Asian Journal of Information Technology

Year: 2016
Volume: 15
Issue: 11
Page No. 1758 - 1775

Software Security Risk Assessment of Data Communication Network Through Attack Decomposition Using Fuzzy Rough Sets

Authors : D. Kavitha, S. Chandrasekaran and M. Vigilson Prem

Abstract: The objective of the work is to propose a software risk analysis model, using a fuzzy rough set based approach, for a communication infrastructure exposed to various types of attacks on network and information security processes. The information and network security mechanisms are applied as individual services, and these services are provided by various vendors based on the data transactions across multiple physical and virtual computing networks. A systematic and scientific approach using mathematical modelling of the events and activities is needed in order to protect the application, service and data in the security domain. In the case of health care, banking transactions and vehicular tracing applications with numbers of devices and computing nodes, a risk analysis is needed before attempting to plan and implement any security decision-making solutions. The respective rules and regulations of each subsystem and the depth of each and every problem component are to be considered to model a security plan and operations running with many uncertain events in a communication infrastructure. The compatibility of all the complex events and the compliance of individual requirements are to be considered quantitatively. The earlier STRIDE and OCTAVE security risk models focus on security goals and activities in the organization rather than on the various root causes of those risks. In business and statistical computing, the different forms of noncompliance, causality and composability of multiple software components are to be considered in determining the process risks but also lead to complexity and controllability of the vulnerable features to minimize the risks due to people during the evolution of any product.
In the context of software security, the risk analysis has been carried out in the design stages, focusing on the network, hardware, software and hacker-related features, to accept and then assess the risk as per the proposed risk acceptance and risk assessment functions respectively. The proposed SIX CAUSE model explores the various causes of the risks due to the vulnerability of any web or cloud application or service, with all its compliances, before it is put into operational modes. The risk pyramid and the minimum rules that are needed to analyse the various types of risks, with the help of a decomposition tree and the sub-components in the security area, are studied to determine the application or system software security risk as a Risk Assessment Document (RAD) using fuzzy rough set theory.

How to cite this article:

D. Kavitha, S. Chandrasekaran and M. Vigilson Prem, 2016. Software Security Risk Assessment of Data Communication Network Through Attack Decomposition Using Fuzzy Rough Sets. Asian Journal of Information Technology, 15: 1758-1775.
