Traditional information security risk assessment emphasizes the loss of asset, but ignores the effect of the risk on business. This paper proposes a business oriented risk assessment model BoRAM. On the basis of the business security requirements, the proposed model introduces three basic security goals (i.e. confidentiality, integrity and availability) into the process of the risk assessment, and further measures the risk according to the effect on business process. In the proposed model, the asset is not only severed as a basic evaluation element as same as the role in the traditional risk assessment models, but also is served as the support of the business. The risk of the asset, the risk of the business process, and the risk of the business are analyzed hierarchically. In order to measure these risks, all the risk elements are generalized and analyzed by attribute-oriented induction (AOI) as well as cluster algorithm. Furthermore, the Markov model is also introduced into the business to describe the transfer between business processes. Finally, the model is experimented in a typical Internet-bank business. Theoretical analysis and experimental results show that the proposed model can evaluate the business risk instead of traditional asset risk on the basis of confidentiality, integrity and availability of business, which is just the goal of the business security requirements.