With the diversification of the risk and security requirement, the traditional modes which corresponding with security policies by text or database are hardly faced the requirement of the users. In this paper, through describing the risk with XML, its harmfulness with the qualitative and quantitative method was analysed and our analysis tool was realized. Using the tool, the security policies was selected flexibly and also the composite policies were selected flexibly corresponding with the composite risks.