  • Carrollynn Brown thinks this is interesting:

Law #6: The efficacy of a control deteriorates with time. Once put in place, security controls tend to remain static—while the environment in which they operate is dynamic. As a result, a control’s ability to produce the intended effect diminishes over time, and the effectiveness of the controls progressively degrades.

From

Managing Risk and Information Security: Protect to Enable

Note

Good consideration when "scoring" control effectiveness in the risk assessment process for calculating residual risk.