The 2008 PhD thesis of Domenico Salvati from the Laboratory for Safety Analysis at ETH Zurich, on the Management of Information System Risks, is available online. Salvati presents a structured approach to the IT risk management process that differs in some novel ways from the more familiar frameworks. The thesis contains long examples on computing the risk of a brute force password attack and the risk of phishing attacks. The work has a very practical flavour, as Salvati was sponsored by Credit Suisse for the thesis, as part of ZISC.
You can find a short bio on Domenico as part of the upcoming hashdays security and risk conference in Zurich.