To assess the security risk of network information systems, this paper proposes a risk propagation model including a risk network and a risk propagation algorithm. A representative example is given to illustrate the application of this model to network risk assessment and validate the correctness of the propagation algorithm. The analysis of the example indicates that the evaluating method using the risk propagation model is superior to the traditional methods in the accuracy of evaluating conclusions and making cost-effective security advices.