This article discusses a methodological approach to building models for assessing the effectiveness of a program (project) for creating or modernizing an information security system in the interests of ensuring the sustainability and competitiveness of a company in the face of increasing threats to the integrity, confidentiality, availability, and reliability of information that is important for its activities. At the same time, the effectiveness of a program (project) is understood as the degree of use of the opportunities allocated for their implementation of material, intangible, and temporary resources to achieve the set goals. When mathematically formalizing a generalized efficiency indicator, it is taken into account that the implementation of technical, technological, organizational, and other elements (events) included in this program (project) is accompanied by the influence of many random factors influencing the achievement of their particular goals. The proposed generalized indicator provides a dominant assessment of the effectiveness of programs (projects) taking into account the risks during their implementation.