Abstract: Information security risk assessment is an important foundation for the security protection of information systems, but the assessment results produced by existing risk assessment criteria and by related research models and calculation methods cannot effectively reflect the different security needs and risks of the confidentiality, integrity and availability of information system assets. In this paper, we first used the analytic hierarchy process (AHP) to establish a hierarchical risk assessment model, then improved the quantitative methods for the vulnerability factor based on the Common Vulnerability Scoring System (CVSS) evaluation index system, and finally used the model's deviator judgment matrix to compute “security incident loss”, “security event possibility” and “value-at-risk”. Experimental results show that the proposed method reflects the different risks of the confidentiality, integrity and availability of assets more intuitively than conventional methods, and that it can provide more accurate and reasonable recommendations for the development of risk control measures.