The use of instrumentation and control systems, the most essential element of which is software (SW), for facilities of critical information infrastructure, has led to increased requirements for both the quality of SW in general and its reliability. The choice of the type of software life cycle plays an essential role in the software quality assurance process. However, regardless of the life cycle choice, software verification and validation (V&V) processes are fundamental to quality assurance. The article proposes a qualitative V&V model of the security management process using the example of cybersecurity and a quantitative method for assessing the sustainability of security measures based on the entropy change model.