Evaluating risk effectively, selecting effective defence measures and defending information threats actively are the key points of resolving security problems of information system. Based on the actual requirements and status of risk assessment of information security, we integrated attack graph to apply it in studying risk assessment of information security. Firstly, focused on the uncertainty and complexity of risk assessment of information security, we integrated the technology of vulnerabilities associated with to apply it in studying risk assessment. On the other hand,since the attack path described by attack graph model is suited for the quantity data processing, and poor to the qualitative analysis, and risk is uncertain, we quantized the risk factors by the probability of attack path forming proposed in this dissertation, pre-treated the probability of atom attack, and proposed a risk assessment method based on attack graph model. The method takes full advantage of computing power of each host in the network,greatly shortens the attack graph generation time.