Journal: Protection: All or None?
Matt Bishop, a computer security expert, says that the results of a poorly implemented protection strategy can be worse than the effects of no protection at all.

In your view, in what ways might a poor protection strategy be worse than nothing?

How would you assess a protection implementation to determine whether it was effective?