Conservation of money
A while back I noted that if you find a metric for security that acts like you'd expect such a metric to act, then the metric essentially has to be information-theoretical entropy. I just read "The Physics of the Shannon Limits" by physicist Neri Merhav, a paper that shows the connection between information-theoretical entropy and thermodynamic entropy. The basis for thermodynamic entropy is conservation of energy, so I had to wonder if there's a similar conservation law that you can use to explain a metric for information security that's just entropy in disguise.
The second law of thermodynamics roughly says that entropy increases over time, but it doesn't have to: if you have energy, you can decrease entropy. Maybe there's a similar principle for security: it tends to decrease over time, and what you need to do to increase it is to spend money. Maybe there's some conservation-of-money principle that you can use to derive a principle that's just like the second law.