Which of the following is a technical control that helps protect against attacks targeting personnel but does not directly manage personnel risk?

The correct answer is email protection, which serves as a technical control aimed at preventing various forms of attacks that target personnel, such as phishing and malware distribution. Email protection mechanisms typically include filters that detect and block malicious emails, URL scanning, and various authentication methods to validate the sender. By implementing these protective measures, organizations can reduce the risk of personnel being compromised through their email accounts, thereby enhancing overall cybersecurity.

While options like least privilege and auditing requirements are vital in managing access and monitoring user behavior, they are not classified strictly as technical controls focused on mitigating direct threats to personnel. Similarly, mandatory vacation may help to reduce insider threats by making it more difficult for a potential rogue employee to hide suspicious activities, but it does not fall under the category of a technical control addressing direct cyber threats. Email protection specifically targets the vector of attack—email—making it a focused and effective measure in safeguarding personnel against specific types of cyber threats.