Researchers have previously looked into the problem of determining the connection between invasive events and network risk, and attack graph (AG) was proposed to seek countermeasures. However, AG has proved to have various limitations in practical applications. To overcome such defects, this study presents a risk flow attack graph (RFAG)-based risk assessment approach. In particular, this approach applies a RFAG to represent network and attack scenarios, which are then fed to a network flow model for computing risk flow. A bi-objective sorting algorithm is employed to automatically infer the priority of risk paths and assist risk assessment, and a fuzzy comprehensive evaluation is performed to determine risk severity. Via the aforementioned processes, the authors simplify AG and follow the risk path of originating, transferring, redistributing and converging to assess security risk. The authors use a synthetic network scenario to illustrate this approach and evaluate its performance through a set of simulations. Experiments show that the approach is capable of effectively identifying network security situations and assessing critical risk.