What kind of control is the instruction that requires employees to receive security awareness training before using email?

The instruction that mandates employees to receive security awareness training before using email is categorized as an administrative control. Administrative controls are policies and procedures put in place to manage the behavior of individuals within an organization. These controls are focused on employee actions and are essential in establishing a culture of security awareness.

Implementing training as a prerequisite for email usage addresses the human factor in security, which is often the weakest link in any security framework. By informing employees about security threats, best practices, and organizational policies, the organization enhances its overall security posture and reduces the risk posed by human error, such as falling for phishing attacks or mishandling sensitive information.

In contrast, physical controls pertain to security measures that protect physical assets, such as locks and surveillance cameras, while technical controls involve systems and technologies that protect information systems, such as firewalls and encryption. Finite, although not a common classification in this context, does not align with the recognized types of controls related to security management.