Fog computing is an emerging paradigm in the IoT space, consisting of a middle computation layer, sitting between IoT devices and Cloud servers. Fog computing provides additional computing, storage and networking resources in close proximity to where data is being generated and/or consumed. As the Fog layer has direct access to data streams generated by IoT devices and responses/commands sent from the Cloud, it is in a critical position in terms of security of the entire IoT system. Currently, there is no specific tool or methodology for analysing the security of Fog computing systems in a comprehensive way. Generic security evaluation procedures applicable to most information technology products are time consuming, costly and badly suited to the Fog context. In this article, we introduce a methodology for evaluating the security of Fog computing systems in a systematic way. We also apply our methodology to a generic Fog computing system, showcasing how it can be purposefully used by security analysts and system designers.