Turkish Journal of Electrical Engineering and Computer Sciences
Author ORCID Identifier
ZIBO WANG: 0000-0002-0490-0925
YAOFANG ZHANG: 0000-0001-6614-921X
SICAI LV: 0009-0003-2561-4228
YINGZHOU WANG: 0000-0002-6106-4804
HONGRI LIU: 0000-0003-4780-6426
BAILING WANG: 0000-0003-2973-8036
Abstract
Exploitation is one of the most significant ways to launch attacks using vulnerabilities. The increasing number of vulnerabilities and the limited allocation of security resources make it impossible to eliminate all exploitations. Because not every vulnerability can be fixed, it is necessary to rank exploitations and subsequently assess the residual risk, which is defined as the remaining threat potential after each elimination. In this paper, a structured and flexible decision support framework based on a hybrid multicriteria decision-making model is proposed for prioritizing exploitations and assessing residual risk. Metrics are treated as criteria in the model. The hybrid model is developed to determine criteria weights and rank exploitations by combining the best-worst method and the multiattribute border approximation area comparison. In addition, the ranking results are incorporated into conventional dependency analysis based on an attack graph to capture the residual risk after exploitation elimination. The proposed model is designed for systems where security resources are limited. In such environments, prioritizing exploitations and managing residual risk are necessary to support effective threat mitigation strategies. Finally, a case study involving an industrial control system is presented to evaluate the applicability of the proposed model.
DOI
10.55730/1300-0632.4160
Keywords
Exploitation prioritization, residual risk assessment, hybrid multicriteria decision-making model, exploitation elimination, risk-relevant metrics
First Page
1
Last Page
30
Publisher
The Scientific and Technological Research Council of Türkiye (TÜBİTAK)
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.
Recommended Citation
WANG, Z, ZHANG, Y, LV, S, WANG, Y, LIU, H, & WANG, B (2026). Exploitation prioritization and residual risk assessment based on hybrid MCDM model. Turkish Journal of Electrical Engineering and Computer Sciences 34 (1): 1-30. https://doi.org/10.55730/1300-0632.4160
Included in
Computer Engineering Commons, Computer Sciences Commons, Electrical and Computer Engineering Commons