In today's complex business world, managers should recognize a fundamental premise: it is not possible to have a risk-free data processing environment. Risk, therefore, must be managed. Because customers' security concerns have increased recently, this thesis studies risk analysis and management for information systems by selecting a company with the highest sensitivity to customers' security. Consequently, the manager should decide on countermeasures by considering their type, cost, state, security level, and so on. This thesis develops a DSS (Decision Support System) for analyzing and selecting countermeasures, to assist the manager's decision making.