Degree thesis

Quantitative Assessment of Intrusion Alerts Integrating Environmental Risk (original title in Chinese)

Intrusion Alert Ranking Based on Environmental Risk Analysis

Advisor: 田筱榮

Abstract (translated from Chinese)


An intrusion alert raised by an intrusion detection system indicates that some intrusive activity has occurred or is in progress. For the administrator of a complex environment, a flood of alerts means spending considerable time and effort to locate the high-threat alerts that need attention first, and the window for timely handling is lost in the process. To judge how much of a threat each intrusion poses to a given environment, the relevant environmental information must be consulted so that alerts can be graded by the risk their underlying attacks pose to that environment, which in turn helps the administrator choose an appropriate response. Because different network environments have different characteristics, an alert that is high-threat in one environment may represent a very different level of threat when it occurs in another. To grade alerts in an environment sensibly, we propose a method that ranks alerts by integrating environmental information. Through a careful analysis of the information that alerts from a network-based intrusion detection system can carry, we identified several factors that a ranking must take into account, and we apply the OCTAVE risk analysis method, whose output is a qualitative description of the environment's assets, the threats it faces, and the damage they could cause. We then design a ranking scheme based on fuzzy logic that converts these qualitative descriptions into numerical values. As a result, when an intrusion alert is raised it can be assessed quantitatively and its risk index computed. The method is implemented as an add-on module for Snort and ranks alerts in real time.

Abstract (English)


Intrusion alerts produced by intrusion detection systems signal intrusions that have occurred or are in progress. When the number of alerts is huge, a manager watching over a complicated environment may have to spend a lot of time and effort before the high-priority, urgent alerts are finally identified. To provide a timely response to security events, an automatic intrusion alert ranking utility based on environmental information is important; it helps the manager take applicable action in time. Since different network sites have different characteristics, an alert of high concern in one environment may be irrelevant if it occurs in another. To rank alerts properly, we propose an alert ranking method based on environmental risk analysis. Through a detailed study of the information carried by alerts generated by an NIDS, we identified several essential elements a ranking method should consider. By applying the OCTAVE risk analysis process we obtain qualitative descriptions of the assets, threats, and possible damage an arbitrary environment may face. We then devise a scheme based on fuzzy logic to transform these qualitative descriptions into quantitative indices, so that an alert can be evaluated quantitatively as soon as it is generated. The method has been implemented as an add-on module for Snort to perform on-line alert ranking.
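The abstract describes the pipeline but not its details. The following Python sketch is an added illustration, not code from the thesis or from its Snort module: it parses Snort "fast"-format alert lines, looks up the destination host in a constructed asset inventory carrying OCTAVE-style qualitative value labels, and runs a small Mandani-style fuzzy inference (triangular membership functions, min for AND, additive rule aggregation, centroid-of-singletons defuzzification) to produce a 0..100 risk index. The inventory, the value labels, the rule matrix, the membership functions, the relevance gate and the sample alert lines are all assumptions made here; the SIDs sit in Snort's local (1000000+) range so they do not collide with real rules.

```python
"""Fuzzy-logic ranking of Snort fast-format alerts against environmental risk data (illustrative)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: str            # OCTAVE-style qualitative label: "low" | "medium" | "high"
    services: frozenset   # ports actually listening on the host

# Constructed inventory; in practice this comes out of the asset/threat workshop.
ASSETS = {
    "10.0.0.10": Asset("db-01", "high", frozenset({1433})),
    "10.0.0.20": Asset("kiosk-01", "low", frozenset({80})),
}

LABEL_TO_CRISP = {"low": 0.1, "medium": 0.5, "high": 0.9}        # qualitative label -> [0, 1]
RISK_CENTROID = {"low": 10.0, "medium": 50.0, "high": 90.0}      # output singletons on 0..100


def tri(x, a, b, c):
    """Triangular membership function with support [a, c] and peak at b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

MEMBER = {  # three-term fuzzy partition of the unit interval (assumed shapes)
    "low":    lambda x: tri(x, -0.5, 0.0, 0.5),
    "medium": lambda x: tri(x, 0.0, 0.5, 1.0),
    "high":   lambda x: tri(x, 0.5, 1.0, 1.5),
}

# Rule matrix (severity term, asset-value term) -> risk term. These rules only fire
# to the extent the alert is relevant to the target, i.e. the attacked service exists.
RULES = {
    ("high", "high"): "high",   ("high", "medium"): "high",     ("high", "low"): "medium",
    ("medium", "high"): "high", ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium",  ("low", "medium"): "low",       ("low", "low"): "low",
}

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Parse one Snort 'fast' alert line into a dict, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def crisp_inputs(alert):
    """Map an alert plus the inventory to crisp (severity, asset value, relevance) in [0, 1]."""
    prio = min(max(alert["prio"], 1), 4)            # Snort priority: 1 = highest .. 4 = lowest
    severity = (4 - prio) / 3.0
    asset = ASSETS.get(alert["dst"])
    if asset is None:                                # unknown host: middling value,
        return severity, 0.5, 0.75                   # relevance uncertain but leaning high
    relevance = 1.0 if alert["dport"] in asset.services else 0.0
    return severity, LABEL_TO_CRISP[asset.value], relevance


def risk_index(alert):
    """Mamdani-style inference: min for AND, additive aggregation, centroid of singletons."""
    s, a, r = crisp_inputs(alert)
    weights = {"low": 0.0, "medium": 0.0, "high": 0.0}
    weights["low"] += MEMBER["low"](r)               # irrelevant alert -> low risk, whatever its severity
    weights["medium"] += MEMBER["medium"](r)         # uncertain relevance -> a medium-risk vote
    for (s_term, a_term), out in RULES.items():
        weights[out] += min(MEMBER[s_term](s), MEMBER[a_term](a), MEMBER["high"](r))
    total = sum(weights.values())
    if total == 0.0:
        return 0.0
    return sum(w * RISK_CENTROID[t] for t, w in weights.items()) / total


def rank_alerts(lines):
    """Return parsed alerts annotated with their risk index, highest risk first."""
    scored = []
    for line in lines:
        alert = parse_alert(line)
        if alert:
            alert["risk"] = risk_index(alert)
            scored.append(alert)
    return sorted(scored, key=lambda x: x["risk"], reverse=True)


# Constructed Snort fast-format lines: the same overflow signature against three targets,
# plus a lower-priority probe against the database host.
SAMPLE_ALERTS = [
    "06/01-10:00:01.000000  [**] [1:1000001:1] LOCAL MSSQL stack overflow attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51234 -> 10.0.0.10:1433",
    "06/01-10:00:02.000000  [**] [1:1000001:1] LOCAL MSSQL stack overflow attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51235 -> 10.0.0.99:1433",
    "06/01-10:00:03.000000  [**] [1:1000001:1] LOCAL MSSQL stack overflow attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51236 -> 10.0.0.20:1433",
    "06/01-10:00:04.000000  [**] [1:1000002:1] LOCAL database version probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.7:51237 -> 10.0.0.10:1433",
]

if __name__ == "__main__":
    for a in rank_alerts(SAMPLE_ALERTS):
        print(f"{a['risk']:5.1f}  sid={a['sid']} prio={a['prio']} {a['src']} -> {a['dst']}:{a['dport']}")
```

The ordering that comes out shows the environmental point made in the abstract: the same priority-1 signature scores 90 against the high-value database that actually runs the service, 70 against a host missing from the inventory, and 10 against a low-value kiosk with no such service, while a priority-3 probe against the database still lands at about 63, above the out-of-context high-severity alert. Only the inventory and the rule matrix change between sites; the inference code does not.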


Cited by


王盛裕 (2006). Risk assessment integrating environmental information and intrusion alerts [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu200600343
張立長 (2009). A user risk model for an adaptive network intrusion response system based on environmental risk analysis [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/CYCU.2009.00909
李裕祥 (2009). Response strategies for an adaptive network intrusion response architecture based on environmental risk analysis [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/CYCU.2009.00906
