Gunnar Peterson has a great post on security budgeting. His essential point is to apply a “flat tax” to all IT spending. The value is in its simplicity. We can get a lot more complex (and often do), but this is an excellent starting point.
Don’t forget the business, and don’t forget that we are “optimizing” our risk, not always minimizing it.