The invention discloses an asset dependence relation-based information security risk evaluation method and system. The method comprises the following steps of acquiring an asset range in a to-be-evaluated information system, and dividing the asset into blocks; identifying threats, vulnerability and asset significance of the to-be-evaluated information system, and acquiring significance value of the asset, threat value of the threat, and a vulnerability value of the vulnerability; calculating to build a security dependence relation matrix of assets by using a dependence structure matrix, determining a risk conduction coefficient of the assets by using a Delphi method and building a risk conduction relation; and calculating interior risk value and an exterior risk value of each block and overall risk value of the to-be-evaluated information system according to the risk conduction relation and asset significance, threat value and vulnerability value. The method can acquire a weak link ofthe system more accurately, and acquire more reliable information security risk evaluation results.