A model for information system security risk evaluation based on artificial immune principles is proposed. The model simulates the recognition of harmful antigens by immunocytes. Immature, mature and memory detectors are defined, and the evolution process of the detectors is derived mathematically. A mathematical model of how the detectors recognize threats is constructed. The intensity of a threat and the vulnerability in the information system are recognized. A quantitative equation for computing security risk is then deduced from the threats and vulnerabilities. The theoretical analysis shows that the proposed model provides a new approach to real-time, quantitative evaluation of information system security risk.