Your organization is launching a new cloud-based application to handle sensitive customer data. During the risk assessment, several high-risk vulnerabilities were identified, including data breaches, unauthorized access, and insider threats. The security team has recommended a range of security controls, but due to budget constraints, not all controls can be implemented immediately. which factors should be most critical in selecting the appropriate security controls for the new cloud-based application?