Which type of control directly influences the expected loss from a threat?

Resistive control is the type of control that directly influences the expected loss from a threat. This type of control operates by reducing the impacts of a threat when it occurs. By implementing resistive controls, such as firewalls, intrusion detection systems, or physical security measures, an organization can mitigate potential losses from security incidents. These controls lower the likelihood of a successful attack and limit the extent of damage in the event that a threat materializes, effectively reducing the expected loss due to risk.

In the context of risk management and the FAIR model, the focus of resistive controls is on loss reduction. They play a critical role in calculating potential losses by providing a buffer against various threats, which helps in both risk assessment and in formulating strategies to handle potential incidents.

Other types of controls serve different purposes: operational controls relate to day-to-day processes and procedures, deterrent controls aim to discourage threats from occurring, and adaptive controls involve dynamic adjustments to respond to changing conditions. While these controls have value, their roles do not directly influence expected losses in the same way that resistive controls do.