The invention provides a security level determination method and device for a network information system. The method comprises the steps of acquiring the risk level of each risk point of the network information system; determining the vulnerability levels of M vulnerabilities of the network information system according to the risk level of each risk point; according to the M vulnerabilities and the vulnerability levels, determining R vulnerabilities existing in any network information system in the network information systems and vulnerability levels corresponding to the R vulnerabilities respectively, wherein R is an integer not larger than M; and determining the security level of the network information system according to the determined R vulnerabilities and the corresponding vulnerability levels. The method can evaluate the security level of the whole network information system based on the risk and the vulnerability.