What you need to do is provide an information asset risk inventory with dollar value, risk of loss without security
measures, and risk of loss with security measures. For example, if you have an information asset that you value at $1,000,000, with a 20% chance of loss without security measures and a 2% chance of loss with security measures, you see that the risk reduction is 18%, and the value of that reduction is $180,000 ($1,000,000 * .18). Each asset, with its value and risk factors, needs to be listed.
It’s best if you can use hard data; otherwise use good faith estimates.
So, management needs to be able to see a comparison of the VALUE of your risk mitigation measures to their COST.
I hope this helps.
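A worked inventory calculator for the method described in the post above, as an added example that is not part of the original post. The asset names, dollar values, loss probabilities and control costs are constructed sample data; the per-asset "net benefit" column (value of the risk reduction minus the cost of the measures) is the VALUE-to-COST comparison the post asks for, and the totals row gives management the same comparison across the whole inventory.

```python
"""Information-asset risk inventory: value of risk reduction vs. cost of controls.

Added example, not code from the original post. All assets, values,
probabilities and control costs below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # dollar value of the asset
    p_loss_without: float   # probability of loss with no security measures (0..1)
    p_loss_with: float      # probability of loss with the proposed measures (0..1)
    control_cost: float     # cost of the proposed measures for this asset


def validate(asset: Asset) -> None:
    """Reject inventories that cannot be right: probabilities outside 0..1,
    negative dollars, or a control that makes loss MORE likely."""
    if not (0.0 <= asset.p_loss_with <= asset.p_loss_without <= 1.0):
        raise ValueError(f"{asset.name}: need 0 <= p_with <= p_without <= 1")
    if asset.value < 0 or asset.control_cost < 0:
        raise ValueError(f"{asset.name}: value and control cost must be >= 0")


def expected_loss(value: float, p_loss: float) -> float:
    """Expected loss = asset value * probability of loss, rounded to cents."""
    return round(value * p_loss, 2)


def risk_reduction(asset: Asset) -> float:
    """Percentage-point reduction in loss probability (0.20 - 0.02 = 0.18)."""
    return asset.p_loss_without - asset.p_loss_with


def reduction_value(asset: Asset) -> float:
    """Dollar value of the risk reduction ($1,000,000 * 0.18 = $180,000)."""
    return round(asset.value * risk_reduction(asset), 2)


def net_benefit(asset: Asset) -> float:
    """Value of the reduction minus what the measures cost; negative means the
    controls cost more than the risk they remove."""
    return round(reduction_value(asset) - asset.control_cost, 2)


def summarize(inventory: list[Asset]) -> tuple[list[dict], dict]:
    """Per-asset rows plus inventory totals for the management comparison."""
    rows = []
    for a in inventory:
        validate(a)
        rows.append({
            "asset": a.name,
            "value": a.value,
            "loss_without": expected_loss(a.value, a.p_loss_without),
            "loss_with": expected_loss(a.value, a.p_loss_with),
            "reduction_pct": round(risk_reduction(a) * 100, 2),
            "reduction_value": reduction_value(a),
            "control_cost": a.control_cost,
            "net_benefit": net_benefit(a),
            "control_justified": net_benefit(a) >= 0,
        })
    totals = {
        "reduction_value": round(sum(r["reduction_value"] for r in rows), 2),
        "control_cost": round(sum(r["control_cost"] for r in rows), 2),
    }
    totals["net_benefit"] = round(totals["reduction_value"] - totals["control_cost"], 2)
    return rows, totals


# Constructed sample inventory (hypothetical assets and figures).
SAMPLE_INVENTORY = [
    Asset("customer database", 1_000_000, 0.20, 0.02, 120_000),
    Asset("public web server", 250_000, 0.30, 0.05, 90_000),
    Asset("internal wiki", 50_000, 0.10, 0.01, 20_000),
]


if __name__ == "__main__":
    rows, totals = summarize(SAMPLE_INVENTORY)
    hdr = f"{'asset':20} {'reduction':>10} {'value':>12} {'cost':>10} {'net':>12}  justified"
    print(hdr)
    for r in rows:
        print(f"{r['asset']:20} {r['reduction_pct']:>9.1f}% {r['reduction_value']:>12,.0f} "
              f"{r['control_cost']:>10,.0f} {r['net_benefit']:>12,.0f}  {r['control_justified']}")
    print(f"{'TOTAL':20} {'':>10} {totals['reduction_value']:>12,.0f} "
          f"{totals['control_cost']:>10,.0f} {totals['net_benefit']:>12,.0f}")
```

Run it and the first row reproduces the post's figures (18% reduction worth $180,000); the other two constructed rows show controls whose cost exceeds the value of the risk they remove, which is exactly the kind of line item management should be able to see and question. Where the probabilities are estimates rather than hard data, say so in the inventory, and re-run the summary with the low and high ends of each estimate so the comparison shows its sensitivity.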