Controls are necessary to reduce the likelihood of risks, but excessive controls will have adverse effects:
- Degraded productivity
- Pushback from users
- Circumvention of the controls
A risk assessment is required to design optimal and effective controls. Change (behavior) management and user awareness also need to be well established. Essentially:
- Why the control is required
- What it means in daily work (WIIFM, "what's in it for me", for the user)
- What the consequences of a violation are (for both the organization and the offender)