Since the vast majority of business decisions is based on data, reliable information technology is a prerequisite for business continuity and, therefore, crucial for the entire economy. Legal and regulative frameworks demand decision makers to define mitigation strategies for their operational IT risks, but existing approaches fall short of meeting their needs. Recent studies have shown that the lack of IS knowledge at the management level is one reason for inadequate or nonexistent IS risk management strategies. This project pursues to close this essential research gap by providing a new approach to support decision makers in interactively defining the optimal set of security controls according to common regulations and standards. The proposed project addresses three essential yet unsolved research problems, namely (i) the formal representation of IS standards and domain knowledge, (ii) the reliable determination of the risk, (iii) and the (semi-) automatic countermeasure definition.