According to Ransbotham and Mitra (2009), the three types of information systems security controls differ
in their objectives. Configuration controls directly reduce the likelihood of an information security compromise
by blocking targeted reconnaissance efforts. Access controls also directly reduce the likelihood of compromise
by blocking unauthorized attempts to access the system. In contrast to the other two categories, monitoring
controls do not directly reduce the risk of an information security compromise. Instead, monitoring controls
indirectly reduce the risk of an incident by improving the effectiveness of the other two categories of controls.
For example, proper documentation reduces the risk of overlooking key systems when altering default
configurations, employing patches, deploying firewalls, and implementing other types of security controls.
Similarly, log analysis can help identify the causes of incidents; such knowledge can then be used to modify
existing controls to reduce the risk that a similar attack will succeed in the future.