As in any complex endeavor, it is important to understand the concepts of information systems security before you start making changes and placing controls. Poorly placed security controls can often do more harm than good. A control that is too permissive to be effective does not increase security. Likewise, a control that is too stringent can often reduce availability and increase user frustration. It is important to always keep security goals in mind as you design and implement controls.
I want to comment on above statement.