How do you assess whether a security control is worth the operational cost in a critical environment?