The invention discloses an industrial control system information security attack risk assessment method and system. The method comprises the steps that control object state data including the liquid level of a water tank, the opening degree of an overflow valve, the opening degree of a communication valve and the speed of a water suction pump are acquired, wherein the control object state data include the proportion parameter, the integral parameter, the differential parameter and the control algorithm parameter of a proportional electromagnetic valve, and the control algorithm parameter includes the data that a main controller cannot acquire the data of a liquid level sensor, the data that the main controller modifies the control parameter to enable the liquid level to be abnormal and theattack type data of the data that the liquid level cannot be normally displayed, wherein the attack type data include the control environment state data of time, date, temperature, humidity and atmospheric pressure; whether a risk signal is generated is judged; and if the judgment result is yes, the risk value of the corresponding type is calculated according to each type of data, the informationsecurity attack risk value is calculated and the risk level is determined. Complete and effective risk assessment can be realized so that the accuracy of risk assessment can be enhanced.