The disruption of operations due to IS failure becomes more important as IS has become an increasingly essential component of the organization's operations and can affect its strategic objectives. Nevertheless, traditional IS risk analysis methods do not adequately reflect the loss from disruption of operations in determining the value of IS assets. Quantitative methods do not measure the loss from disruption of operations. Qualitative methods consider the loss, but their results are subjective and not suitable for cost-benefit decision support. There is a lack of systematic methods to measure the value of IS assets from the viewpoint of operational continuity. This study presents an IS risk analysis method based on a business model. The method uses a systematic quantitative approach dealing with operational continuity: the importance of various business functions and the necessity level of various assets are first determined. The value of each asset is then determined based on these two levels. The proposed method adds the first stage, organizational investigation, to traditional risk analysis. The process of the method utilizes various methodologies such as paired comparison, asset-function assignment tables, and asset dependency diagrams. (C) 2003 Elsevier Science B.V. All rights reserved.