— Managing security projects is a delicate activity due to the evolution of attacks. In this paper, we develop a new methodology for estimating security effort based on algebraic representation of security policies. This methodology is used within the SECOMO model. Two models are defined: the a priori model and the a posteriori model. Real security projects are used to prove the accuracy of the new methodology.