This study attempts to draw a blueprint of risk analysis for Information Systems (IS). We introduce two main variables for measuring IS risk - business-impact intensity and IS-vulnerability index -through the investigaiona of information characteristics, business processes and human-related factors. IS-vulnerability index consists of two factors such as degree of openness and degree of preparedness to the threats. Based on these factor, we bulit two integrative frameworks for risk analysis and management:One is a conceptual framework to enhance the understandablilty of IS risk itself; the other is an intergrative framework to improve the managerial insight of overall IS risk. We then conducted a filed study to empirically validate the proposed framework using a structural equations modeling method. We found that IS maturity and business-impact intensity were postively correlated to degree of openness to the threats, while IS maturity was negatively correlated to degree of preparedness to the threats.