
Performance Evaluation of Enterprise Information Security Operations Management

IT Security Operations Management: Performance Evaluation

Advisor: 孫雅麗

Abstract


Business managers all recognize the importance of information security to enterprise IT operations, but do the resources invested in information security protection yield a reasonable return, and how should the performance of information security operations management be evaluated? Because information security involves complex technical and management issues, and attack techniques change rapidly, every link in the chain can give rise to risk; an IT environment that had no problems in the past is no guarantee that it remains impregnable and secure now or in the future. Besides hiring employees with information security expertise to take charge of their own security, enterprises may also choose to outsource to professional information security service providers.

This thesis examines the technical architecture of information security operations management and designs "technical management" and "operational management" performance evaluation indexes to measure how well information security operations management performs. These indexes can serve as tools for day-to-day operations management, giving an up-to-date view of overall operational performance so that corrective or improvement measures can be taken in time to control information security risk. Using the designed indexes, the thesis further calculates the actual financial losses of real incident cases to measure the return on investment.

Each performance evaluation index is designed according to the S.M.A.R.T. principle (Specific, Measurable, Attainable, Repeatable, Time-dependent), and all are expressed in quantitative units such as hours, counts and percentages, so that differing subjective judgements do not lead to differing conclusions. Every index can be obtained at a reasonable cost (time, money, manpower) and is therefore practical to operate. With suitable performance evaluation indexes in hand, the thesis uses real cases to try to answer the following questions of concern to management:
● Does the information security cost invested yield a "reasonable return"?
● "How much" must be invested to reach an adequate level of security?
● Is the state of information security "better than" it was before?

Parallel Abstract


Information security is a pivotal component of modern business activities without question. Enterprises should exercise due care to perform the ongoing maintenance necessary to keep IT systems in proper working order, or to abide by what is commonly expected in a given situation. The IT head is responsible for implementing countermeasures that provide protection from threats. Developing and implementing security policies, procedures, and standards shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and its employees from possible threats. This is especially important if the due care obligation exists because of a contract, regulation, or law. However, there has been a lack of well-defined performance evaluation indexes for understanding the return on investment in information security operations. The thesis designs "technical management" and "operational management" performance indexes to help an enterprise's top management evaluate the return on the money paid for security operations. Moreover, real security incident cases are discussed and their financial losses calculated to address the concerns of top management: 1) Am I spending the right amount of money? 2) How much should I pay for information security? 3) Am I better off than I was this time last year? Each index designed in the thesis evaluates to a number, a percentage or an elapsed time. The indexes are contextually specific, measurable, attainable (cheap to gather), repeatable and time-dependent. In addition, all of the indexes are clear, unambiguous and can be consistently measured without subjective distortion.

