Every security-oriented activity in information systems has to start with the basics, namely risk management. Although risk management is a well-established and well-known discipline in many other areas, translating it directly to information systems is neither easy nor straightforward because of the specifics of contemporary information systems. Among these specifics are the global connectivity of information systems, the large number of elements (e.g. thousands of software components), the strong involvement of the human factor, the almost endless number of possible interactions, etc. This paper therefore presents a new methodological approach based on business dynamics. It enables the above-mentioned elements to be addressed effectively, and through this it supports and improves decision making in information systems security.