Quantitative security risk evaluation of information systems is increasingly drawing more and more attention. This paper extends the attack tree model, and proposes a new quantitative risk evaluation method .While the risk value of the leaf node (atomic attack) is quantified, the multi- attribute utility theory is adopted. All algorithms are presented for each steps of this new evaluation method. In addition, a worked example is also experimented in this paper. The experimental result shows that the novel method can not only make the evaluation result more reasonable and objective, but also offer a good foundation for the implementation of the automatic evaluation tool.