1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations. NIST Special Publication (SP) 800-53, Revision 5.
Reference: Appendix A, Glossary.
Quote: "Compensating Control: A control that is employed by an organization in lieu of a recommended control in circumstances where the recommended control cannot be employed due to a legitimate technical or business constraint and is intended to provide a comparable level of protection for an information system."
DOI: https://doi.org/10.6028/NIST.SP.800-53r5
2. PCI Security Standards Council. (2022). Payment Card Industry Data Security Standard (PCI DSS) v4.0.
Reference: Appendix B: Compensating Controls.
Quote: "Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls."
3. University of California, Berkeley. Information Security Office Glossary.
Reference: Glossary entry for "Compensating Control"; the definition is consistent with those used in NIST SP 800-53 and PCI DSS.
Quote: "Compensating Control: A control that is an alternative to a primary control. It is put into place to satisfy the requirement for a primary control when it is too difficult or impractical to implement the primary control." (Accessed from the UC Berkeley Information Security Office website).