Countermeasures mitigate either vulnerabilities or threats to prevent loss. Like vulnerabilities, countermeasures can be categorized into operational, personnel, physical, and technical. It is however important to realize that a vulnerability does not have to be mitigated by a countermeasure in the same category. For example, poor security awareness, which is an operational vulnerability, can be mitigated with multi-factor authentication, which is a technical countermeasure.

It is also important to consider that countermeasures can provide protection, detection, and/or reaction. It may be advantageous to have multiple countermeasures address a single vulnerability. Likewise, a countermeasure might address multiple ...