Abstract: The efficiency evaluation of an information system's security measures is important for improving the system's security. Conventional evaluation methods do not consider the interaction and mutual influence of the business dataflow, the attack flow, and the security measures when evaluating a system's security measures, so they cannot ensure the effectiveness of the evaluation process and its results. This paper presents an approach for evaluating the efficiency of an information system's security measures under a given vulnerability set. It employs colored Petri net tools to uniformly model and simulate the interaction among the system's workflow, the attack flow, and the security measures. Based on this modeling method, the paper proposes an inter-node vulnerability exploitation graph generation algorithm and improves the Dijkstra algorithm to identify the shortest attack paths, i.e. those that can damage the information system's security attributes. Next, it constructs a hierarchical model to evaluate the effectiveness of the security measures and employs a gray multiple-attribute decision-making algorithm to choose the best effectiveness-improving alternatives. This approach alleviates the dependency on the evaluators' subjectivity in the evaluation of an information system's security measures and helps to ensure the consistency and traceability of the evaluation results. Finally, a practical Web business system is taken as a case study to validate the correctness and effectiveness of the evaluation model.
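As an added illustration of the shortest-attack-path idea above (this is not code from the paper, which uses a Petri-net-derived exploitation graph and its own improved Dijkstra variant): a small exploit graph whose edge weights are exploit effort, where the efficiency of a security measure is read as the growth of the cheapest attack path to the protected asset. Node names, weights and the two measure kinds ("patch" removes an exploit edge, "harden" multiplies its effort) are constructed assumptions.

```python
import heapq

# Constructed sample exploit graph (assumption, not from the paper): nodes are attacker
# footholds in a small web business system, an edge is a hypothetical exploitable
# vulnerability and its weight the assumed effort needed to exploit it.
BASE_GRAPH = {
    "internet": {"web_server": 2.0},
    "web_server": {"app_server": 3.0, "db_server": 6.0},
    "app_server": {"db_server": 1.0},
    "db_server": {},
}

def shortest_attack_path(graph, src, dst):
    """Plain Dijkstra: (cheapest effort, path) from src to dst; (inf, []) if unreachable."""
    dist, prev, heap, done = {src: 0.0}, {}, [(0.0, src)], set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nxt, w in graph.get(node, {}).items():
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = d + w, node
                heapq.heappush(heap, (d + w, nxt))
    if dst not in dist:
        return float("inf"), []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]

def apply_measure(graph, measure):
    """Copy of graph with one measure applied: 'patch' removes the edge, 'harden' scales it."""
    new = {n: dict(edges) for n, edges in graph.items()}
    src, dst = measure["src"], measure["dst"]
    if measure["kind"] == "patch":
        new[src].pop(dst, None)
    elif measure["kind"] == "harden" and dst in new[src]:
        new[src][dst] *= measure["factor"]
    return new

def measure_gain(graph, measure, src, dst):
    """Efficiency of a measure: how much the cheapest attack path to the asset grows."""
    before, _ = shortest_attack_path(graph, src, dst)
    after, _ = shortest_attack_path(apply_measure(graph, measure), src, dst)
    return after - before

def rank_measures(graph, measures, src, dst):
    """Order candidate measures by gain, best first (ties keep input order)."""
    return sorted(measures, key=lambda m: measure_gain(graph, m, src, dst), reverse=True)
```

A measure that disconnects the asset yields an infinite gain, which is the simplest case of the "no attack path to the security attribute" outcome the evaluation is looking for.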