Government computer systems and networks are under increasing attack from foreign governments, organized crime, and other malicious attackers. Security best-practice checklists are commonly used to ensure the protection of government computer systems. However, experimental validation of the recommended security measures is lacking. Additionally, administrators have no way to compare the effectiveness of the many recommended security measures, and they have no way to decide which security measures should be implemented first. We present a model of security measures that describes their overall effectiveness and their effectiveness relative to how soon each measure is implemented. Our analysis reveals important principles for implementing security measures and highlights the need for improved user interfaces and administrative tools.