To deal with the uncertainty of experts' evaluation results on information security risk assessment, this paper proposes a novel evaluation method based on D-S evidence theory and improved TOPSIS.