As you bring up, the core to effective security is performing a risk assessment, deciding what information is most important to protect, and then developing mitigation strategies to safeguard that information. There are books and manuals that go into this in great depth, so I won’t spend a lot of time on the details.
A risk assessment should focus on the highest-impact items first. To determine this, you list your adversaries and group them by intent and capability. So the NSA would have a very high capability, but probably has a low intent of targeting you. Then you make a list of information about your secrets, what you are trying to protect, and group that based on the negative impact it would have if it were in the hands of an opponent. The most damaging information must be protected from the likeliest and the most capable adversaries.