The article addresses the assessment of information security risks in information systems using the methods of fuzzy set theory. The relevance of the problem follows from the complexity of applying a number of existing methods, the possible inaccuracy of quantitative estimates of risk factors, and the possible incompleteness, uncertainty and poor quality of the initial information. The paper formalizes the subject area "Information Security Risk" as a conceptual model expressed as an ER diagram, and defines the semantics of its concepts within the theory of categories and factors. The developed methods for assessing information security risks and for evaluating the effectiveness of countermeasures are applicable under these conditions. The technique was tested experimentally on a specific protected asset; the set of countermeasures recommended for implementation showed high effectiveness in terms of absolute risk reduction. The paper gives recommendations on the choice of membership function shapes for the fuzzy scales used in risk assessment and on the choice of fuzzy operations used in the calculations. The developed methodology is of practical value for building information protection systems that are effective in terms of expected damage.
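The abstract does not give the paper's formulas, so the following Python example is an added illustration of the kind of calculation it describes, not the authors' method or code. It assumes a three-term linguistic scale (low, medium, high) with triangular membership functions on a normalized [0, 1] universe, computes fuzzy risk as likelihood × impact through Zadeh's extension principle under either a min or a product t-norm (the choice of fuzzy operation the abstract mentions), defuzzifies by centroid, and expresses a countermeasure's effectiveness as the absolute reduction in the defuzzified risk. The scale, the t-norms, the scenario and all function names are assumptions of the example.

```python
"""Fuzzy risk assessment sketch (added example; assumed scale, operations and scenario)."""
from typing import Callable, Dict, List

MembershipFn = Callable[[float], float]

STEP = 0.01
# Discretized normalized universe [0, 1] on which all fuzzy sets are evaluated.
UNIVERSE: List[float] = [round(i * STEP, 2) for i in range(101)]


def triangular(a: float, b: float, c: float) -> MembershipFn:
    """Triangular membership function with support [a, c] and core at b.
    a == b or b == c yields a left/right shoulder instead of a sharp peak."""
    def mu(x: float) -> float:
        if x < a or x > c:
            return 0.0
        if x <= b:
            return 1.0 if b == a else (x - a) / (b - a)
        return 1.0 if c == b else (c - x) / (c - b)
    return mu


# Assumed three-term linguistic scale, shared by likelihood and impact.
SCALE: Dict[str, MembershipFn] = {
    "low": triangular(0.0, 0.0, 0.5),
    "medium": triangular(0.0, 0.5, 1.0),
    "high": triangular(0.5, 1.0, 1.0),
}

# Two candidate t-norms for the fuzzy conjunction of likelihood and impact.
T_NORMS: Dict[str, Callable[[float, float], float]] = {
    "min": min,
    "product": lambda u, v: u * v,
}


def fuzzy_risk(likelihood: MembershipFn, impact: MembershipFn,
               tnorm: str = "min") -> List[float]:
    """Fuzzy risk R = L x I via the extension principle, discretized on UNIVERSE:
    mu_R(z) = sup over x*y = z of T(mu_L(x), mu_I(y)). Returns mu_R per grid point."""
    t = T_NORMS[tnorm]
    risk = [0.0] * len(UNIVERSE)
    for x in UNIVERSE:
        mx = likelihood(x)
        if mx == 0.0:
            continue
        for y in UNIVERSE:
            my = impact(y)
            if my == 0.0:
                continue
            k = int(round(x * y / STEP))   # grid bin of the product z = x*y
            risk[k] = max(risk[k], t(mx, my))
    return risk


def centroid(fuzzy_set: List[float]) -> float:
    """Centre-of-gravity defuzzification over UNIVERSE; 0.0 for an empty set."""
    area = sum(fuzzy_set)
    if area == 0.0:
        return 0.0
    return sum(z * m for z, m in zip(UNIVERSE, fuzzy_set)) / area


def risk_score(likelihood: str, impact: str, tnorm: str = "min") -> float:
    """Crisp risk in [0, 1] for linguistic likelihood and impact terms."""
    return centroid(fuzzy_risk(SCALE[likelihood], SCALE[impact], tnorm))


def absolute_risk_reduction(before, after, tnorm: str = "min") -> float:
    """Countermeasure effectiveness as absolute reduction of crisp risk.
    before/after are (likelihood_term, impact_term) pairs."""
    return risk_score(*before, tnorm) - risk_score(*after, tnorm)


if __name__ == "__main__":
    # Constructed scenario: the countermeasure lowers likelihood from high to
    # low while impact stays high. Both t-norms are shown for comparison.
    for name in T_NORMS:
        r0 = risk_score("high", "high", name)
        r1 = risk_score("low", "high", name)
        print(f"{name:8s} before={r0:.3f} after={r1:.3f} reduction={r0 - r1:.3f}")
```

The choice of t-norm changes the crisp result noticeably (the product t-norm concentrates membership near the core, so it defuzzifies to a higher value for the high/high case than min does), which is why the shape of the membership functions and the fuzzy operations have to be fixed and justified before risk figures are compared across assets.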