The aim of this paper is to present a theoretically sound approach to evaluating the impact of an attack on a computer system. Note, however, that this approach is general enough to be applied to any critical infrastructure. More specifically, we propose to use fuzzy measures and integrals in a decision-theoretic setting to measure the consequences of an attack on a computer network. Any computer system has vulnerabilities that can be exploited. If someone exploits these vulnerabilities, valuable information may be lost, stolen, corrupted, or misused. This is particularly important for systems that are part of critical infrastructures. Therefore, it is crucial to be able to quantify the impact that an attack may have on a computer system in terms of confidentiality, availability and integrity (CIA). Once the impact quantification is available, it is possible to design sound strategies to protect systems. A very natural approach to weighing the consequences of an attack is to use multi-criteria decision-making (MCDM) techniques