A control is appropriate if :
1) it will keep hackers out of sensitive systems.
2) it costs less than the asset it protects.
3) it is recommended by at least one security consultant.
4) the result of a cost-benefit analysis is positive.