Which of the following is NOT a valid rule of thumb on risk control strategy selection?

A$)$ When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.

B$)$ When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.

C$)$ When the potential loss is substantial: Apply design principles, architectural designs, and technical and non$-$technical protections to limit the extent of the attack, thereby reducing the potential for loss.

D$)$ When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.