Risk management has become an important issue in the information security area. This study proposes a Semi-Markov chain model to manage the information security risk. When the state information is not recognized as a normal state, the model can send a warning signal to the manager. A simulated model was used to validate the semi-Markov chain model.