The Australian Defence Signals Directorate released a paper that prioritizes mitigation techniques by effectiveness. Even better, they provide subjective assessments of user resistance and of the upfront and ongoing costs for each mitigation strategy.
I think it is quite telling that the most effective control is application whitelisting.
H/T to @Lerg for finding this.