Although a variety of information security risk management (ISRM) approaches have been proposed, well-founded methods that provide an answer to the following question are still missing: How can the risk level of a business process be determined by taking the risk levels of the involved resources into account? This paper presents our research results regarding resource-based risk analysis methods in order to assign realistic figures concerning the business process risk level. With regard to business processes the research results allow the (semiautomatic) reasoning of the current security status of an organization. In this way we can support decision makers in selecting appropriate controls to reduce risks to an acceptable level; and also in making a reasonable trade-off between investments into security and the need for protection.