Abstract: Current methods of information security risk evaluation are mostly qualitative or semi-quantitative. This paper therefore proposes a quantitative model of information security risk assessment based on a method of probabilistic risk analysis. The model is built by using fault trees to analyze the fundamental reasons why network systems are attacked, by studying the essence of network composition and the different types of system vulnerabilities, and by classifying the consequences of network attacks.