How should security metrics be defined and applied in evaluating an architecture?


Multiple Choice

How should security metrics be defined and applied in evaluating an architecture?

Explanation:
Security metrics work best when they are tied to business objectives and risk management, and when they show how the architecture reduces risk, supports resilience, and uses resources efficiently. This means metrics should be specific, measurable, and actionable, providing insight into both the effectiveness of controls and their efficiency in operation. When metrics are aligned with strategic goals, they guide decision-making, prioritization, and continual improvement of the architecture over time. Regularly collecting and reviewing these metrics helps stakeholders understand security posture, justify investments, and drive changes that reduce risk.

Choosing metrics at random or focusing on IT staff satisfaction and meetings fails to tell you how well the architecture actually protects assets or lowers risk, and it doesn't translate into improvements to controls or architecture. Measuring only cost ignores whether security objectives are being met. Redacting metrics and not sharing them with stakeholders undermines governance and accountability, making it hard to track progress or make informed decisions.

