Annualized loss resulting from security incidents is the most appropriate metric to demonstrate the effectiveness of information security controls to senior management. This metric provides a comprehensive view of the financial impact of security incidents, which is a key concern for senior management. It helps them understand the real-world consequences of inadequate controls in monetary terms, making it easier for them to grasp the importance and efficacy of security measures.