Abstract:
Regulatory frameworks and economic pressure require decision makers to define mitigation strategies for their operational IT risks. However, recent studies indicate that a lack of information security (IS) knowledge at the management level is one reason for inadequate or nonexistent IS risk management strategies, because existing approaches fall short of meeting decision makers' needs. This paper presents the FORISK project, which provides a new approach to support decision makers in interactively defining the optimal set of resilience measures and security controls according to regulations and standards. FORISK addresses three essential, yet unsolved research problems: (i) the formal representation of IS standards and domain knowledge, (ii) reliable risk determination, and (iii) the (semi-)automated definition of countermeasures.
Published in: 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W)
Date of Conference: 24-27 June 2013
Date Added to IEEE Xplore: 30 September 2013
Electronic ISBN: 978-1-4799-0181-4