This thesis attempts to draw a pictorial blueprint of risk analysis for IS managers. Although the contingency model remains at a conceptual level, we believe that our integrative framework will enhance managerial insight. As the proverb goes, "A person is known by the company he keeps": we can obtain the necessary information about IS-risk itself if we comprehensively survey the related IS environment, such as IS characteristics, business processes, and people. First, we begin by identifying IS-risk factors by analogy with this idea. Here, we focus on the relationships among the IS-related components. We then determine two factors for assessing IS-risk: the business-impact intensity of IS and the IS-vulnerability index. The IS-vulnerability index in turn consists of the degree of openness to threats and the degree of preparedness for them. Second, we build a contingency model based on the two IS-risk factors. The model consists of four cells: emergency care, life insurance, out-patient treatment, and periodical inspection. Here, the "emergency care" cell has the highest priority for IS-risk management and the "periodical inspection" cell the lowest. Finally, we build an integrative framework for risk analysis and management. This framework includes the uncertainty avoidance index and the maturity level of IS. This thesis also uses the LISREL package (Ver. 7.16) as the statistical tool to validate our research hypotheses. The results of this study indicate that there is an inconsistency between the level of IS use and IS security activity.