Information security risk assessment is an important component of information system security engineering. A combined qualitative and quantitative evaluation method is adopted: based on the theory of fuzzy membership, every assessment indicator is quantized by integrating the qualitative rating with a quantitative value. An objective fuzzy transformation is then applied to reduce the influence of subjective judgment, so that the assessment truly reflects the state of information security, and to address two problems that are otherwise hard to handle in information security evaluation: data collection and the combination of qualitative and quantitative evaluation. As a result, the evaluation method is more scientific, comprehensive and practicable.
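As an added illustration (not code from the paper), the following Python sketch walks through the two steps the abstract describes: quantizing qualitative assessor ratings into fuzzy membership degrees, and applying a fuzzy transformation to the indicator membership matrix to obtain an overall risk grade and a crisp score. The weighted-average composition B = W ∘ R used here is an assumption about the paper's operator, and the indicator names, assessor votes, weights and grade values are constructed sample inputs.

```python
"""Fuzzy comprehensive evaluation of information-security risk indicators.
Added example, not the paper's code. All sample inputs below are constructed."""
from typing import Dict, List, Sequence, Tuple

GRADES = ("low", "medium", "high", "critical")  # qualitative risk grades
GRADE_SCORES = (1.0, 2.0, 3.0, 4.0)             # assumed crisp value per grade


def membership_from_votes(votes: Sequence[str]) -> List[float]:
    """Quantize one qualitative indicator: the share of assessors choosing
    each grade becomes its membership degree in that grade."""
    total = len(votes)
    return [sum(1 for v in votes if v == g) / total for g in GRADES]


def fuzzy_transform(weights: Sequence[float],
                    matrix: List[List[float]]) -> List[float]:
    """B = W o R with the weighted-average operator: each indicator row
    contributes in proportion to its weight, so no single assessor or
    indicator dominates. B is normalized to sum to 1."""
    cols = len(matrix[0])
    b = [sum(w * row[j] for w, row in zip(weights, matrix)) for j in range(cols)]
    s = sum(b)
    return [x / s for x in b] if s else b


def evaluate(indicators: Dict[str, Sequence[str]],
             weights: Dict[str, float]) -> Tuple[List[float], str, float]:
    """Return (membership vector B, grade by max membership, crisp score)."""
    names = list(indicators)
    w_sum = sum(weights[n] for n in names)
    w = [weights[n] / w_sum for n in names]            # normalize weights
    r = [membership_from_votes(indicators[n]) for n in names]
    b = fuzzy_transform(w, r)
    grade = GRADES[max(range(len(b)), key=b.__getitem__)]
    score = sum(m * s for m, s in zip(b, GRADE_SCORES))  # defuzzified value
    return b, grade, round(score, 3)


# Constructed sample: five assessors rate three indicators qualitatively.
SAMPLE_INDICATORS = {
    "patch_management": ["high", "high", "medium", "critical", "high"],
    "access_control":   ["low", "medium", "medium", "low", "low"],
    "log_monitoring":   ["medium", "high", "medium", "medium", "high"],
}
SAMPLE_WEIGHTS = {"patch_management": 0.5, "access_control": 0.3,
                  "log_monitoring": 0.2}

if __name__ == "__main__":
    print(evaluate(SAMPLE_INDICATORS, SAMPLE_WEIGHTS))
```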