In "Business Analytics - An Introduction", Evan Stubbs describes "value architecture" in these terms: "Results need to be measurable, they need to be contextually relevant, they need to link into a strategic vision, and their successful completion needs to be demonstrable".
Breaking that down, I find that there are really only two key factors. If results are measurable, that implies to me that they can be demonstrated. Also, it's hard to see how results that are 'contextually relevant' might not 'link into a strategic vision' since that is the context, or at least a major part of it. So, in short, results need to be both relevant and measurable.
Of those two aspects, measurability is the easier. Read "How to Measure Anything" by Douglas Hubbard! Evan also talks about objectivity, and he is writing in the context of big data analytics, meaning the difficult problem of extracting useful meaning from huge and dynamic volumes of complex data. Measurability is largely a matter of mathematics, or more precisely statistics. I agree it is a major issue but, with all due respect to the statistical wizards, fairly mechanistic and logical.
That leaves the more awkward question of relevance. What are 'contextually relevant results'? Evan pointed out the strategic element, implying that relevant results can be extrapolated from corporate strategies. Strategies typically elaborate on how the organization intends to achieve identified long-term goals and interim objectives, often using the metaphor of a journey across a landscape passing waypoints en route to a destination. That in turn suggests the idea of measuring the actual direction and speed of travel - the trajectory - relative to the planned route as well as proximity to the eventual goal. Metaphorically speaking, it's more efficient to take a direct route than to be constantly side-tracked and diverted, and perhaps get lost.
So how does this relate to information security metrics? Evan implies that we need to define the intended results of information security in terms that are both relevant and measurable.
Again I will side-step the measurability angle in order to focus on relevance. How is information security relevant to the organization?
In strategic terms, information security can be expressed in several different ways. Usually, we talk about protecting information assets, the defensive perspective. In this frame of reference, information systems, networks and information need to be defended against all manner of threats that would harm them. Relevant metrics here tend to relate to measuring and assessing the risks (threats, vulnerabilities and impacts, including security incident and business continuity metrics) and security controls (especially control efficiency and cost-effectiveness, implying most financial security metrics). Compliance is a classic defensive objective, hence compliance-related metrics also fit into this group.
Some of us also talk in terms of information security as a business enabler - letting the organization do business, safely, that would otherwise be too risky. Here we're thinking more proactively: security has an offensive as well as a defensive strategic role. Relevant metrics in this domain include the assurance angle, giving management confidence in the security arrangements so that they can concentrate on taking the most direct route. Hence control reliability metrics, plus various test and audit results, are in this group. Proactively exploiting strengths in information security also implies going beyond mere compliance (which, it has to be said, is a low hurdle) towards good or even best practice. Security maturity, benchmarking and governance metrics are relevant to business enablement. Measures of the integration of information security into various business and IT processes and systems are an example.
What are we left with? Mmm, I'm not sure I can think of any information security metric that doesn't fit into one or other of those categories. Can you?