[Editor's note: The following is a response to a post by Joe Weiss on the "Unfettered" blog, wherein he discussed control system cybersecurity and the appropriate metrics to use to measure its effectiveness. (See "What Is Control System Cybersecurity and What Are the Appropriate Metrics?" )]
I think the ISA99 members would agree that it is hard to quantify security from their security access level (SAL) work. We're still hoping we can do it along with quantifying risk in the future.
A small nit on your IT security comments. IT security is much more than data protection. There are e-commerce systems where the cost of a minute of downtime is known and very high. There are many corporate systems were integrity is extremely important.
Both IT and operations cybersecurity are about applying technical and administrative security controls to meet the security objectives. Both also fail if you replace judgement with checklists. You will hear very similar complaints about PCI, as you do with NERC CIP.