Threats can trigger incidents in information systems (IS) causing damage or intangible material loss to assets. A good selection of safeguards is critical for reducing risks caused by threats. This paper deals with the selection of failure transmission, preventive and palliative safeguards that minimize the maximum risk of an IS for a specified budget. We assume that all the elements in the IS are valuated using a linguistic scale, which is capable of accounting for imprecision and/or vagueness concerning the inputs. Trapezoidal fuzzy numbers are associated with these linguistic terms, and risk analysis and management is consequently based on trapezoidal fuzzy number arithmetic. We model and solve the respective fuzzy optimization problem by means of the simulated annealing metaheuristic and give an example to illustrate the safeguard selection process.