Determining Security Controls for Devices