Information security evaluation has become an important part of information management. The evaluation method used affects the veracity and objectivity of the results, and also affects an enterprise's overall capacity for information management. Based on variable fuzzy set theory, a novel risk evaluation model is proposed. The model determines, scientifically and reasonably, the membership degrees and the relative difference function of information security indexes over level intervals. By varying its parameters and evaluation indexes, the model can adapt to different real-world situations. As an example, the proposed model is applied to a concrete sample to illustrate the evaluation process. The case studies show that the evaluation results are practical and that the model is scientific and effective, providing dependable evidence for information management.