Tuesday, January 19, 2010

Threat Modeling

Stolen from Schneier:

“One of the important things to consider in threat modeling is whether the attacker is looking for any victim, or is specifically targeting you. If the attacker is looking for any victim, then countermeasures that make you a less attractive target than other people are generally good enough. If the attacker is specifically targeting you, then you need to consider a greater level of security.”

More often than not, you will not be the specific target of an elite group of hackers determined to infiltrate your network. You will be the victim of a user who visits the wrong website and then brings their infected machine back onto your network without knowing any better. Poor policies around user rights and access control are more likely to bring your network down than ZeroCool.

