Information Systems (IS) risk management is a challenge to every organization, in that they are exposed to cyber-attacks that bypass physical barriers. Organizations increase online business in order to remain competitive, but as a consequence their online exposure becomes greater. However their risk management practices and governance are inadequate in the face of increasing new threats and vulnerabilities. This paper presents a Multi-Objective Decision Model for assessing Information Systems Risks. The decision model is based on the values and perceptions of stakeholders. It uses the Value-Focused Thinking approach, as opposed to the predominant Alternative-Focused Thinking. The objectives serve as a basis for decision making in the context of Information Systems risk management in complex managerial situations.