What would NOT typically be considered a type of security control?

In the context of security controls, informal communication about security practices does not constitute a formal security control. Security controls are typically categorized into three categories: physical, technical, and administrative.

Physical barriers, such as locks and access controls, directly prevent unauthorized access to facilities or equipment, thus forming a critical layer of security. Technical measures, including firewalls and encryption, protect data integrity and confidentiality using technology, which is a fundamental aspect of cybersecurity. Administrative policies and procedures establish guidelines and protocols that govern the security posture of an organization, helping to define roles, responsibilities, and responses to security incidents.

While informal communication might aid in enhancing awareness and promoting security practices among employees, it lacks the formalization and structure necessary to be recognized as a security control. Effective security relies on well-defined, established controls that are systematically implemented, measured, and monitored for effectiveness.