The purpose of this paper is to implement information security risk management (ISRM) in research information systems (RIS). Further aims are the appropriate identification and assessment of risks to an RIS in different aspects, such as software, communications, and human resources, together with efficient and effective preventive and corrective actions, and the continual improvement of risk response processes in an information technology environment. In this study, potential information security risks are identified using failure mode and effects analysis (FMEA). The detected failure modes are then evaluated with a multi-criteria decision-making (MCDM) method that combines fuzzy logic, the analytic hierarchy process (AHP), Shannon entropy weighting, and the technique for order preference by similarity to the ideal solution (TOPSIS). The results show that assessing potential information security software risks with the proposed model is more accurate and reliable than with non-fuzzy models. Unauthorized access to view or change the information stored on the server is the highest-priority risk identified by the MCDM approach. Confidentiality of information is more important than the other information security criteria, and failure modes in the main server and internet categories have higher priority than the others.
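The abstract names the scoring pipeline but not its mechanics, so the following is an added illustrative example, not the paper's code or data: it ranks a handful of constructed FMEA failure modes for an RIS with Shannon entropy weights followed by TOPSIS. The failure modes, the three criteria (confidentiality, integrity, availability impact), and their 1-10 scores are all assumptions chosen to mirror the abstract's categories; the fuzzy AHP part of the hybrid model is deliberately left out.

```python
"""
Entropy-weighted TOPSIS ranking of FMEA failure modes.

Added illustrative example (not the paper's model or data). Assumptions:
four constructed failure modes scored 1-10 on three benefit-type criteria,
where a higher score means greater security impact. Fuzzy AHP is not
reproduced here; only the entropy weighting and TOPSIS steps are shown.
"""
import math

CRITERIA = ["confidentiality", "integrity", "availability"]

# Constructed failure modes for a research information system (RIS).
# Scores are illustrative impact ratings, not measurements from the paper.
FAILURE_MODES = {
    "unauthorized access to stored server data": [9, 8, 4],
    "internet link outage": [2, 3, 9],
    "unpatched RIS web application": [6, 6, 5],
    "staff sharing credentials": [7, 5, 3],
}


def entropy_weights(matrix):
    """Shannon entropy objective weights: a criterion whose scores are more
    spread out across the failure modes carries more discriminating power
    and therefore receives a larger weight."""
    m = len(matrix)
    if m < 2:
        raise ValueError("need at least two failure modes to weight criteria")
    n = len(matrix[0])
    k = 1.0 / math.log(m)
    divergence = []
    for j in range(n):
        col = [row[j] for row in matrix]
        total = sum(col)
        p = [x / total for x in col]
        e = -k * sum(pi * math.log(pi) for pi in p if pi > 0)
        divergence.append(1.0 - e)
    s = sum(divergence)
    return [d / s for d in divergence]


def topsis(matrix, weights):
    """Relative closeness of each failure mode to the ideal (worst-case) risk;
    all criteria are treated as benefit-type, so the ideal is the column max."""
    m = len(matrix)
    n = len(matrix[0])
    norms = [math.sqrt(sum(row[j] ** 2 for row in matrix)) for j in range(n)]
    v = [[weights[j] * row[j] / norms[j] for j in range(n)] for row in matrix]
    best = [max(v[i][j] for i in range(m)) for j in range(n)]
    worst = [min(v[i][j] for i in range(m)) for j in range(n)]
    closeness = []
    for row in v:
        d_best = math.sqrt(sum((row[j] - best[j]) ** 2 for j in range(n)))
        d_worst = math.sqrt(sum((row[j] - worst[j]) ** 2 for j in range(n)))
        # Identical alternatives would give 0/0; treat them as mid-ranked.
        denom = d_best + d_worst
        closeness.append(d_worst / denom if denom > 0 else 0.5)
    return closeness


def rank_failure_modes(failure_modes=FAILURE_MODES):
    """Return (criteria weights, list of (name, closeness) sorted high to low)."""
    names = list(failure_modes)
    matrix = [failure_modes[name] for name in names]
    w = entropy_weights(matrix)
    c = topsis(matrix, w)
    ranked = sorted(zip(names, c), key=lambda t: t[1], reverse=True)
    return w, ranked


if __name__ == "__main__":
    w, ranked = rank_failure_modes()
    for crit, wt in zip(CRITERIA, w):
        print(f"{crit:15s} weight = {wt:.3f}")
    for i, (name, c) in enumerate(ranked, 1):
        print(f"{i}. {name}: closeness = {c:.3f}")
```

With these constructed scores the entropy step gives confidentiality the largest weight, and the server-access failure mode ranks first, which is the shape of result the abstract reports; the point of the example is that the priority order is driven by both the raw ratings and the objective weights, so a reviewer of an FMEA table should check the weight vector as well as the final ranking.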