
A Study on Constructing a Hospital Information Security Risk Management Framework and Risk Measurement

Developing a Risk Measurement Framework for Hospital Information Security Management

Abstract
The purpose of this study is to construct a hospital information security risk management framework that supports the information security awareness of hospital staff and achieves effective risk measurement. The research model takes the ISO17799 information security standard as its practical basis and combines modified expected utility theory with the Riskit model as its theoretical foundation. To verify the feasibility of the model, this study conducted a field investigation of an information security risk program carried out at a medical center in the central region. The results are consistent with previous scholarly work: they confirm that human decision attitudes and behavior under risk are not uniform, and that cardinal methods of risk measurement are generally regarded as more precise and reliable than the ordinal ranking used by the Riskit model. The modified model developed in this study uses a parameter-free, two-stage preference selection to reflect stakeholders' risk attitudes and decision behavior accurately and comprehensively. Experience with hospital information security risk management shows that investigating each stakeholder's attitude toward risk perception in depth makes it possible to grasp the potential risk factors at different stages; parameter-free methods can then be used to measure potential risk events, so that even when unexpected harmful events occur, the resulting losses can be transferred and controlled, thereby meeting the goals of risk management. Because the stakeholder decision attitudes and behavioral characteristics examined in this framework have general applicability, they can serve as a reference for other areas of information security risk management.

Abstract (English)
The purpose of this study was to develop a hospital information security risk framework, improve sensitivity toward organizational risk, and improve decision making. This study adopted ISO17799, which has ten control items, for risk management. To ensure that the proposed framework was feasible, we conducted a field study investigating risk identification, analysis, measurement and control. We found that the analysis agreed with previous studies and that there was great diversity in human decision behavior and uncertainty in risky environments. The proposed framework was thus able to elicit the real risk attitude of each stakeholder more accurately than the Riskit model. A review of risk experience clearly showed the potential incidents through a more detailed investigation of stakeholders' risk cognition. Furthermore, using this study, we were able not only to identify potential risk incidents using a non-parametric method, but also to assess risk and control losses. We conclude that the proposed framework can reduce information security risk by considering stakeholders' decision positions and behavioral attributes and by providing decision makers with the effective support needed for quality decision making. Finally, the implications of the research findings can be used to investigate similar risky decision-making issues.
