The Economist online (subscription not required in this case) has a special report on Economic Models, "We cannot live without big and ambitious economic models. But neither can we entirely trust them". This surely could apply to most IT security and risk management processes.
Economists today use computers and software not perspex and piping, but they share Phillips's itch to build models that faithfully mirror the real economy. For each of the big economic questions facing the world (What do we stand to gain from a global trade deal? By how much has expensive oil retarded growth? What might be the economic costs of an avian flu pandemic?) there is a model that will provide a big numerical answer ($520 billion, 1.5% of world GDP, and $4.4 trillion, respectively). Such figures are trotted out far and wide. But can we entirely trust them?
IT security and risk management seek to understand the relationships between a system's threats, vulnerabilities, countermeasures and assets. Each of these areas has a set of domain-specific assumptions baked into it that may reflect a) reality, b) the limitations of the data available, or c) the limitations of the analyst in that space.
Economic models fall into two broad genres. Macroeconomic models, the distant descendants of Phillips's machine, belong mostly in central banks. They capture the economy's ups and downs, providing a compass for the folks with their hands on the monetary tiller. The second species, known as computable general equilibrium (CGE) models, largely ignore the vagaries of the business cycle. They concentrate instead on the underlying structure of production, shedding light on the long-term repercussions of such things as the Doha trade round, a big tax reform or climate change.
IT security and risk management have to deal with a fundamental impedance mismatch between the datasets available: try equating financial metrics like Annual Loss Expectancy with counts of unpatched vulns, for example. One problem in this area is hinted at above: asset-related metrics are likely to be viewed, by the business anyhow, as a macroeconomic concern, while the data around countermeasures, threats, and vulnerabilities are likely to be micro-focused. Both the datasets themselves and their relationships must be modeled.
Why does this matter? If you have 100 security dollars to spend, you likely want to spend them in such a way that you mitigate attacks on the most valuable assets, and this requires that the macro view and the micro view work together.
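As an added illustration of the macro/micro mismatch (this is example code written for this page, not anything from the post or the Economist report), the toy model below joins a macro view (asset value and exposure factor) to a micro view (unpatched vulnerability counts) through Annual Loss Expectancy, then spends a fixed 100-dollar budget greedily on whatever mitigation removes the most expected loss per dollar. All asset values, vulnerability counts, mitigation costs and the assumption that ARO scales linearly with unpatched vulns are constructed for the example; the point it makes is that ranking by unpatched count alone and ranking by ALE put different assets first.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # macro view: business value of the asset in dollars
    exposure_factor: float  # fraction of value lost in one successful attack
    unpatched: int          # micro view: unpatched vulnerabilities on the asset
    rate_per_vuln: float    # ASSUMED annual attack rate contributed by each unpatched vuln


@dataclass(frozen=True)
class Mitigation:
    label: str
    asset: str      # name of the asset it applies to
    cost: float     # dollars taken out of the security budget
    patches: int    # unpatched vulnerabilities it removes


def ale(a: Asset) -> float:
    """Annual Loss Expectancy = SLE x ARO.

    SLE (single loss expectancy) comes from the macro view (value x exposure
    factor); ARO (annualised rate of occurrence) is derived from the micro view
    by the constructed assumption ARO = unpatched * rate_per_vuln.
    """
    sle = a.value * a.exposure_factor
    aro = a.unpatched * a.rate_per_vuln
    return sle * aro


def rank_by_unpatched(assets):
    """Micro-only ranking: most unpatched vulnerabilities first."""
    return [a.name for a in sorted(assets, key=lambda a: a.unpatched, reverse=True)]


def rank_by_ale(assets):
    """Joint ranking: largest expected annual loss first."""
    return [a.name for a in sorted(assets, key=ale, reverse=True)]


def allocate(assets, mitigations, budget):
    """Greedy allocation: repeatedly buy the affordable mitigation with the
    largest ALE reduction per dollar until nothing affordable still helps.
    Returns (chosen labels, unspent budget, residual ALE per asset)."""
    state = {a.name: a for a in assets}
    pool = list(mitigations)
    chosen = []
    remaining = budget
    while True:
        best = None  # (gain per dollar, mitigation, asset state after applying it)
        for m in pool:
            if m.cost > remaining:
                continue
            before = state[m.asset]
            after = replace(before, unpatched=max(0, before.unpatched - m.patches))
            gain = (ale(before) - ale(after)) / m.cost
            if gain > 0 and (best is None or gain > best[0]):
                best = (gain, m, after)
        if best is None:
            break
        _, m, after = best
        state[m.asset] = after
        remaining -= m.cost
        chosen.append(m.label)
        pool.remove(m)
    return chosen, remaining, {name: ale(a) for name, a in state.items()}


# Constructed sample data (not from the post): a high-value asset with few
# holes next to a low-value asset with many.
ASSETS = [
    Asset("customer-db", value=1_000_000, exposure_factor=0.5, unpatched=2, rate_per_vuln=0.05),
    Asset("intranet-wiki", value=20_000, exposure_factor=0.5, unpatched=20, rate_per_vuln=0.05),
]
MITIGATIONS = [
    Mitigation("patch-db-all", "customer-db", cost=60, patches=2),
    Mitigation("patch-db-one", "customer-db", cost=35, patches=1),
    Mitigation("patch-wiki-half", "intranet-wiki", cost=40, patches=10),
]
BUDGET = 100


if __name__ == "__main__":
    print("micro-only ranking:", rank_by_unpatched(ASSETS))
    print("ALE ranking:       ", rank_by_ale(ASSETS))
    chosen, left, final = allocate(ASSETS, MITIGATIONS, BUDGET)
    print("bought:", chosen, "unspent:", left)
    for name, loss in final.items():
        print(f"  {name}: residual ALE ${loss:,.0f}")
```

With these constructed numbers the micro-only view puts the wiki first (twenty unpatched vulns against two), while the ALE view puts the customer database first (50,000 dollars of expected annual loss against 10,000), and the greedy allocation spends 60 dollars fully patching the database before it spends the last 40 on the wiki. The linear ARO assumption is the weakest link, which is exactly the kind of baked-in assumption the post warns about: change it and the ranking can change with it.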