Risk analysis is the basis of proactive security requirements. To effectively protect security in the web environment, analyzing risks of web sites is an essential and important process for identifying known and potential vulnerabilities, threats and its impact losses. In fact, it is relatively difficult for users to collect adequate data to estimate the full vulnerabilities and probability of threats in the Internet, due to the rapid change of the emerging malicious attack and the new computers vulnerabilities. Therefore, a new fuzzy risk assessment model was developed to evaluate the risk of web security under incomplete information. The proposed method extends Pseudo-Order Preference Model (POPM) to estimate the imprecise risk based on richness of information and to determine their ranking using weighted additive rule. Finally, a case study on security analysis for the e-commerce applications is given as illustration of our approach.