Hey yeah you know, it’s still a quite (too) popular thing to talk about People – Process – Technology when it comes to control(s) types in the IS risk management / audit corner of the universe.
If you think about it … keep in mind that these factors are almost always presented as nearly disjunct things. With maybe an overlap, but not too much. In terms of Venn diagrams, almost three separate circles. Sometimes three completely, and deliberately, separate circles; joined by many-point wide edges with borders, like pipes.
Because pipe dreams. Of the legal kind now, in Canada. Keeping the three corner spheres with P-P-T text on them, separate. Think PPT indeed – boring outdated graphics and useful content, not so much.
But then, when sober, one realises that in fact, such pictures don’t say much since the overlap is huge, near-complete. If one thinks of controls, utterly-most often, all three factor apply in one way or another. …
So, only when controls towards certain control objectives cover all three aspects of P-P-T, can, even theoretically, eventual effectiveness be achieved.
Edited to add: Seek to mitigate weaknesses in one aspect of any control, with controls that are stronger in others. Otherwise, Swiss cheese model [however critiquable that has become… more on that later.]
Leaving the circles idea to: