In this paper, we propose a novel Cyber security assessment methodology is presented and analyzed based on the decomposition and composition mechanism. To evaluate the security of a Cyber system, we first decompose the entire system into a set of security primitives/functionalites (a decomposition procedure); and then evaluate individual implementation in the environment-based security framework (a security assessment procedure). Finally, a composition theorem is formalized and proved in the universally composable framework that supports the composition of security modules (individual functionalities composition procedure). The presented SA-framework has the following salient features: 1) it introduces the concept of the virtual ideal security (over its operation environment) serving as the benchmark, which can flexibly define sets of security attributes over various operation environments. 2) supported by the composition theory, it will result in a comprehensive multidimensional security metrics over the scope of the concerning security aspects; 3) while reducing the complexity of the security assessment for information system significantly, it captures the dynamic nature of the adversary strategies over the particular operation environment; 4) with its computational efficiency of being programmable in polynomial time toward a security attribute, it promises a foundation for the development of the future effective SA automation tools.