Quantitative security risk evaluation of information systems is drawing increasing attention. This paper proposes a novel method that integrates extension theory and the unascertained method to classify information systems (IS) security. The risks of an information system are established by analyzing the factors that affect those risks and applying unascertained measure theory. Using matter-element theory, the extensibility of IS security is analyzed, and the framework of matter-element models for IS security is then formed. The matter-element model of IS security risk evaluation is established using matter-element model theory based on the extension engineering method. The theoretical analysis and the design principle of the proposed method are described in detail. Some simulations are performed to demonstrate the effectiveness of the proposed extension and unascertained method. The result is believed to provide new means and ideas for the evaluation of IS security. The method is suitable for evaluating the risks of IS, and its evaluation results are reasonable. An example of practical application is given to show the effectiveness of this method. The model is more efficient than former models and can be easily realized in practice.