Sensor networks are deployed in a variety of environments for unattended operation. In a hostile terrain, sensor nodes are vulnerable to node capture and cryptographic material compromise. Compromised nodes can be used to launch wormhole and sinkhole attacks in order to prevent sensitive data from reaching intended destinations. Our objective in this paper is to mitigate the impact of undetected compromised nodes on routing. To this end, we develop metrics to quantify risk of paths in a network. We then introduce a novel routing approach: Secure-Path Routing (SPR) that uses expected path risk as a parameter in routing. Quantified path risk values are used in routing to reduce traffic flow over nodes that have high expected vulnerability. Selecting low risk routes may lead to the choice of energy-expensive routes. Thus, we develop algorithms for balancing risk with other path selection parameters, including energy consumption. We conduct simulation experiments to evaluate the effectiveness of our approach and study the tradeoff between security and energy. Simulation shows that SPR can be quite effective at increasing traffic flow over legitimate routes and that the impact of SPR on network lifetime is negligible.