Most organizations today pay a pretty penny protecting its information and resources from being mishandled or abused. To establish security for an organization this process could be costly. I agree that the cost should never exceed the value of an organization's information and resources because it wouldn't be beneficial to help the organization thrive. An information system control is most effective when we focus on preventative controls to prevent any potential negative unforeseen event from occurring, detective controls to verify if there was an issue, and corrective controls to lessen the impact of any issue that has occurred and restore the information system back to it's proper state. There are many security measures that an organization can use to protect such information, but biometrics is one that I feel can be too costly or it may provide a minimized benefit. "Biometrics is one of the most sophisticated forms of governing access to systems, data, and/or facilities" (Valacich, J. S., Schneider, C