March 9th, 2009 by Chandler Howell

The Electronic Frontier Foundation (of which I’m a member) has a new Surveillance Self-Defense Guide which includes a Risk Management Primer. They define Risk Management as:

Security Means Making Trade-Offs to Manage Risks

Security isn’t having the strongest lock or the best anti-virus software — security is about making trade-offs to manage risk, something we do in many contexts throughout the day. When you consider crossing the street in the middle of the block rather than at a cross-walk, you are making a security trade-off: you consider the threat of getting run over versus the trouble of walking to the corner, and assess the risk of that threat happening by looking for oncoming cars. Your bodily safety is the asset you’re trying to protect. How high is the risk of getting run over and are you in such a rush that you’re willing to tolerate it, even though the threat is to your most valuable asset?

That’s a security decision. Not so hard, is it? It’s just the language that takes getting used to. Security professionals use four distinct but interrelated concepts when considering security decisions: assets, threats, risks and adversaries.

They go on to explain the rest of the relevant concepts as well as how to put them all together effectively and appropriately. I might have a few quibbles with a bit here or there, but I still highly recommend this as an accessible overview of Information Risk Management.

Posted in Security and Risk Management, Risk Management, Definitions
