Which of the following is considered an example of a control in risk management?

A firewall configuration is considered a control in risk management because it is a specific mechanism put in place to mitigate potential security threats to a network. Firewalls are designed to monitor and filter incoming and outgoing network traffic based on predetermined security rules, thus reducing the risk of unauthorized access, data breaches, and cyberattacks.

In the context of risk management, controls are measures taken to protect assets and ensure the integrity, confidentiality, and availability of information. Technical controls, like firewalls, are essential in establishing a defensive barrier against various cyber threats.

In contrast, options such as an email marketing campaign, a customer feedback survey, and an employee training module do not fundamentally serve as controls to mitigate risks. While training modules can help improve employee awareness around cybersecurity practices, they are not a direct technical control like a firewall. Instead, they may be considered part of an overall strategy for governance and awareness, but they lack the direct risk mitigating functionality that a firewall provides.