This study attempts to draw a blueprint of risk analysis for Information Systems (IS). We introduce two main variables for measuring IS risk - business-impact intensity and IS-vulnerability index - through the investigation of information characteristics, business processes and human-related factors. IS-vulnerability index consists of two factors such as degree of openness and degree of preparedness to the threats. Based on these factors, we built two integrative frameworks for risk analysis and management: One is a conceptual framework to enhance the understandability of IS risk itself; the other is an integrative framework to improve the managerial insight of overall IS risk. We then conducted a field study to empirically validate the proposed framework using a structural equations modeling method. We found that IS maturity and business-impact intensity were positively correlated to degree of openness to the threats, while IS maturity was negatively correlated to degree of preparedness to the threats.