Fault injection attacks have become a serious threat against cryptographic ICs. However, the traditional security evaluation often demands experienced engineers repeatedly scan the IC under test for a few hours to a few days, and take the workload statistics and experiences as qualitative indexes. This paper proposes a quantitative model to evaluate security based Design for Security Test (DFST), considering both the sensitive time during the algorithm operation and the sensitive area of the cryptographic IC against fault injection attacks. The case study on two RSA implementations demonstrates the feasibility of the quantitative evaluation of security model.