Wade Baker at the Verizon Business Security Blog posted on the definition of Effectiveness in relation to Security Controls.
I like his basic definition:
"If it does what it’s supposed to, to the degree it’s supposed to"

This highlights the need for a thorough analysis of what a control is supposed to do – and how well it's supposed to work, which I think sometimes gets missed among all the vendor sales and marketing materials that are designed to talk about the big picture (compliance, etc.) rather than actual functionality.