnerability and ask which control best addresses it, where you pick the option that stops the attack before it starts. On free-response items tied to AP Cybersecurity 2.3.B, you may be asked to recommend a mitigation strategy and justify it, so be ready to explain why a lock or a fence is preventative rather than detective. The move you're being tested on is matching a control to a vulnerability and correctly classifying it as prevent, detect, or correct.
A preventative control stops an attack from happening; a detective control notices it happening or after it happened. A lock on a server cabinet is preventative because it blocks access. A card reader that logs badge use is detective because it records the activity instead of stopping it (EK 2.3.B.4). Ask yourself: does this control block the attack, or just reveal it?
A preventative control stops an attack before it can start, which is the "prevent" leg of the prevent-detect-correct framework in EK 2.3.B.1.
Classic physical examples are fencing, gates, and bollards (EK 2.3.B.2) plus locks on doors, server cabinets, and computers (EK 2.3.B.3).
Preventative is about timing and purpose; physical, managerial, and technical describe what kind of control it is, so a control can be both at once.
Card readers that log badge access are detective, not preventative, because they record activity instead of blocking it.
On AP Cybersecurity 2.3.B questions, your job is to match a vulnerability to the right control and correctly label it prevent, detect, or correct.
It's a security measure that blocks an attack before it happens, like locks, fences, gates, or bollards. It maps to learning objective AP Cybersecurity 2.3.B and the prevent-detect-correct framework in EK 2.3.B.1.
A lock is preventative. Locks on doors, server cabinets, and computers prevent devices from being accessed or stolen (EK 2.3.B.3), which means they stop the attack rather than just record it.
A preventative control blocks an attack from happening, while a detective control notices or records it. A locked cabinet prevents theft; a card reader logging badge use (EK 2.3.B.4) detects who came through the door.
No. Many physical controls like fences and locks are preventative, but managerial controls can be too. Employee awareness training that teaches staff not to badge strangers into restricted areas (EK 2.3.A.1) prevents attacks through people, not hardware.
Read the vulnerability, then ask whether the control stops, catches, or fixes the attack. If it shuts the door before the adversary acts, it's preventative, which is exactly what AP Cybersecurity 2.3.B wants you to identify.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.