Fuzzy-Based Quantitative Security Risk Assessment Under Uncertainty for Critical Sectors

Abstract

The recent digital transformation has significantly impacted the telecommunication and electronics sectors, as well as Information Technology (IT) and Operational Technology (OT), across various stages including design, deployment, and operation. These advancements have been utilized across a wide range of Internet of Things (IoT)-based critical sectors such as healthcare, transportation, automotive, smart grids, and aerospace. A primary requirement for the effective operation of these critical applications is the identification of potential security risks and the systematic application of methods to mitigate these risks. In this paper, we propose a fuzzy-based risk assessment method that utilizes two key metrics, security requirements and vulnerability, to evaluate the risk level of complex systems. The proposed methodology is quantitative and well-suited to address the uncertainties and complexities inherent in the risk assessment process. We applied this method to Representational State Transfer Application Programming Interface (REST API) data to evaluate the framework. To manage the identified risks effectively, we also conducted a sensitivity analysis on security requirements to pinpoint the most critical ones. This analysis revealed that authentication and input sanitization are among the most sensitive security requirements, indicating that marginal deviations or latent vulnerabilities in these areas could significantly affect the overall security posture. The proposed risk assessment method offers substantial benefits for the identification and prioritization of security risks, thereby enabling organizations to allocate resources more effectively and enhance their overall security posture.
