We've been discussing Outrage Considered Useful. Alex remarked in a comment:
The term "Outrage" suggests that risk cannot or should not be discussed in a rational manner.
What I think Sandman is getting at is that often risk isn't discussed in a rational manner, because managers' (and security people's) egos, fears, ambitions, etc. get in the way. In a perfect Platonic world perhaps things wouldn't be that way, but in this one, people don't operate by reason alone, even when they think they are doing so.
Outrage x Hazard may be a means to express risk within the context of the organization, but I like probability of loss event x probable magnitude of loss better for quantitative analysis.
Indeed, quantitative analysis is good. However, once you've got that analysis, you still have to sell it to management. And there's the rub: that last part is going to require dealing with emotion.