The attack-defense graph is a model-based network vulnerability analysis technique. Based on the situation of electric power information network, a hierarchical network security risk assessment framework is proposed using bottom-up analysis method. The framework divided the network security risks into two parts: vulnerability security risks and attack security risks, then assessed network security risk layer by layer in accordance with the network’s hierarchy. Firstly, using vulnerability scanning tool to detect the vulnerability information in the network nodes, as well as associating the vulnerability information which attacks relying on with vulnerability information of the node itself to build the state attack-defense graph, further calculating the vulnerability reliability vector and attack reliability vector of the node. Combined with each vulnerability’s hazard index and the attack hazard index, we calculate the vulnerability security risk and the attack security risk of the node, then assess the security risk value of a single node; Secondly, we quantify the security risk from the single node to the whole network combined with the weight of each node in the network itself. In order to exclude the own uncertainties of vulnerability scanning tools and the unity of the data source, this assessment method fuses several test results of scan tool, and constitutes the data source when calculating the vulnerability reliability. Eventually, based on the Dempster-shafer theory and the European Space Vector Projection, an attack-defense graph algorithm is proposed, which makes the evaluation results more objective and credible.