The article discusses a methodological approach to building models for evaluating the effectiveness of programs (projects) for creating or upgrading an information security system inorder to ensure the stability and competitiveness of a company in the face of increasing threats to violate the integrity, confidentiality, availability and reliability of information that is essential for its activities. At the same time, the effectiveness of programs (projects) is understood as the degree of use of the opportunities allocated for their implementation of material, intangible and temporary resources to achieve the goals. In the mathematical formalization of the generalized performance indicator, it is taken into account that the implementation of technical, technological, organizational and other elements (activities) included in this program (project) is accompanied by the impact of many random factors affecting the achievement of their particular goals. The proposed generalized indicator provides a dominant assessment of the effectiveness of programs (projects), taking into account the risks in their implementation.