Page 96 - CISSO_Prep_ Guide
Many controls will be implemented in layers of defense so that
one control augments or supports the other controls and so that a
failure of one control is covered by subsequent controls.
Cost of Controls
Since the choice of control is based on cost versus benefit, it is
important to understand the true cost of the control. That cost is
made up of many factors: the initial purchase and implementation
cost, licensing costs, maintenance costs, the impact on
productivity, the impact on insurance premiums (which may be
either a benefit or a cost), and the demands placed on staff and
other resources. Often, risk will be mitigated through a series of
controls that work together in a defense-in-depth approach.
However, the "Law of Diminishing Returns" applies here. Each
successive control reduces the remaining risk by less than the one
before it, so beyond a certain point a great deal of money can be
spent for almost no tangible benefit. The cost of each additional
control should therefore be weighed against the reduction in
expected loss it actually delivers.
Risk Transference
In many cases, an organization may choose to deal with a risk
through the purchase of insurance or some other form of risk
transference. Transference does not lower the likelihood or the
impact of the adverse event itself; it shifts part of the financial
consequences to another party and so protects the organization
from some of the financial liability associated with that event.
The organization remains accountable for the risk, and losses that
cannot be expressed in money, such as damage to reputation, are
not transferred.
Risk Avoidance
There are situations where there is no suitable way to address a
risk or to reduce it to an acceptable level.
In this case, the organization may choose to avoid the risk