Which security control category is primarily handled by people rather than systems?

The correct choice is operational, as this category of security controls predominantly focuses on the processes, procedures, and activities that people implement to manage and operate the security of an organization. Operational controls involve day-to-day security measures, such as user training, incident response, and physical security. In many instances, the effectiveness of operational controls relies significantly on human involvement, making it distinct from other control categories that are more automated or system-driven.

While managerial controls do involve people, they are more about policy-making, governance, and oversight. Technical controls rely on software and hardware to enforce security, such as firewalls and encryption, while preventative can refer to specific measures that may be technical in nature. Therefore, operational controls stand out as the category that hinges primarily on human action and oversight in the context of maintaining and improving an organization's security posture.