Risk analysis supported by technical assets can be more expensive and still not be enough to analyze information security requirements. Adaptations of the older methods depend mostly on calculated estimates of probabilities and of financial loss during a security breach. The purpose of this paper is to propose alternative ways to conduct risk analysis for small companies. Risk analysis, as defined in this paper, is an analysis that identifies a comprehensive set of risks by concentrating equally on information and technology while not neglecting the people and process areas. The method uses the essential business processes as the focus that determines what is relevant to the analysis. Crucial elements of this practice are business-driven studies to identify relevant IT assets, and the use of risk scenarios to capture procedure details and security. The involvement of people and the tools selected for the analysis are expected to result in a set of risks that is identified more comprehensively, and in a high increase in security awareness across the whole organization.