There's a bit of comment discussion going on in Metricon Slides, and Viewed as PR about counting vs. selling, in which the major point of agreement seems to be that even at a metrics conference there weren't a lot of metrics presented that were strategic and business-like.
Let's assume for a moment that we have such metrics, and listen to Peter Sandman, whose website motto is Risk = Hazard + Outrage:
Sometimes, of course, senior management is as determined as you are to take safety seriously. And sometimes when it’s not, its reservations are sound: The risk is smaller than you’re claiming, or the evidence is weak, or the precautions are untested or too expensive. But what’s going on when a senior manager nixes your risk reduction recommendation even though you can prove that it’s cost-effective, a good business decision? Assume the boss isn’t too stupid to get it. If the evidence clearly supports the precautions you’re urging, and the boss isn’t dumb, why might the boss nonetheless have trouble assessing the evidence properly?
As a rule, when smart people act stupid, something emotional is usually getting in the way. I use the term “outrage” for the various emotion-laden factors that influence how we see risk. Whether or not a risk is actually dangerous, for example, we are all likely to react strongly if the risk is unfamiliar and unfair, and if the people behind it are untrustworthy and unresponsive. Factors like these, not the technical risk data, pretty much determine our response. Risk perception researchers can list the “outrage factors” that make people get upset about a risk even if it’s not very serious.
— The Boss’s Outrage (Part I): Talking with Top Management about Safety by Peter M. Sandman, The Peter Sandman Risk Communication Web Site, 7 January 2007
He goes on to outline several reasons management might get upset.
guilt/responsibility (hey, it might be managment's fault!),
ego/stature ("Let’s face it: Compared to other important management tasks, safety is low-status."),
hostility/contempt (who really cares about the cannon fodder?),
fear/denial (my favorite),
performance anxiety ("If you can think of things I ought to do that I haven’t thought of, then I must not be very good at my job.")
He goes into more detail on these items, and he has a much longer list, as well.Then he recommends some strategies for dealing with safety outrage, including:
Suppose your VP half-thinks safety is beneath her. On the other hand, she realizes that a bad safety record can really hurt the bottom line. She’s ambivalent. So she does what ambivalent people do – she goes to whichever seat on the seesaw you leave vacant. If you tell her that safety needs more of her attention, she’s likely to feel her stature/ego reservations that much more strongly. “I don’t do safety. I’m a VP.” So instead you might want to say something like this: “Look, you’re much too busy for this stuff. I figure the most I deserve is ten minutes of your time to brief you on what I want to do. You’re a VP and safety is not your main thing.” The odds are pretty good that she’ll answer: “I need much more information than that. I want to give much more attention to safety than that.”
So, can you see the average "just want to count" security professional going to a VP with that humble attitude? Or being willing to spend any time on learning such emotional management skills?
And I don't recommend that ISTJs try to become ENFPs. That way lies a manipulative cult, not a healthy company. Rather, this communication problem makes Jack Jones' elaborate risk decision making organizational structure look more attractive. Personally, I find it hard to go for quite that much bureaucracy, yet there probably does need to be a layer or two of bridging personalities between the hardcore introverted thinking counting crew and the extraverted emoting executives.
Still, the counting crew needs to come to realize this communication problem, namely that presenting a hazard without outrage won't convince anybody it's a risk. Or, that abstraction plus emotion is not the same as lying. Then they will have a chance of producing strategic and business-like metrics.
Do please read Peter Sandman: that's well worth everyone's time.