You need this book by Brian Allen and Rachelle Loyear to apply Enterprise Security Risk Management (ESRM) to address fundamental risk principles and to manage your critical security risks.