In an electronic business environment, it is critical for an enterprise to assess information systems security (ISS) risks. In this paper, we propose a hybrid approach for ISS risk assessment. Because ISS risk assessment involves a great deal of uncertainty, the hybrid approach combines evidence theory with fuzzy sets to handle the uncertain evidence encountered in the assessment. The proposed approach provides a new way to define the basic belief assignment as a fuzzy measure. Moreover, it provides a method of testing evidential consistency, which reduces the uncertainty that arises from conflicts between pieces of evidence. Finally, the approach is demonstrated and validated through a case study, in which its effectiveness is evaluated by comparing it with other methods.
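As an added illustration, not code from the paper, the following Python shows the standard Dempster-Shafer machinery the abstract builds on: a basic belief assignment (BBA) over risk levels derived from fuzzy memberships of a crisp risk score, and Dempster's rule of combination with the conflict coefficient K used as a consistency check before evidence is merged. The triangular membership functions, the ignorance parameter and the conflict threshold are assumptions; the paper's own fuzzy BBA definition and consistency test are not reproduced here.

```python
from itertools import product

# Frame of discernment: three risk levels for an information asset.
THETA = frozenset({"low", "medium", "high"})


def fuzzy_bba(score, ignorance):
    """Turn a crisp risk score in [0, 10] into a BBA over THETA.

    Triangular membership functions (an assumption, not the paper's
    definition) give each level a degree in [0, 1]; they partition the
    scale, so they sum to 1. The assessor's stated ignorance is kept as
    mass on THETA, the usual way to express "I am not sure".
    """
    if not 0 <= score <= 10 or not 0 <= ignorance < 1:
        raise ValueError("score must be in [0, 10], ignorance in [0, 1)")
    mu = {
        "low": max(0.0, 1 - score / 5),
        "medium": max(0.0, 1 - abs(score - 5) / 5),
        "high": max(0.0, (score - 5) / 5),
    }
    bba = {frozenset({lvl}): m * (1 - ignorance) for lvl, m in mu.items() if m > 0}
    if ignorance > 0:
        bba[THETA] = ignorance
    return bba


def conflict(m1, m2):
    """Dempster's conflict coefficient K: total mass on disjoint focal elements."""
    return sum(a * b for (x, a), (y, b) in product(m1.items(), m2.items()) if not (x & y))


def combine(m1, m2, max_conflict=0.9):
    """Dempster's rule of combination, refusing to merge inconsistent evidence.

    Returns (combined BBA, K). The threshold is an assumed consistency test:
    when K is close to 1 the normalisation by 1 - K amplifies whatever little
    agreement is left, so highly conflicting sources are rejected instead.
    """
    k = conflict(m1, m2)
    if k >= max_conflict:
        raise ValueError(f"evidence too conflicting to combine: K={k:.3f}")
    joint = {}
    for (x, a), (y, b) in product(m1.items(), m2.items()):
        inter = x & y
        if inter:  # non-empty intersections keep their product mass
            joint[inter] = joint.get(inter, 0.0) + a * b
    return {s: v / (1 - k) for s, v in joint.items()}, k


if __name__ == "__main__":
    # Constructed sample: two assessors rate the same asset with different confidence.
    merged, k = combine(fuzzy_bba(7, 0.2), fuzzy_bba(9, 0.1))
    print(f"K={k:.4f}", {tuple(sorted(s)): round(v, 4) for s, v in merged.items()})
```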