Which statement best describes a preventive control?

Preventive controls are proactive measures designed to stop security incidents before they happen by reducing the chance that a threat can exploit a vulnerability. They create barriers and enforce policies so problems are prevented rather than discovered or repaired after the fact. Examples include multi-factor authentication, strict access controls, network segmentation, timely patching, secure coding practices, and ongoing security training. This is why the statement describing prevention as stopping incidents before they occur fits best. By contrast, detecting incidents after they happen points to detective controls, fixing vulnerabilities after exploitation describes corrective controls, and focusing only on physical security misses the wide range of preventive measures used across people, processes, and technology.