What type of control is John considering when writing a procedure for password disclosure due to phishing attempts?

Study for the Security+ Master Deck Test. Prepare with flashcards and multiple-choice questions. Gain confidence and ace your certification exam with ease!

When John is writing a procedure for password disclosure related to phishing attempts, he is focused on a directive control. Directive controls are designed to guide the behavior of users within an organization and set expectations or requirements regarding certain actions. In this context, creating a procedure specifies how employees should respond to phishing attempts, thereby helping to establish clear protocols for managing sensitive information, such as passwords.

By writing this procedure, John is not only preventing potential misuse of passwords but also establishing a clear guideline for behavior in response to threats, which is characteristic of a directive control. This demonstrates the organization's commitment to security awareness and educates users on how to avoid falling victim to phishing schemes.

Preventive controls, while important, are more about implementing measures to stop incidents before they happen than about creating guidelines for user behavior. Detective controls focus on identifying incidents after they occur, and corrective controls deal with responses and recovery after an incident has already taken place. Each of these other types of controls plays a role in an overall security strategy, but in this instance, the emphasis is on establishing a framework for how users should act in potential phishing situations, which clearly identifies it as a directive control.
