As the use and importance of electronic information systems has increased, the security threats to such systems have also increased. Accordingly, a need exists for an improved way of determining the aggregate effectiveness of information security technologies deployed to counter such security threats.