This article presents a method for selecting the types of control measures needed to address these issues. It describes various categories of security products and provides a comparative analysis of the categories using a set of objectives and requirements. This process produces a point score for each category, which is then reviewed in light of the associated risks for that alternative. The results of the simplified analysis described here indicate that a combination of firmware-based access control and physical brackets provide the most effective security control for the average desk top computer...based on the specific objectives and requirements that were defined as a starting point. This approach can easily be extended to evaluate specific products within a category, and can also be applied to many other areas where security alternatives must be considered. Its quantitative, comparative nature makes it especially useful in documenting the decisionmaking process and justifying requests and recommendations to management. (Author abstract)