Nowadays, security analysis of complex systems has become a major concern. Many works have been achieved to reduce vulnerabilities in such systems. However, existing methods used to perform security assessment as a holistic approach are still poorly instrumented and limited in scope. In this work, we propose methodology and associated framework for security analysis. The methodology relies upon model-driven engineering approach and combines two types of methods: a qualitative method named EBIOS that is usually simple and helps to identify critical parts of the system; then a quantitative method, the Attack Trees method, that is more complex but gives more accurate results. We present the automatic generation of Attack trees from EBIOS analysis phase. We show on a SCADA system case study how our process can be applied.