Because of the Internet technology arise, the issues of information security become more and more important each day, bring risk assessment in practice to help enterprise examine overall information risk, and then take action to be the countermeasure, expect to reduce the residual risk in risk management. Many security risk templates adopt nonquantitative attributes to express risk, in this study using the decision-tree model to quantify risk with both quantitative (Statistical report) and qualitative (Self-Administered questionnaire) data. Although qualitative approach is easier to implement, it will difficult to trace a generalized results which is subjective and lake of actual figures. Purely quantitative data depend on statistical reports or logs, those data is limited, we employ the hybrid decision-tree model to quantify the risk of computer room security. After the empirical study and verify the residual risk with evaluators, we found those residual risk can effective help business to understand and reduce their risk.