A protective system is evaluated on the cost effectiveness of its individual measures in countering threats, reducing vulnerabilities, and:

Return on investment (ROI) measures the profitability of an investment relative to its cost but does not directly address the core goal of a protective system, which is to minimize risks. While understanding ROI can be part of a broader evaluation, it does not specifically focus on the effectiveness of measures in reducing vulnerabilities or countering threats.

Denying access is a tactic that may be employed as part of a protective strategy, but it is not a comprehensive measure of effectiveness. It focuses solely on preventing intrusion rather than addressing the broader goal of reducing overall risk exposure from various threats.

While increasing employee awareness is beneficial for enhancing security culture and responsiveness, it does not directly measure the effectiveness of protective measures against threats and vulnerabilities. Awareness can help in risk management but it is not a standalone metric for evaluating the cost effectiveness of protective systems.