Because uncertain information is difficult to quantify in the security risk analysis of information systems, this paper proposes an information system security risk analysis method based on information entropy. The method uses information entropy to measure the risk of an information system: it introduces information entropy theory and, by combining qualitative analysis with quantitative calculation, obtains a risk value for each risk factor, so that the risk factors of concern in the system can be evaluated and appropriate control measures taken. The paper constructs an information system security risk analysis model and, through a case analysis, verifies that the proposed method can be applied effectively to information system security risk analysis.