A common perception in the infosec community is that there can never be too much security, but it is understood that “too much” security is expensive and sometimes prohibitively so from a business perspective. So where is the fine line that defines “just enough” security?