ORIGINAL RESEARCH article

Front. Comput. Sci., 07 July 2025

Sec. Computer Security

Volume 7 - 2025 | https://doi.org/10.3389/fcomp.2025.1557918

Fuzzyfortify: a multi-attribute risk assessment for multi-factor authentication and cloud container orchestration


Mohammad Hafiz Hersyah1,2*, Md. Delwar Hossain3, Yuzo Taenaka1, Youki Kadobayashi1
  • 1Cyber Resilience Laboratory, Division of Information Science, Nara Institute of Science and Technology, Ikoma - Nara, Japan
  • 2Computer and Networking Laboratory, Information Technology Faculty, Andalas University, Padang, Indonesia
  • 3Department of Computer Science, Angelo State University, San Angelo, TX, United States

Securing cloud-native infrastructures that integrate Multi-Factor Authentication (MFA) via FIDO2, container orchestration with Kubernetes, and Dockerized microservices remains a complex challenge due to interdependent vulnerabilities and escalating adversarial threats. To address this, we propose a web-based cybersecurity framework that combines Fuzzy Analytical Hierarchy Process (Fuzzy AHP), Domain Mapping Matrix (DMM), and fuzzy inference to perform multi-attribute risk assessment tailored to containerized environments. The method involves aggregating expert judgments to prioritize six key CIA-AAN criteria (Confidentiality, Integrity, Availability, Authentication, Authorization, and Non-repudiation), followed by structural complexity quantification using DMM enhanced with Singular Value Decomposition. These are then fused into a Complexity Resilience Index and used in a fuzzy logic system that incorporates CVE-derived indicators such as base score, impact, and exploitability. When applied to five real-world adversarial techniques, the framework produced differentiated risk outcomes: Data Destruction and Resource Hijacking emerged as High-Level Risks with scores of 70.47 and 74.60 respectively, while Endpoint DOS, Network DOS, and Inhibit System Recovery were classified as Medium-Level Risks. These results illustrate how layered threat propagation and component interdependence increase vulnerability in FIDO2-integrated orchestration settings. Compared to conventional frameworks like EBIOS and NIST RMF, our approach offers enhanced granularity in quantifying risk and simulating threat propagation. By enabling practitioners to understand not only which adversarial activities are most damaging but also why, this framework empowers more informed and proactive cybersecurity decisions, bridging the gap between technical risk modeling and real-world defense planning.

1 Introduction

Cloud computing has transformed how services are developed, deployed, and managed. It enables automation, scalability, and continuous delivery pipelines, allowing organizations to respond quickly to business and user needs (Jun, 2017). As a result, the cloud-native market, valued at USD 794.1 million in 2021, is projected to reach USD 9,621.39 million by 2031 (Business Insight, 2023). A core enabler of this growth is the cloud-native paradigm, which emphasizes modularity and portability.

Application components are independently packaged and deployed across heterogeneous infrastructures, promoting agility and efficient resource utilization. Containerization plays a central role in supporting this modular architecture by delivering lightweight, portable services. At scale, container orchestration platforms such as Docker Swarm, Kubernetes, and Apache Mesos automate deployment, replication, failover, and system scaling (Lee et al., 2021). Security in distributed and dynamic environments depends heavily on reliable access control mechanisms. Multi-Factor Authentication (MFA) has emerged as an essential layer of defense for cloud-native systems. Among existing standards, FIDO2 has gained adoption as a passwordless authentication protocol that eliminates shared secrets and mitigates phishing risks (FIDO, 2022; Ghorbani Lyastani et al., 2020). It supports secure authentication across web and non-web services. However, integrating FIDO2 with orchestration systems such as Kubernetes introduces complex vulnerabilities. Internal misconfigurations and software inconsistencies, combined with the growing reliance on third-party services, increase the likelihood of exposure to multi-dimensional threats (Grimes, 2020).

This study introduces a prioritization strategy for security properties through the modified fuzzy analytical hierarchy process (fuzzy AHP). The method handles uncertainty by aggregating expert judgment and assigning fuzzy weights to the CIA-AAN criteria: Confidentiality, Integrity, Availability, Authentication, Authorization, and Non-repudiation (Bhol et al., 2023; Taleby Ahvanooey et al., 2023; Ogundoyin and Kamil, 2020). These properties require a unified perspective. Isolated emphasis on usability or confidentiality alone can result in system vulnerabilities. Authentication establishes identity (Kim et al., 2020), authorization defines access through RBAC (Zahoor et al., 2023), and non-repudiation ensures user accountability (Schiavone et al., 2016).

The architectural security dimension is captured using the Domain Mapping Matrix (DMM), which models interdependencies among components, interfaces, and system layers. This matrix, combined with Singular Value Decomposition (SVD), allows structural complexity in FIDO2-integrated environments to be measured quantitatively (Sinha et al., 2014). Results from this complexity analysis are then integrated with the security priority weights from modified Fuzzy AHP, forming a novel metric: the Complexity Resilience Index.

Risk levels are assessed using fuzzy logic, which incorporates the complexity resilience index, and real-world CVE data such as impact, base score, and exploitability. Fuzzy inference rules support evaluation under uncertain or incomplete data conditions, offering dynamic and context-aware risk assessments (Outkin et al., 2023; Blaise and Rebecchi, 2022; Gao et al., 2019).

Traditional risk assessment methods often fail to capture such complexity. For example, EBIOS Risk Manager (de la Sécurité des Systémes d'Information, 2019) provides structured analysis but focuses primarily on external threats, lacking integration with architectural dependencies or empirical threat intelligence. Moreover, frameworks like EBIOS do not define thresholds for acceptable risk and rely heavily on generalized mitigation actions. Similar limitations exist in recent literature (Wong et al., 2023; Sultan et al., 2019), where qualitative mitigation evaluations are rarely linked to actionable, data-driven insights.

The proposed framework addresses these gaps by combining expert-based decision-making, structural complexity modeling, and threat intelligence within a unified, multi-attribute risk assessment model. It supports FIDO2, Kubernetes, and Docker environments and is implemented as a web-based simulation tool. Practitioners can use this platform to explore attack scenarios, assess evolving risks, and test mitigation strategies in real time. By aligning theoretical models with operational demands, the framework supports more informed and adaptive cybersecurity decisions.

1.1 Motivation

Risk assessment in cloud-native security remains an unresolved challenge, particularly when dealing with technologies like FIDO2-based MFA, Kubernetes, and Docker. Existing frameworks often rely on general scoring models, static weights, or loosely structured matrices to evaluate critical system properties such as confidentiality, integrity, and availability. These methods struggle to produce consistent prioritization, especially when expert judgment varies or when evaluations involve user-centered concepts like authentication, authorization, and non-repudiation. Without a clear structure, organizations struggle to set effective security priorities.

Beyond this, current approaches such as de la Sécurité des Systémes d'Information (2019) fail to account for the structural complexity of modern architectures. Asset relationships, interface exposures, and dependency layers are rarely quantified in existing assessments, even though these structural elements often influence how vulnerabilities manifest in real systems. Despite the growing adoption of DevOps and orchestration tools in production, there remains a disconnect between best practice guidelines and how architectural complexity impacts risk exposure and the effectiveness of implemented controls.

A similar issue exists in how mitigation strategies are planned and executed. Security controls are often applied qualitatively and guided by checklist-based practices (Wong et al., 2023; Sultan et al., 2019). There is rarely a structured method to assess how layered defenses, such as detection, mitigation, and prevention, work in combination to reduce residual risk. In time-sensitive or resource-constrained environments, this often results in inconsistent decisions and suboptimal allocation of security investments. What remains lacking is a systematic and quantifiable approach to align threat exposure, system architecture, and control effectiveness, so that mitigation planning becomes both defensible and operationally effective.

1.2 Novelty

This paper introduces a novel, multi-attribute risk assessment framework for cloud-native security. It integrates:

Modified fuzzy AHP: We incorporate basic AHP into pairwise comparison by aggregating the mean of all experts' central consensus judgments using the Saaty scale, followed by fuzzification to compute the normalized value. Existing Fuzzy AHP methods, such as Chang (1996), compute fuzzy synthetic extents per expert and then compare fuzzy values using the degree of possibility.

Domain mapping matrix: We correlate industry best practices and asset provision of Kubernetes, Docker, and FIDO2 for MFA in a cloud computing environment using singular value decomposition to determine structural complexity metrics: components, interfaces, and architecture. To our knowledge, no cybersecurity studies have modeled structural complexity using Domain Mapping Matrix or SVD, despite its use in systems engineering (Sheard and Mostashari, 2009).

CISSP-based risk reduction with SAFe scaling: This study proposes a risk reduction strategy from the CISSP principle of layered defense—detection, mitigation, and prevention—each contributing incrementally to lowering residual risk (Chapple et al., 2018). To operationalize this concept, the approach adopts the Scaled Agile Framework's (SAFe) Weighted Shortest Job First (WSJF) model (Knaster and Leffingwell, 2020), applying tiered effectiveness weights of 5%, 3%, and 1% to reflect the cumulative impact of layered controls in prioritizing cybersecurity mitigation efforts.

1.3 Contribution

This study provides three primary contributions:

1. Complexity resilience index: we formulate a novel index that fuses structural complexity metrics from domain mapping (components, interfaces, architecture) with modified Fuzzy AHP-based CIA-AAN prioritization to quantify system resilience.

2. Fuzzy logic-based risk assessment using real-world threat intelligence: we apply fuzzy logic to combine the complexity resilience index with CVE-based threat metrics (impact, base score, exploitability) for five adversarial techniques—data destruction, endpoint denial of service, network denial of service, inhibit system recovery, and resource hijacking.

3. Web-based implementation: we deploy the core framework as an interactive, web-based tool to facilitate practitioners' adoption. The platform allows users to conduct what-if simulations and visualize changes in risk levels based on varying structural and threat inputs.

We divide this paper into seven (7) sections. Section 2 provides related prior research. Section 3 explains the assets domain and adversarial techniques. Section 4 discusses methodology. Section 5 presents the proposed multi-attribute risk assessment activities in detail. Section 6 discusses the comparative analysis of risk evaluation techniques, the impacts of adversarial methods, and the framework's limitations. The paper concludes with future research directions in Section 7.

2 Related prior research

This section presents prior research on multi-factor authentication (MFA) security, container orchestration security, fuzzy logic, risk assessment-based methodology, and mitigation strategies.

2.1 Multi-factor authentication security

A paper from Derhab et al. (2020) studies the security of the proposed architecture. It also evaluates a two-factor mutual authentication protocol for mobile cloud computing. Using MFA can spot early signs of compromise. It can find hacked accounts using advanced logs. Logs show that users who authenticate may decline or time out during the second phase of the method, per (Henricks and Kettani, 2020). This can trigger specific security rules and brief the analyst on the incident. According to Pöhn et al. (2023), security flaws are not always in MFA mechanisms themselves. This highlights social engineering as a critical next concern. An adversary could take advantage of this to conduct malicious activities.

2.2 Container orchestration security

The deployment of Kubernetes in large-scale systems like Netflix and Uber demonstrates its ability to manage extensive container ecosystems. It also highlights security vulnerabilities requiring thorough risk assessments (Nguyen, 2023). While our previous work (Hersyah et al., 2023) proposed a multi-dimensional risk assessment for Docker containers in IaaS environments using tools like AHP, ISO 27K, and MITRE (Adversarial Tactics, Techniques, and Common Knowledge) ATT&CK, it had limitations, including on Docker assets, inadequate guidance on resource limits, and a lack of real-world Kubernetes attack scenarios. Papers Mostajeran et al. (2017) and Blaise and Rebecchi (2022) further explore containerized platform risks and Helm Chart deployments, identifying vulnerabilities but lacking systematic methodologies and comprehensive Kubernetes threats. Additionally, Minna et al. (2021); Cao et al. (2022) examine Kubernetes networking and security abstractions but fall short in detailed risk profiling. Building on these findings, our study aims to develop a holistic multi-attribute risk assessment framework.

2.3 Fuzzy logic

The work in Flavia and Chelliah (2023) proposed an optimized, fuzzy logic-based method. It aims to create an anonymous identity and authenticate users. This would allow them to exchange data securely within P2P cloud environments. By addressing CIA-AAN, we seek a holistic approach. We will consider multiple facets of the foundation of cybersecurity. Alali et al. (2018) proposes using a Fuzzy Inference Model (FIS) to assess risk. It should consider four factors: vulnerability, threat, likelihood, and impact. The paper lacks detail on adversarial tactics, which this paper will cover. Insights from Haripriya and Kulothungan (2019) propose a novel IDS, Secure-MQTT, for MQTT-based IoT. It uses fuzzy logic to find any malicious devices. We use real-world data from MITRE ATT&CK to test attacks and their countermeasures.

2.4 Risk assessment-based methodology

EBIOS risk manager (de la Sécurité des Systémes d'Information, 2019) only offers a limited description of assets and risk scenarios. In this paper, we propose improvements by combining the complexity resilience index and detailed CVE metrics for better risk determination. We also explained detailed mitigation controls. Paper (Wu et al., 2023) introduces a risk assessment model using a Gini coefficient-based, evidence-reasoning approach rooted in Dempster-Shafer theory. The model addresses essential risk factors for cloud service providers integrating with diverse entities. However, its framework requires alignment with the advancements in Huang et al. (2024) to ensure its relevance against evolving cyber threats and dynamic business environments. Additionally, Casola et al. (2024) and Mills et al. (2023) propose a secure software development method tailored to modern DevOps pipelines, demonstrating its feasibility through a microservice application case study. Building on these works, our paper emphasizes the need for a comprehensive, multi-attribute risk assessment to enhance secure development methodologies.

2.5 Mitigation strategies

Recent studies show that most of the existing mitigation attempts for containers have drawbacks. For example, the Linux-based mitigation strategies used in containers, such as groups, namespaces, and capabilities, are prone to attacks due to resource exploitation, denials of service, and privilege escalation (Gao et al., 2019). Investigations by Wong et al. (2023) and Dissanayaka et al. (2020) present existing mitigation strategies and their limitations using a qualitative approach. A study from Devi Priya et al. (2023) proposes mitigation strategies from the DREAD threat modeling framework. A study from Koksal et al. (2024) attempts to conduct mitigation limited to DDoS attacks in container-based cloud environments using Kubernetes. We improve the mitigation efforts from the beginning of the paper by implementing a domain mapping matrix to ensure compliance with industry best practices and by demonstrating more attack vectors based on adversarial techniques and measurable quantitative efforts to reduce the risk scale from each impact.

3 Assets domain and adversarial techniques

A unified framework categorizes assets by their traits, limits, complexity, and sensitivity. This aids in systematic evaluations, as suggested by Kure et al. (2022); Assumpção et al. (2022). Figure 1 shows our main contribution to the paper's multi-attribute risk assessment. We adopted a methodology that employs modified fuzzy AHP, domain mapping matrix, and fuzzy logic. It improves the SSDE (Security SLA-based Security-by-Design Development) methodology by Casola et al. (2024).

Figure 1
Flowchart illustrating cloud security processes divided into three sections: assets provision and adversarial group, security properties and best practices, and risk level determination and mitigation. Each section includes various components and metrics, such as CVE metrics, assets best practices, and mitigation activities. Arrows indicate flow and relationships between components, with legends clarifying symbols and lines used.

Figure 1. The proposed multi-attribute risk assessment.

3.1 Assets domain

The determination of system characterization begins with its asset identification. We enhance the provision of comprehensive asset descriptions based on previous publications (Hersyah et al., 2023; Blaise and Rebecchi, 2022). This paper identifies 5 (five) minimum assets and components that compose the basic foundation of MFA and AWS-labeled container orchestration utilization.

1. MFA and authentication assets: AWS Identity and Access Management (IAM) is the foundation. It configures MFA users, groups, roles, and permissions to ensure controlled access. AWS Cognito complements this. It enables user pool integration and offers risk scoring and verification. IAM users link to hardware or virtual MFA devices.

2. Kubernetes assets: include Amazon Elastic Kubernetes Service (EKS) clusters as the master components, AWS EC2 or Fargate as worker nodes, and AWS Elastic Block Store (EBS) for scalable, high-performance block storage.

3. Docker container assets: Include Amazon ECR for storing, managing, and deploying Docker images. Also, AWS CodeBuild is used to compile code, run tests, and produce deployable software.

4. Cloud infrastructure assets: include AWS Virtual Private Cloud (VPC) for isolating resources, subnets, and security groups for network segmentation and access control, and AWS Key Management Service (KMS) for encrypting data at rest and in transit. CloudTrail and CloudWatch support monitoring. They capture logs from Kubernetes, Docker, and other services. Load balancers like ALB and NLB manage traffic. AWS Route 53 is a DNS service that routes traffic to apps and services.

5. Compliance and governance assets: include AWS Config for monitoring resource configurations and ensuring compliance with defined rules, and AWS Security Hub for providing a centralized view of security best practices and compliance status across AWS accounts to detect.

3.2 Adversarial techniques

MFA, container engines, and orchestrators have exploitable flaws. Their reliance on software and hardware layers adds modularity. But it creates new attack surfaces. Critical security issues often arise from internal threats (Mahavaishnavi et al., 2024), misconfigurations (Renaud et al., 2024), and interdependencies (Bracke et al., 2024), leading to vulnerabilities that adversaries leverage to target deployed applications. We categorize adversarial techniques in Section 5.2 to evaluate these vulnerabilities. We analyze their actions using MITRE ATT&CK (MITRE Corporation, 2024). It is a framework that maps adversarial tactics and techniques from initial access to impact. The following details describe the adversarial techniques and their corresponding groups.

1. Data destruction - adversarial group: APT38: stemming from unauthorized external access or internal threats. Vulnerabilities include inadequate MFA, misconfigured Kubernetes, and insecure Docker images. These interdependencies can lead to data loss and business disruption.

2. Endpoint denial of service - adversarial group: Sandworm Team: malicious attacks involve using exposed APIs, unpatched Kubernetes or Docker software, and misconfigurations in service dependencies, resulting in operational downtime and potential loss of customer trust.

3. Network denial of service - adversarial group: APT28: exploiting weak network security, misconfigured policies, and interdependent systems in containerized environments. These attacks disrupt services and may result in revenue loss.

4. Inhibit system recovery - adversarial group: Wizard Spider: stemming from internal threats that conduct ransomware. Vulnerabilities and interdependencies arise from compromised container images and weak backup plans. They cause major financial losses, data loss, and high recovery costs.

5. Resource hijacking - adversarial group: TeamTNT: involving unauthorized use of cloud resources for malicious activities like cryptocurrency mining. Vulnerabilities include insecure Docker containers, weak Kubernetes authentication, and interdependent resource management systems. They lead to higher costs, lower performance, and compliance issues.

4 Methodology

This section explains the Modified Fuzzy AHP, Domain Mapping Matrix, and Fuzzy Logic. The Modified Fuzzy AHP is used to rank security priorities based on multiple criteria. The Domain Mapping Matrix identifies relationships between asset domains and aligns them with best practices. Fuzzy Logic is then applied to calculate the overall risk level.

4.1 Modified fuzzy AHP

Zadeh introduced fuzzy set theory in 1965 (Zadeh, 1965), laying the foundation for this technique, which is further explained in Emrouznejad and Ho (2017), where the integration of fuzzy logic into decision-making frameworks such as the Analytic Hierarchy Process (AHP) enables handling of uncertainty and vagueness in human judgments. In this study, we adopt and modify the Fuzzy AHP method developed by Chang (1996). We engaged four certified professionals in cloud security and container orchestration. Each expert was asked to conduct a pairwise comparison of the six CIA-AAN criteria using Saaty's 1–9 fundamental scale. To synthesize these individual judgments, we applied the Aggregated Mean Approach (Forman and Peniwati, 1998), and the arithmetic mean of each corresponding pairwise element across the expert matrices was calculated. This method, a standard form of Aggregation of Individual Judgments (AIJ), yields a central consensus matrix that reflects the collective view of the expert group (Tran et al., 2024). It ensures that no single expert dominates the evaluation and simplifies the fuzzification process.

Let:

$A_k = [a_{ij}^{(k)}]$ be the pairwise comparison matrix provided by expert $k$, where $a_{ij}^{(k)}$ is the judgment of criterion $i$ relative to criterion $j$ from expert $k$.

n is the number of criteria (e.g., 6 for CIA-AAN).

K is the number of experts (e.g., 4 in this study).

Then, the consensus matrix $A = [\bar{a}_{ij}]$ is computed as follows:

$$\bar{a}_{ij} = \frac{1}{K} \sum_{k=1}^{K} a_{ij}^{(k)}, \quad \text{for } i, j = 1, 2, \dots, n \tag{1}$$

That is, each element of the consensus matrix is the arithmetic mean of all experts' judgments for the corresponding pairwise comparison:

$$\bar{a}_{ij} = \frac{a_{ij}^{(1)} + a_{ij}^{(2)} + \cdots + a_{ij}^{(K)}}{K} \tag{2}$$

After forming the consensus matrix, we applied Triangular Fuzzy Numbers (TFNs) to reflect the inherent uncertainty in expert judgments, as shown in Figure 2.

Figure 2
Graph depicting a triangular membership function used in fuzzy logic. The graph shows a triangle with points at (xi, 0), (xm, 1), and (xu, 0). Equations for μ(x) are provided for sections xi ≤ x ≤ xm and xm ≤ x ≤ xu. Horizontal lines indicate membership values, including 1 at x = xm and β at an intermediate height. Axes are labeled μ(x) and x.

Figure 2. Triangular fuzzy number.

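Step 1: After using the fuzzy number operational laws, a fuzzy pairwise comparison matrix is given:

$$\tilde{X} = \begin{bmatrix} (1,1,1) & \tilde{a}_{12} & \cdots & \tilde{a}_{1n} \\ \tilde{a}_{21} & (1,1,1) & \cdots & \tilde{a}_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ \tilde{a}_{n1} & \tilde{a}_{n2} & \cdots & (1,1,1) \end{bmatrix},$$

$$V(M_1 \geq M_2) = \begin{cases} 1, & \text{if } m_2 \geq m_1, \\ 0, & \text{if } l_1 \geq u_2, \\ \dfrac{l_1 - u_1}{(m_2 - u_2) - (m_1 - u_1)}, & \text{otherwise.} \end{cases} \tag{3}$$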

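Step 2: The fuzzy geometric mean value $\tilde{r}_i$ for each criterion $i$ is computed as

$$\tilde{r}_i = \left(\tilde{a}_{i1} \times \tilde{a}_{i2} \times \cdots \times \tilde{a}_{in}\right)^{1/n} \tag{4}$$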

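Step 3: The fuzzy weight $\tilde{w}_i$ for each criterion $i$ is calculated as

$$\tilde{w}_i = \tilde{r}_i \times \left(\tilde{r}_1 + \tilde{r}_2 + \cdots + \tilde{r}_n\right)^{-1}, \quad \text{where } \tilde{r}_k = (l_k, m_k, u_k) \text{ and } (\tilde{r}_k)^{-1} = \left(\frac{1}{u_k}, \frac{1}{m_k}, \frac{1}{l_k}\right). \tag{5}$$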

Step 4: Defuzzification is then performed using the Center of Area (CoA):

$$\mathrm{CoA}(\tilde{A}) = \frac{l + m + u}{3} \tag{6}$$

Step 5: The weights are normalized so that all components of the weight vector sum to 1 (one).

$$NW_i = \frac{W_i}{\sum W_i} \tag{7}$$

4.2 Domain mapping matrix

We use a Domain mapping matrix (Maurer and Lindemann, 2008) to map elements between assets (MFA, Docker, and Kubernetes) and their best practices. It is a (l, m) rectangular binary adjacency matrix, where each entry indicates whether a specific best practice is applicable to a given asset.

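$$A = \begin{bmatrix} A_{11} & A_{12} & \cdots & A_{1m} \\ A_{21} & A_{22} & \cdots & A_{2m} \\ \vdots & \vdots & A_{ij} & \vdots \\ A_{l1} & A_{l2} & \cdots & A_{lm} \end{bmatrix}, \quad A_{ij} = \begin{cases} 1, & \text{if requirement } i \text{ and element } j \text{ have a relation,} \\ 0, & \text{otherwise.} \end{cases} \tag{8}$$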

4.3 Fuzzy logic and Fuzzy Inference System description

Fuzzy Logic, implemented through a Fuzzy Inference System (FIS), provides a structured approach for reasoning under uncertainty and imprecision. This study employs the skfuzzy library (Warner, 2022) in Python to develop the FIS. The typical process involves four main stages (Geramian et al., 2019):

4.3.1 Fuzzification stage

In the fuzzification stage, precise input values are translated into fuzzy values. These fuzzy values are grouped into categories like low, medium, high, and very high. Each category is represented using a shape called a membership function (MF), which helps determine how strongly a value belongs to that category. Common shapes include triangular, trapezoidal, and Gaussian. In this study, we use trapezoidal membership functions, defined as:

$$\mu_{\text{trapezoidal}}(x; a, b, c, d) = \max\left(\min\left(\frac{x - a}{b - a},\ 1,\ \frac{d - x}{d - c}\right),\ 0\right) \tag{9}$$

4.3.2 Fuzzy rule base stage

The Fuzzy Rule Base defines the relationship between input and output variables in this stage. Rules are expressed in an if-then format, where the antecedent (if part) describes the input conditions, and the consequent (then part) specifies the corresponding output action. Logical operators such as AND and OR combine the antecedent terms. These operators are mathematically represented as:

AND operation (Minimum method): is used to model the intersection of fuzzy sets, where the membership degree of the combined condition is determined by taking the minimum value.

$$\mu_{\text{AND}} = \min(\mu_x, \mu_y) = \min(0.6, 0.8) = 0.6$$

OR operation (Maximum method): is used to model the union of fuzzy sets, where the membership degree of the combined condition is determined by taking the maximum value.

$$\mu_{\text{OR}} = \max(\mu_x, \mu_y) = \max(0.6, 0.8) = 0.8$$

Combined use of AND and OR in rules

In Fuzzy Logic rules, AND and OR operators are often combined to handle complex relationships, which gives the rules flexibility. For example, consider the following rule:

IF (n1 is high OR n2 is medium) AND (n3 is high OR n4 is medium) THEN Output is high.

This rule uses both OR and AND operations:

IF $\min\left(\max(\mu_{n_1,\text{high}}, \mu_{n_2,\text{medium}}),\ \max(\mu_{n_3,\text{high}}, \mu_{n_4,\text{medium}})\right)$ THEN Output is High.

4.3.3 Fuzzy inference and aggregation stage

In this stage, the defined rules are evaluated using the fuzzified input values, and the results are aggregated. Rule evaluation uses the AND and OR operations described above. After all rules are evaluated, their results are aggregated. Aggregation methods commonly used include:

Maximum method:

$$\mu_{\text{aggregated}}(z) = \max\left(\mu_{\text{rule}_1}(z), \mu_{\text{rule}_2}(z), \dots\right) \tag{10}$$

4.3.4 Defuzzification stage

Finally, the aggregated output is defuzzified to obtain a crisp value. This is where fuzzy logic principles are translated into a precise numerical output. In this study, the discrete centroid method is employed:

$$z^* = \frac{\sum_{i=1}^{n} z_i \cdot \mu_{\text{aggregated}}(z_i)}{\sum_{i=1}^{n} \mu_{\text{aggregated}}(z_i)} \tag{11}$$
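The four stages of Section 4.3, as an added example in plain Python (it is not the paper's code and does not use its skfuzzy model). The membership breakpoints, the 0 to 10 input scale, the three rules and min-clipping as the implication step are all assumptions made here; only the trapezoid formula, the min/max operators, max aggregation and the discrete centroid come from the text.

```python
# Added example: fuzzification, rule base, aggregation and defuzzification
# (Equations 9-11). All breakpoints and rules below are constructed.

def trapmf(x, a, b, c, d):
    """Equation 9, with vertical shoulders handled when a == b or c == d."""
    left = (1.0 if x >= a else 0.0) if b == a else (x - a) / (b - a)
    right = (1.0 if x <= d else 0.0) if d == c else (d - x) / (d - c)
    return max(min(left, 1.0, right), 0.0)

# Assumed input scale 0..10 for all four inputs (complexity resilience index,
# CVE base score, impact, exploitability) and output risk scale 0..100.
IN_TERMS = {"low": (0, 0, 2, 4), "medium": (2, 4, 6, 8), "high": (6, 8, 10, 10)}
OUT_TERMS = {"low": (0, 0, 20, 40), "medium": (20, 40, 60, 80),
             "high": (60, 80, 100, 100)}

def mu(value, term):
    return trapmf(value, *IN_TERMS[term])

def fire_rules(cri, base, impact, exploit):
    """Rule base: AND is min, OR is max. Returns firing strength per output term."""
    rules = [
        # Same shape as the rule quoted in Section 4.3.2.
        ("high", min(max(mu(cri, "high"), mu(base, "medium")),
                     max(mu(impact, "high"), mu(exploit, "medium")))),
        ("medium", min(mu(base, "medium"), mu(impact, "medium"))),
        ("low", min(mu(base, "low"), mu(exploit, "low"))),
    ]
    strength = {term: 0.0 for term in OUT_TERMS}
    for term, s in rules:
        strength[term] = max(strength[term], s)
    return strength

def aggregated(strength, z):
    """Equation 10: max over rules of the output set clipped at its strength."""
    return max(min(s, trapmf(z, *OUT_TERMS[t])) for t, s in strength.items())

def risk_score(cri, base, impact, exploit):
    """Equation 11: discrete centroid over z = 0, 1, ..., 100."""
    for name, v in (("cri", cri), ("base", base),
                    ("impact", impact), ("exploit", exploit)):
        if not 0 <= v <= 10:
            raise ValueError(f"{name}={v} is outside the assumed 0..10 scale")
    strength = fire_rules(cri, base, impact, exploit)
    num = den = 0.0
    for z in range(0, 101):
        m = aggregated(strength, z)
        num += z * m
        den += m
    # No rule fired: the centroid is undefined, so report that explicitly.
    return None if den == 0 else num / den

def risk_label(score):
    """Output term in which the crisp score has the highest membership."""
    return max(OUT_TERMS, key=lambda t: trapmf(score, *OUT_TERMS[t]))

if __name__ == "__main__":
    for inputs in [(9, 7, 9, 5), (3, 5, 5, 7), (0, 10, 0, 10)]:
        score = risk_score(*inputs)
        label = risk_label(score) if score is not None else "no rule fired"
        print(inputs, score, label)
```

An input combination that matches no rule returns `None` rather than a score, which is the case a sparse rule base has to handle before its output is used for prioritization.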

5 Proposed multi-attribute risk assessment

This section demonstrates, step by step, the calculation of the proposed multi-attribute risk assessment described in Figure 1 as a proof of concept for the contributions in Section 1.

5.1 Asset based assessment methods

5.1.1 Modified Fuzzy AHP

We structured the Fuzzy AHP process step by step in Section 4.1, beginning with the collection of objective expert judgments from four certified Kubernetes professionals. The detailed responses are provided in Supplementary Tables S4–S8. The aggregation of these expert inputs into consensus values is formalized in Equation 1, while the construction of the aggregated pairwise comparison matrix is outlined in Equation 2. The final comparison matrix evaluating the CIA-AAN security elements is presented in Table 1.

Table 1. Pairwise comparison matrix of CIA-AAN element properties.

In the fuzzification process, crisp values from the traditional AHP scale (e.g., 1 to 9) were converted into triangular fuzzy numbers. For instance, a value of 1 was transformed into the fuzzy number (1,1,1), while a value of 4 was mapped to (3,4,5). Similarly, reciprocal values, such as 1/4, were converted into (1/5,1/4,1/3). We constructed the CIA-AAN fuzzy pairwise comparison matrix based on the judgments and applied fuzzification, using Equation 3, displayed in Table 2.

Table 2. The CIA-AAN fuzzy pairwise comparison matrix.

We computed the geometric mean of each element using Equation 4, displayed in Table 3:

Table 3. Fuzzy geometric mean calculation and results for each criterion.

We then add the rows of the Calculation Result for the lower bound (0.714+0.728+0.858+0.693+0.953+0.890), the middle bound (0.849+0.934+1.069+0.890+1.177+1.122), and the upper bound (1.049+1.164+1.371+1.200+1.399+1.348), resulting in geometric mean values of 4.836, 6.041, and 7.531.

The next step is determining each criterion's fuzzy weight and Center of Area (CoA). We formulate the Fuzzy weight by multiplying the Calculation Result from Table 3 and the reciprocal values of the Geometric mean value (7.531, 6.041, 4.836), based on Equation 5. We compute defuzzification by formulating the Center of Area (CoA) using Equation 6 to give a crisp value. It is the average of its lower, middle, and upper parameters of the Fuzzy Weight, displayed in Table 4.

Table 4. Fuzzy weight and center of area (CoA).

Finally, we obtain the normalized value of each criterion using Equation 7, shown in Table 5. The normalized values of CIA-AAN serve as the security properties rank, which we will incorporate later with structural complexity to propose the complexity resilience index.

Table 5. The CIA-AAN normalized values.
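The chain from fuzzification to normalized weights can be reproduced from the numbers quoted in the text. The following is an added example, not the authors' code; it assumes the six geometric means are listed in CIA-AAN order, and it generalizes the (3, 4, 5) pattern shown for a judgment of 4 to the judgments 2 to 8.

```python
from math import prod

# Assumption: the text lists six values per bound without labels, so the
# criterion order is taken from the CIA-AAN acronym.
CRITERIA = ("confidentiality", "integrity", "availability",
            "authentication", "authorization", "non_repudiation")

# Fuzzy geometric means (lower, middle, upper) quoted in the text for Table 3.
GEO_MEANS = (
    (0.714, 0.849, 1.049),
    (0.728, 0.934, 1.164),
    (0.858, 1.069, 1.371),
    (0.693, 0.890, 1.200),
    (0.953, 1.177, 1.399),
    (0.890, 1.122, 1.348),
)


def fuzzify(score):
    """Map a crisp AHP judgment to a triangular fuzzy number (l, m, u)."""
    if score == 1:
        return (1.0, 1.0, 1.0)
    if score in range(2, 9):
        # Same +/-1 spread as the text's example 4 -> (3, 4, 5).
        return (score - 1.0, float(score), score + 1.0)
    raise ValueError("the text only illustrates integer judgments; 9 is not shown")


def reciprocal(tfn):
    """Reciprocal judgment: invert the bounds and swap lower with upper."""
    lower, middle, upper = tfn
    return (1.0 / upper, 1.0 / middle, 1.0 / lower)


def geometric_mean(row):
    """Component-wise geometric mean of one matrix row of fuzzy numbers."""
    n = len(row)
    return tuple(prod(t[k] for t in row) ** (1.0 / n) for k in range(3))


def bound_totals(geo_means):
    """Column totals of the lower, middle and upper geometric means."""
    return tuple(sum(g[k] for g in geo_means) for k in range(3))


def fuzzy_weights(geo_means):
    """Multiply each mean by the reciprocal totals, taken in reverse order."""
    low_total, mid_total, up_total = bound_totals(geo_means)
    return [(l / up_total, m / mid_total, u / low_total)
            for l, m, u in geo_means]


def center_of_area(tfn):
    """Defuzzify a triangular fuzzy number as the mean of its parameters."""
    return sum(tfn) / 3.0


def normalized_weights(geo_means, names=CRITERIA):
    """Crisp weights per criterion, scaled so that they sum to 1."""
    coa = [center_of_area(w) for w in fuzzy_weights(geo_means)]
    total = sum(coa)
    return {name: value / total for name, value in zip(names, coa)}


if __name__ == "__main__":
    ranked = sorted(normalized_weights(GEO_MEANS).items(),
                    key=lambda item: -item[1])
    for name, weight in ranked:
        print(f"{name:16s} {weight:.5f}")
```

Because the inputs are the three-decimal values printed in the text, the weights agree with the ones used later in the complexity resilience index calculation only to about three decimal places.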

5.1.2 Domain mapping matrix

We assemble a domain mapping matrix as explained in Section 4.2 to improve the EBIOS risk manager. It maps assets to their best practices to describe structural complexity. It will assess asset value by comparing the assets with the FIDO2 best practices for MFA and the OWASP best practices for Kubernetes, Docker, and Cloud Computing (FIDO, 2022; OWASP, 2024c,b,a). We implement the Domain Mapping Matrix by adhering to Equation 8 in Table 6. The articulation assets consist of MFA and container orchestration in cloud environments. They total 16 in the column axis. We map them to 31 best practices from FIDO2 and OWASP in the row axis. These details include MFA, Kubernetes, Docker, and Cloud Computing best practices. We assign a value of 1 for a direct correlation between an asset and its best practices. In the absence of any identified direct relationship, we assign a value of 0.

Table 6. Domain mapping matrix.

We apply Singular Value Decomposition (SVD), which reduces data dimensionality and generalizes the eigendecomposition to an $m \times n$ matrix by extending the polar decomposition; it can be applied to multi-attribute risk assessment. Here $\Sigma$ is an $m \times n$ diagonal matrix that contains the singular values of $A$, which describe stretching; in our case it is $31 \times 16$, so only the first 16 rows can hold non-zero values. The singular values $\sigma_i$ come from the eigenvalues of $A^TA$ (or $AA^T$, depending on the dimensions). The singular values are the square roots of these eigenvalues, which are defined as follows:

$$\sigma_i = \sqrt{\lambda_i} \tag{12}$$

where $\lambda_i$ are the eigenvalues of $A^TA$ (or $AA^T$). The Singular Value of $A$ is given by:

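$$\begin{bmatrix} \sigma_1 & 0 & \cdots & 0 & 0 \\ 0 & \sigma_2 & \cdots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & \sigma_r & 0 \\ 0 & 0 & \cdots & 0 & 0 \end{bmatrix} \begin{bmatrix} V_1^T \\ V_2^T \\ \vdots \\ V_r^T \\ V_{r+1}^T \\ \vdots \\ V_n^T \end{bmatrix} = \begin{bmatrix} \text{Row } A \\ \text{Null } A \end{bmatrix} \tag{13}$$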

where $\sigma_1, \sigma_2, \ldots, \sigma_n$ are the singular values. These are non-negative and are typically arranged in descending order. The formulation of singular value is as follows:

$$\Sigma = \operatorname{diag}(9.2498,\ 5.2087,\ 3.7101,\ 2.5898,\ 2.4903,\ 2.0203,\ 1.4057,\ 1.3579,\ 1.1421,\ 0.9265,\ 0.6504,\ 0.3867,\ 0.0000,\ 0.0000,\ 0.0000,\ 0.0000)$$

We followed Sheard and Mostashari (2009) and Sinha and Suh (2018) to calculate the structural complexity metrics, which consist of components, interfaces, and architecture. Based on these, we propose a complexity resilience index using Equations 17–20.

5.1.3 Structural complexity 1: components

This aspect is related to component engineering. The singular value decomposition gives us the singular values of the 16 assets: 9.2498, 5.2087, 3.7101, 2.5898, 2.4903, 2.0203, 1.4057, 1.3579, 1.1421, 0.9265, 0.6504, 0.3867, 0.0000, 0.0000, 0.0000, 0.0000. The component score $C_1$ is defined as the sum of the first $k$ singular values from the domain mapping matrix:

$$C_1 = \sum_{i=1}^{k} \sigma_i \tag{14}$$

where $C_1$ denotes the component score and $\sigma_i$ represents the singular value associated with the asset $i$.

This represents the accumulation of singular values that contribute to the component metric of structural complexity. The sum of the singular values is given by:

$$\begin{aligned} C_1 &= 9.2498 + 5.2087 + 3.7101 + 2.5898 + 2.4903 + 2.0203 \\ &\quad + 1.4057 + 1.3579 + 1.1421 + 0.9265 + 0.6504 + 0.3867 \\ &\quad + 0.0000 + 0.0000 + 0.0000 + 0.0000 = 31.1382 \end{aligned}$$

5.1.4 Structural complexity 2: interfaces

The second aspect is related to interface design and management. It is the cumulative term that captures the interaction complexity $\beta_{ij}$ between components, which we express with the following formula:

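$$C_2 = \sum_{i=1}^{k} \sum_{j=1}^{k} \beta_{ij} A_{ij}, \qquad A_{ij} = \begin{cases} 1, & [(i,j) \mid (i \neq j)] \in A, \\ 0, & \text{otherwise.} \end{cases} \tag{15}$$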

The cumulative sum from the domain mapping matrix, which we can find in the last row of Table 6, is the total of the granular assets score, which is given by:

$$C_2 = 7 + 6 + 6 + 23 + 18 + 7 + 27 + 11 + 9 + 8 + 6 + 9 + 1 + 1 + 3 + 8 = 150$$

5.1.5 Structural complexity 3: architecture

The last aspect is related to the system integration effort to address the architecture topology metric, which we expressed in the following formula:

$$C_3 = \frac{\sum_{i=1}^{k} \sigma_i}{\min(l, m)} \tag{16}$$

where $\sum_{i=1}^{k} \sigma_i$ is the Component Aspect, $l$ is the number of best practices, and $m$ is the number of asset domains.

The architecture metric can be obtained as follows:

$$C_3 = \frac{31.1382}{16} = 1.9461$$

5.1.6 Complexity resilience index determination

We propose the complexity resilience index by formulating linear computation between the structural complexity metrics (component, interface, and architecture) and the normalized values of CIA-AAN from the modified fuzzy AHP in Table 5.

1. Component with availability and non-repudiation: these tools provide operations to manage and scale applications across diverse environments. Emphasizing availability ensures the app works well and is always accessible. It also minimizes downtime (Alahmad et al., 2019). Also, non-repudiation means logging all system actions. This includes container deployments and Kubernetes changes. It provides undeniable accountability (Truyen et al., 2020).

2. Interface with integrity, authentication, and authorization: data in systems built with Docker and Kubernetes must be trustworthy and unchanged. So, we must maintain its integrity as it moves through interfaces. This setup uses FIDO2 to strengthen authentication. It ensures that only verified users and services can access the system. Authorization defines what authenticated users can do. It controls resource access based on policies (Kudo et al., 2021; Bánáti et al., 2018).

3. Architecture with confidentiality: confidentiality protects private, sensitive information from unauthorized access (Seifermann et al., 2019). This approach uses strong encryption and secure access controls. They protect sensitive data at rest and in transit.

To calculate the complexity resilience index score, we propose the following linear computation based on the security attributes assigned to each complexity aspect:

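$$w_c = C_1 \times \left( \frac{1}{2} \times \sum_{i \in \{a,\, nr\}} w_i \right), \tag{17}$$

$$w_i = C_2 \times \left( \frac{1}{3} \times \sum_{j \in \{int,\, auh,\, autz\}} w_j \right), \tag{18}$$

$$w_a = C_3 \times \left( \sum_{k \in \{conf\}} w_k \right), \tag{19}$$

$$\text{complexity resilience index} = w_c + w_i + w_a. \tag{20}$$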

We adopt the Cyclomatic Complexity Metric as defined by McCabe (McCabe, 1976), which is widely used to evaluate ranges of software complexity:

• 1 – 10: Simple procedure

• 11 – 20: Medium Procedure

• 21 – 50: Complex Procedure

• > 50: Untestable code

We computed all Equations from 17 to 20 to obtain proposed complexity resilience index scores.

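$$\begin{aligned} w_c &= 31.1382 \times \left( \frac{0.17937 + 0.18219}{2} \right) = 8.4218 \\ w_i &= 150 \times \left( \frac{0.15365 + 0.15271 + 0.19097}{3} \right) = 24.8665 \\ w_a &= 1.9461 \times (0.14111) = 0.2746 \\ \text{complexity resilience index} &= 8.4218 + 24.8665 + 0.2746 = 33.5629 \approx 34 \ (\text{Complex Procedure}). \end{aligned}$$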
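Equations 14 to 20 can be recomputed from the singular values, asset totals and weights quoted in the text. The following is an added example, not the authors' code; it assumes $\beta_{ij} = 1$ (as the plain sum of asset totals implies) and that the weights appear in the order of the subscripts in Equations 17 to 19. Evaluating Equation 17 exactly as written gives $w_c = 5.6292$ with these inputs, while the printed $w_c = 8.4218$ is reproduced when only the second weight is halved, so the sketch exposes both; either total falls in the 21–50 band.

```python
# Singular values of the 31 x 16 domain mapping matrix, as listed in the text.
SINGULAR_VALUES = (9.2498, 5.2087, 3.7101, 2.5898, 2.4903, 2.0203,
                   1.4057, 1.3579, 1.1421, 0.9265, 0.6504, 0.3867,
                   0.0, 0.0, 0.0, 0.0)
# Per-asset totals from the last row of Table 6, as listed in the text.
ASSET_TOTALS = (7, 6, 6, 23, 18, 7, 27, 11, 9, 8, 6, 9, 1, 1, 3, 8)
BEST_PRACTICES, ASSETS = 31, 16
# Normalized CIA-AAN weights as they appear in the text's calculation.
# Assumption: they follow the subscript order of Equations 17 to 19.
WEIGHTS = {
    "availability": 0.17937, "non_repudiation": 0.18219,
    "integrity": 0.15365, "authentication": 0.15271,
    "authorization": 0.19097, "confidentiality": 0.14111,
}


def structural_complexity(singular_values, asset_totals, n_rows, n_cols):
    """Return (C1, C2, C3) per Equations 14, 15 and 16."""
    c1 = sum(singular_values)           # component metric
    c2 = sum(asset_totals)              # interface metric, beta_ij = 1 assumed
    c3 = c1 / min(n_rows, n_cols)       # architecture metric
    return c1, c2, c3


def mean_weight(weights, names):
    """Average of the named security-property weights."""
    return sum(weights[name] for name in names) / len(names)


def complexity_resilience_index(c1, c2, c3, weights):
    """Equations 17 to 20 evaluated exactly as written."""
    w_c = c1 * mean_weight(weights, ("availability", "non_repudiation"))
    w_i = c2 * mean_weight(
        weights, ("integrity", "authentication", "authorization"))
    w_a = c3 * weights["confidentiality"]
    return {"w_c": w_c, "w_i": w_i, "w_a": w_a, "cri": w_c + w_i + w_a}


def printed_component_term(c1, weights):
    """Arithmetic that reproduces the printed w_c: second weight halved only."""
    return c1 * (weights["availability"] + weights["non_repudiation"] / 2)


def mccabe_band(score):
    """Map a score to the McCabe ranges quoted in the text."""
    if score <= 10:
        return "Simple procedure"
    if score <= 20:
        return "Medium Procedure"
    if score <= 50:
        return "Complex Procedure"
    return "Untestable code"


if __name__ == "__main__":
    c1, c2, c3 = structural_complexity(
        SINGULAR_VALUES, ASSET_TOTALS, BEST_PRACTICES, ASSETS)
    result = complexity_resilience_index(c1, c2, c3, WEIGHTS)
    printed_total = (printed_component_term(c1, WEIGHTS)
                     + result["w_i"] + result["w_a"])
    print(f"C1={c1:.4f} C2={c2} C3={c3:.4f}")
    print(f"Eq. 17-20 as written: {result['cri']:.4f} "
          f"({mccabe_band(result['cri'])})")
    print(f"Printed arithmetic:   {printed_total:.4f} "
          f"({mccabe_band(printed_total)})")
```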

5.2 Adversarial technique-based assessment methods

This subsection examines adversarial techniques discussed in Section 3.2. These techniques are organized within adversarial tactics that contain methods from external and internal threats, misconfigurations, and interdependencies targeting vulnerabilities in these systems. The evaluation focuses on the CVE's impact, base score, and exploitability associated with five critical techniques identified in the MITRE ATT&CK framework (MITRE Corporation, 2024): Data Destruction (T1485), Endpoint Denial of Service (DoS) (T1499), Inhibit System Recovery (T1490), Network Denial of Service (DoS) (T1498), and Resource Hijacking (T1496). These techniques span multiple stages of adversarial tactics, from initial access to impact, and are particularly critical due to their potential to disrupt FIDO2 for MFA and container orchestration systems in cloud environments. The analysis uses a stacked bar chart to show the CVE metrics. It highlights the impact (blue), base score (green), and exploitability (red).

5.2.1 Data destruction—adversarial group APT38

The APT38 group (MITRE ATT&CK, 2024b) uses CVE-2023-23192 to bypass authentication, which internal threats can also abuse. Misconfigurations, such as those associated with CVE-2023-28842, arise during phases like Execution–Deploy Container, where improperly secured configurations enable adversaries to deploy malicious containers. Interdependency issues, exemplified by CVE-2022-29179, often occur in the Privilege Escalation–Escape to Host phase, where weak interconnections between containerized environments and host systems are illustrated in Figure 3. These vulnerabilities result in an average impact score of 4.9, a base score of 6.9, and an exploitability score of 1.9.

Figure 3
Bar chart comparing impact, base score, and exploitability scores for various adversarial tactics by data destruction. Green bars represent impact, blue bars represent base score, and red bars represent exploitability. Tactics include resource development, initial access, execution, impact, and others. A legend to the right lists adversary techniques and CVEs with corresponding colors. Average scores are highlighted on the chart.

Figure 3. Data destruction impact, base score and exploitability.

5.2.2 Endpoint denial of service—adversarial group Sandworm Team

The Sandworm Team's cyber threat level is outlined in MITRE ATT&CK (2024a). Sandworm employs CVE-2023-24619 for MFA interception and leverages container orchestration vulnerabilities. Misconfigurations associated with CVE-2023-37480 are exploited during the Container Discovery phase, where inadequate configurations allow adversaries to exploit containerized environments. Interdependency issues, highlighted by CVE-2021-25746, occur during the Privilege Escalation–Stole Credentials phase, where weak interactions between containerized systems and authentication mechanisms enable unauthorized credential access. Figure 4 shows an impact of 4.2, a base score of 6.5, and an exploitability score of 2.0.

Figure 4
Bar chart showing impact, base, and exploitability scores across various adversarial tactics, each linked with specific CVEs. Scores vary per tactic, with a color-coded legend for CVEs including vulnerability scanning, phishing, and others. Tactics include reconnaissance and credential access, ranked from high to low scores.

Figure 4. Endpoint DOS impact, base score, and exploitability.

5.2.3 Network denial of service—adversarial group APT28

Figure 5 examines APT28, as outlined in MITRE ATT&CK (2024a). This group used CVE-2023-52105 to bypass authentication. They also used CVE-2023-30610 to intercept MFA. These attacks targeted authentication. Misconfigurations associated with CVE-2022-24829 were exploited during the Initial Access–Exploit Public Application phase, allowing attackers to compromise application environments. Interdependency issues linked to CVE-2018-9057 were identified in the Discovery–Container and Resource Discovery phase, where adversaries leveraged weak dependencies within containerized systems. The average impact, base score, and exploitability are 3.7, 6.3, and 2.2, respectively.

Figure 5
Bar chart showing impact, base score, and exploitability scores for different adversarial tactics by network DOS phase. The x-axis lists tactics like reconnaissance and resource deployment. The y-axis shows scores ranging from 0 to 10. A legend indicates adversary techniques with corresponding CVEs, such as vulnerability scanning and brute force. Each tactic has three bars representing different scores, color-coded in red, green, and blue.

Figure 5. Network DOS impact, base score, and exploitability.

5.2.4 Inhibit system recovery—adversarial group Wizard Spider

The Spider group, as noted in MITRE ATT&CK (2024d), uses methods like LSASS memory dumping (CVE-2022-37977) and Pass the Hash (CVE-2022-25166) to break authentication. Misconfigurations like CVE-2024-40720 were exploited during the Defense Evasion–Modify Registry phase, where attackers altered critical registry settings to evade detection. Interdependency issues, linked to CVE-2021-36934, are observed during the Impact–Inhibit System Recovery phase, where weak system recovery protocols allow adversaries to disable recovery functions. Internal threats can also play a role in these issues. Figure 6 shows the average impact, base score, and exploitability of these tactics as 4.0, 6.4, and 3.1.

Figure 6
Bar chart titled “Impact, Base Score, and Exploitability Scores by Inhibit System Recovery Phase,” displaying scores for various adversarial tactics. The x-axis lists tactics like “Initial Access - Phishing” and “Exfiltration - Cloud Storage,” while the y-axis represents scores. Scores are depicted with three color-coded bars: blue (impact), green (base score), and red (exploitability). A legend lists adversary techniques with corresponding CVE identifiers. Scores range from low to high, indicating different risk levels of each technique.

Figure 6. Inhibit system recovery impact, base score, and exploitability.

5.2.5 Resource hijacking–adversarial group TeamTNT

TeamTNT, as outlined in MITRE ATT&CK (2024c), leveraged account manipulation tactics to disrupt authentication using CVE-2023-41333. Misconfigurations, such as those associated with CVE-2024-5165, were identified during the Execution–Malicious Image phase, where attackers deployed unauthorized container images to execute malicious operations. Interdependency issues linked to CVE-2019-10200 were observed during the Discovery–Container Discovery phase, enabling attackers to exploit weak dependencies in containerized environments. Figure 7 displays the impact, base score, and exploitability, with average values of 4.8, 7.5, and 2.4 for TeamTNT.

Figure 7
Bar chart titled “Impact, Base Score, and Exploitability Scores by Resource Hijacking Phase” showing scores for various adversarial tactics. The chart displays three colored bars for each tactic: green for impact, blue for base score, and red for exploitability. Techniques and CVEs are listed on the right, with tactics including reconnaissance, resource development, initial access, and others. Scores range from 1.0 to 10.0.

Figure 7. Resource hijacking impact, base score, and exploitability.

We demonstrated adversarial tactics and techniques in exploiting FIDO2 for MFA and container orchestration vulnerabilities from initial activity to impact, where existing risk assessment frameworks, such as the EBIOS risk manager, only assume external attacks while overlooking factors such as internal threats, misconfigurations, and interdependencies, which significantly amplify vulnerabilities. Quantitative metrics from the National Vulnerability Database (NVD) are used to evaluate by averaging impact, base score, and exploitability scores derived from Common Vulnerabilities and Exposures (CVE) (Booth et al., 2013), as an improvement over prior studies from Devi Priya et al. (2023), Wong et al. (2023), Mills et al. (2023), and Yosifova et al. (2021). The following subsection details how fuzzy logic harmonizes these metrics with the complexity resilience index, enabling risk level determination and mitigation strategies.

5.3 Risk level determination

Fuzzy logic, as explained in Section 4.3, is a key component of our multi-attribute risk assessment framework, implemented using the skfuzzy library in Python (Warner, 2022). By processing uncertain conditions with adaptive input criteria and flexible rules, fuzzy logic dynamically models imprecise and incomplete data to determine risk levels. It is a control system for managing complex processes. Table 7 shows membership functions for input and output variables for the fuzzification stage. These fuzzy inputs are then processed using rule evaluation in Table 8. We aggregate the results to produce a fuzzy output. Finally, defuzzification converts the fuzzy results into a crisp risk value. It contributes to mitigation activities in section 5.4.

Table 7. Degree of membership functions for input, output variables.

Table 8. Fuzzy logic rules.

5.3.1 Fuzzification

We use trapezoidal membership functions, as described in Section 4.3.1. Table 7 and Figure 8 outline the degree of membership functions for input and output variables for a fuzzy logic-based multi-attribute risk assessment. The variables include Complexity resilience index, Impact, Base score, Exploitability, and Risk level.

Figure 8
Four graphs depict fuzzy logic membership degrees across different indices. Upper left shows “Complexity Resilience Index” from low to very high (0–100 values). Upper right illustrates “Impact” from low to critical (0–10 values). Lower left displays “Base Score” from low to critical (0–10 values). Lower right represents “Exploitability” from low to critical (0–10 values). Each graph uses color-coded regions: blue (low), green (medium), red (high), and gray (very high/critical).

Figure 8. Input variables categorized for fuzzy logic assessment.

5.3.2 Fuzzy inference system

We demonstrate the flexibility of fuzzy rules by using the skfuzzy library to define combinations of AND and OR operators within rules through Python's logical operators, following Section 4.3.2 and the rules in Table 8. We adopt the maximum method outlined in Section 4.3.3, as reflected in Figure 9.

Figure 9
Fuzzy logic diagram illustrating inputs and outputs using the Mamdani method. Four input graphs–Complexity Resilience Index, Impact, Base Score, and Exploitability–each display overlapping colored regions for different values: Low, Medium, High, and Critical. These inputs are processed to produce the Risk Membership Functions output graph with similar categories. Arrows indicate flow from inputs to the output.

Figure 9. Fuzzy inference system plotting.

The following risk level and score determination is composed according to ISO 31000 (International Organization for Standardization, 2018).

Critical level: Extreme chaos, scores between 90–100.

High level: consider inspection and resolution, scores between 70–89.0.

Medium level: Analyze after addressing high and critical risk, scores between 40–69.0.

Low level: Minimal danger to intellectual property and infrastructure, scores between 0–39.0.

5.3.3 Defuzzification–risk assessment

We use a discrete centroid for defuzzification as outlined in Section 4.3.4. We reference the complexity resilience index and the impact, base score, and exploitability from Figures 3–7. The risk assessment results are shown in Figure 10.

Figure 10
Five line graphs demonstrating risk levels for different cybersecurity incidents. Each graph represents varying degrees of membership for risk categories: low, medium, high, and catastrophic. Graph titles are: a. Data Destruction, b. Endpoint DoS, c. Network DoS, d. Inhibit System Recovery, e. Resource Hijacking. Each graph features intersecting colored lines illustrating risk progression, with a y-axis labeled “Membership” and an x-axis labeled “Risk” marked from zero to one hundred.

Figure 10. Risk assessment result. (a) Data destruction, (b) Endpoint DoS, (c) Network Dos, (d) Inhibit system recovery, (e) Resource hijacking.

Table 9 presents a multi-attribute risk assessment based on fuzzy logic, comprehensively analyzing five adversarial techniques. Data destruction and resource hijacking were identified as the highest-risk attacks among the evaluated techniques, scoring 70.47 and 74.60, respectively. These scores are categorized as “High” risk, reflecting their significant potential consequences. This underscores the urgent need for robust and proactive mitigation strategies, as these threats could cause extensive damage to critical systems without effective countermeasures. In contrast, threats such as Endpoint Denial of Service (DoS), Network DoS, and Inhibit System Recovery were classified as “Medium” risks, with scores of 59.56, 55.44, and 57.45, respectively. Although these threats can cause substantial disruptions, their lower scores suggest reduced consequences. Nevertheless, they still require attention, as their potential to degrade system performance and availability necessitates ongoing monitoring and appropriate security measures.

Table 9. Risk assessment determination.

The following subsection outlines detailed control activities across detection, mitigation, and prevention layers to address these identified risks.

5.4 Risk mitigation and reduction activities

While traditional cloud risk assessments such as Tanimoto et al. (2014) quantify risk across asset, threat, and vulnerability dimensions, they often apply static values to mitigation efforts without accounting for the depth or layering of controls. In contrast, this study introduces a quantitative model that evaluates risk reduction based on the cumulative effectiveness of layered safeguards. The strategies in Tables 10–14 describe specific control actions arranged into three important layers: detection, mitigation, and prevention. This layered approach follows the principle from the Certified Information Systems Security Professional (CISSP) framework (Chapple et al., 2018), which defines residual risk as the total risk minus the effect of safeguards that are in place. To estimate how much risk is reduced, we assign effectiveness values depending on how many layers are applied. When all three layers are implemented, the effectiveness factor is set at 5%. If only two layers are used, this drops to 3%, and if only one is active, it reduces further to 1%. If no controls are used, the risk remains unchanged. These values reflect each layer's relative contribution to lowering risk.

Table 10. Proposed mitigation activities: data destruction.

Table 11. Proposed mitigation details: endpoint DoS.

Table 12. Proposed mitigation activities: network DoS.

Table 13. Proposed mitigation activities: inhibit system recovery.

Table 14. Proposed mitigation activities: resource hijacking.

This method aligns with the prioritization logic in the Scaled Agile Framework (SAFe) (Knaster and Leffingwell, 2020), specifically the Weighted Shortest Job First (WSJF) model, which includes risk reduction as a key factor when deciding which actions should be prioritized. The reduction in risk is calculated using the following Equations 21, 22:

$$\Delta R_{stage} = R_{current} \times E \tag{21}$$

$$R_{after} = R_{current} - \Delta R_{stage} \tag{22}$$

In these equations, $R_{current}$ is the risk before applying any controls, $E$ is the effectiveness factor based on the number of layers, and $\Delta R_{stage}$ is the amount of risk reduced. The result, $R_{after}$, shows the remaining risk after controls are applied. By repeating this calculation across stages, the model supports a gradual and measurable path toward acceptable risk levels.
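Repeating Equations 21 and 22 shows how many stages each layering option needs before a technique leaves its risk band. The following is an added example, not the authors' tool; the `target` threshold is an assumed acceptance level, and each band is assumed to start at its stated lower bound so that scores between 69.0 and 70 count as Medium.

```python
# Effectiveness factor E by number of active control layers
# (detection, mitigation, prevention), as stated in the text.
EFFECTIVENESS = {0: 0.00, 1: 0.01, 2: 0.03, 3: 0.05}

# Risk scores reported in the text for the five techniques.
REPORTED_RISK = {
    "Data Destruction": 70.47,
    "Endpoint DoS": 59.56,
    "Network DoS": 55.44,
    "Inhibit System Recovery": 57.45,
    "Resource Hijacking": 74.60,
}

# Lower bounds of the risk bands quoted in the text (assumption: a band
# begins at its lower bound, which closes the gaps such as 69.0 to 70).
BANDS = ((90.0, "Critical"), (70.0, "High"), (40.0, "Medium"), (0.0, "Low"))


def risk_level(score):
    """Classify a 0-100 risk score into the bands quoted in the text."""
    if not 0.0 <= score <= 100.0:
        raise ValueError("risk score must lie in [0, 100]")
    for lower_bound, name in BANDS:
        if score >= lower_bound:
            return name


def apply_stage(r_current, layers):
    """One stage of Equations 21 and 22 for the given number of layers."""
    delta = r_current * EFFECTIVENESS[layers]   # Equation 21
    return r_current - delta                    # Equation 22


def residual_path(r_start, layers, stages):
    """Residual risk after 0, 1, ..., `stages` repeated stages."""
    path = [r_start]
    for _ in range(stages):
        path.append(apply_stage(path[-1], layers))
    return path


def stages_to_reach(r_start, layers, target, max_stages=1000):
    """Stages needed until residual risk drops below `target`.

    Returns 0 if the start is already below the target and None if the
    target cannot be reached (no controls applied, or max_stages hit).
    """
    if r_start < target:
        return 0
    if EFFECTIVENESS[layers] == 0.0:
        return None
    risk = r_start
    for stage in range(1, max_stages + 1):
        risk = apply_stage(risk, layers)
        if risk < target:
            return stage
    return None


if __name__ == "__main__":
    for name, score in REPORTED_RISK.items():
        per_layer = {n: stages_to_reach(score, n, 70.0) for n in (0, 1, 2, 3)}
        print(f"{name:24s} {score:6.2f} {risk_level(score):7s} "
              f"stages to leave High by layers: {per_layer}")
```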

6 Discussion

This section compares the proposed multi-attribute risk assessment with the NIST Risk Management Framework (RMF) (NIST, 2012) and the EBIOS Risk Manager (de la Sécurité des Systémes d'Information, 2019), and discusses the five impacts of adversarial techniques and the limitations of the proposed framework. Table 15 describes the comparisons.

1. Data destruction: Adversaries may delete or overwrite data to disrupt services in cloud environments by targeting snapshots and backups. Our framework quantifies the severity of data destruction, enabling prioritization of recovery efforts. Mitigation strategies include, but are not limited to, backup policies, real-time anomaly detection, and monitoring of container and file creation.

2. Endpoint Denial of Service (DoS): Endpoint DoS targets specific layers of the application stack, such as operating systems, servers, databases, and web applications. These attacks exploit flaws to exhaust resources or crash systems. Mitigation strategies include, but are not limited to, geo-blocking, monitoring API logs, and filtering traffic. We also monitor account events and permissions.

3. Network Denial of Service (DoS): Network DoS attacks flood bandwidth, paralyzing website access, email, and MFA systems. These attacks can disrupt critical container orchestration pipelines and hinder cloud-based applications. Mitigation strategies include, but are not limited to, developing network security policies, monitoring user authentication and unusual data flow, filtering traffic, and maintaining system availability.

4. Inhibit system recovery: Adversaries may disable recovery tools, delete backups, or erase version histories. These include volume shadow copies and automated repair features. Mitigation strategies include but are not limited to a zero-trust policy, monitoring for suspicious use of docker commands, executing commands that may exfiltrate data to cloud storage, and redundancy protocols.

5. Resource hijacking: Adversaries may exploit compromised systems that use many resources to conduct cryptocurrency mining to degrade performance. The framework prioritizes Resource Hijacking as the highest risk. It informs targeted mitigation strategies, including but not limited to enhanced monitoring and analysis of traffic patterns and packet inspection and logs for suspicious container deployments that use excessive resource usage to determine anomalous activities.

Table 15. Comparison of FuzzyFortify, NIST RMF, and EBIOS risk manager.

Although the proposed multi-attribute risk assessment framework offers practical enhancements over traditional models, several limitations remain. Firstly, the current expert judgment model assumes equal weighting among all experts, without accounting for differences in professional experience, specialization, or confidence levels. While this simplifies aggregation and aligns with Chang's fuzzy AHP methodology, it may overlook nuances in expert credibility that could refine decision outcomes. Incorporating expert weighting using the Delphi technique in future iterations may improve the reliability of aggregated judgments.

Secondly, the domain mapping matrix lacks granularity for detailed analysis, which currently uses a binary representation (1 for correlation, 0 for no correlation) to quantify the relationship between assets and best practices. Given the evolving sophistication of cybersecurity requirements, we plan to enhance the web-based tool for more comprehensive numerical representations.

Thirdly, the framework's risk reduction output depends on the inclusion of detection, mitigation, and prevention activities. While assigning fixed effectiveness weights (5%, 3%, and 1%), inspired by CISSP's layered defense principle and the Scaled Agile Framework's prioritization logic, offers a structured basis for quantifying control impact, it assumes linear and independent contributions from each layer. This simplification may not reflect the interdependencies between controls in dynamic threat environments, especially when novel adversarial tactics bypass known defenses, resulting in a potential 0% reduction. To address this, future work should consider applying fuzzy scoring to represent control effectiveness, allowing for gradual transitions, uncertainty, and overlapping impacts among detection, mitigation, and prevention activities. Treating the framework as an adaptive system through threat intelligence (e.g., MITRE ATT&CK) and feedback from practitioners would enhance its responsiveness.

7 Conclusion and future work

We present a multi-attribute risk assessment framework through a three-step approach to address critical challenges in securing FIDO2-enabled Multi-Factor Authentication (MFA) and AWS-labeled container orchestration in cloud environments. To the best of our knowledge, no prior work has explored this specific integration. First, the framework introduces a Complexity Resilience Index, which combines objective expert judgments from a modified Fuzzy AHP process to prioritize CIA and AAN security properties, alongside a domain mapping matrix to quantify system complexity across components, interfaces, and architecture. This mapping aligns security properties with three structural levels: availability and non-repudiation at the component level, integrity, authentication, and authorization at the interface level, and confidentiality at the architectural level. Second, fuzzy logic integrates the Complexity Resilience Index with CVE metrics: impact, base score, and exploitability, enabling risk prioritization under uncertainty. Third, the entire framework is deployed as an interactive, publicly available web-based tool to support practitioner adoption. The implementation source code is shared via GitHub, as referenced in the Availability of Source Code section.

Unlike existing frameworks, such as the EBIOS Risk Manager, which often rely on subjective and approximate assessments, our framework directly addresses the complexity inherent in cloud-native systems by aligning asset provisioning with domain best practices. It dynamically maps structural and adversarial threat metrics to help prioritize critical threats, such as resource hijacking and data destruction, thereby delivering evidence-based decisions for more targeted mitigation. This empowers organizations to respond proactively to evolving risks while considering often-overlooked vulnerabilities such as internal threats, configuration errors, and architectural interdependencies. Through adaptive input criteria and flexible rule-based inference, the framework enhances cybersecurity posture by guiding mitigation strategies that remain effective across detection, mitigation, and prevention layers. It also leverages MITRE ATT&CK intelligence to ensure that control decisions remain relevant to real-world adversarial tactics.

Looking ahead, we plan to expand the framework with a cost-benefit analysis module to quantify the operational costs and benefits of asset provision and mitigation actions. This will help define defensible mitigation timelines and support resource allocation based on cost-efficiency. We also intend to conduct testbed-based evaluations and run cybersecurity training programs using the web-based tool, allowing practitioners to validate the model's effectiveness in realistic scenarios. These efforts aim to ensure both theoretical soundness and practical applicability for securing cloud-native infrastructures.

Data availability statement

Publicly available datasets were analyzed in this study. This data can be found here: https://github.com/udahafeez7/public_cybersecurityexercise.git.

Author contributions

MHH: Writing – original draft, Writing – review & editing. MDH: Conceptualization, Data curation, Formal analysis, Investigation, Methodology, Supervision, Validation, Visualization, Writing – review & editing. YT: Conceptualization, Data curation, Formal analysis, Investigation, Methodology, Project administration, Resources, Software, Supervision, Validation, Visualization, Writing – review & editing. YK: Conceptualization, Data curation, Formal analysis, Funding acquisition, Investigation, Methodology, Project administration, Resources, Software, Supervision, Validation, Visualization, Writing – review & editing.

Funding

The author(s) declare that financial support was received for the research and/or publication of this article. This study was funded by the ICSCoE Core Human Resources Development Program Japan.

Acknowledgments

This work is supported by the Laboratory of Cyber Resilience, Information Science Division, Nara Institute of Science and Technology, Japan.

Conflict of interest

The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Generative AI statement

The author(s) declare that no Gen AI was used in the creation of this manuscript.

Publisher's note

All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article, or claim that may be made by its manufacturer, is not guaranteed or endorsed by the publisher.

Supplementary material

The Supplementary Material for this article can be found online at: https://www.frontiersin.org/articles/10.3389/fcomp.2025.1557918/full#supplementary-material

References

Alahmad, Y., Daradkeh, T., and Agarwal, A. (2019). “Optimized availability-aware component scheduler for applications in container-based cloud,” in 2019 Sixth International Conference on Software Defined Systems (SDS), 194–199. doi: 10.1109/SDS.2019.8768654

PubMed Abstract | Crossref Full Text | Google Scholar

Alali, M., Almogren, A., Hassan, M. M., Rassan, I. A., and Bhuiyan, M. Z. A. (2018). Improving risk assessment model of cyber security using fuzzy logic inference system. Comput. Secur. 74, 323–339. doi: 10.1016/j.cose.2017.09.011

Crossref Full Text | Google Scholar

Assump cão, P., Oliveira, C., Ortiz, P., Melo, W., and Carmo, L. (2022). “A secure cloud-based architecture for monitoring cyber-physical critical infrastructures,” in 2022 6th Cyber Security in Networking Conference (CSNet), 1–7. doi: 10.1109/CSNet56116.2022.9955607

Crossref Full Text | Google Scholar

Bánáti, A., Kail, E., Karóczkai, K., and Kozlovszky, M. (2018). “Authentication and authorization orchestrator for microservice-based software architectures,” in 2018 41st International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 1180–1184. doi: 10.23919/MIPRO.2018.8400214

Crossref Full Text | Google Scholar

Bhol, S. G., Mohanty, J., and Pattnaik, P. K. (2023). Taxonomy of cyber security metrics to measure strength of cyber security. Mater. Today 80, 2274–2279. doi: 10.1016/j.matpr.2021.06.228

PubMed Abstract | Crossref Full Text | Google Scholar

Blaise, A., and Rebecchi, F. (2022). “Stay at the helm: secure kubernetes deployments via graph generation and attack reconstruction,” in 2022 IEEE 15th International Conference on Cloud Computing (CLOUD), 59–69. doi: 10.1109/CLOUD55607.2022.00022

Crossref Full Text | Google Scholar

Booth, H., Rike, D., and Witte, G. A. (2013). The National Vulnerability Database (NVD): Overview.

Google Scholar

Bracke, V., Santos, J., Wauters, T., De Turck, F., and Volckaert, B. (2024). A multiobjective metaheuristic-based container consolidation model for cloud application performance improvement. J. Netw. Syst. Manag. 32:61. doi: 10.1007/s10922-024-09835-7

Crossref Full Text | Google Scholar

Business Insight (2023). Containers as a service market size, share | 2024 to 2031. Available online at: https://www.businessresearchinsights.com/market-reports/containers-as-a-service-market-106392 (Accessed October 23, 2024).

Google Scholar

Cao, C., Blaise, A., Verwer, S., and Rebecchi, F. (2022). “Learning state machines to monitor and detect anomalies on a kubernetes cluster,” in Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES '22 (New York, NY, USA: Association for Computing Machinery). doi: 10.1145/3538969.3543810

Crossref Full Text | Google Scholar

Casola, V., De Benedictis, A., Mazzocca, C., and Orbinato, V. (2024). Secure software development and testing: a model-based methodology. Comput. Secur. 137:103639. doi: 10.1016/j.cose.2023.103639

Crossref Full Text | Google Scholar

Chang, D.-Y. (1996). Applications of the extent analysis method on fuzzy ahp. Eur. J. Oper. Res. 95, 649–655. doi: 10.1016/0377-2217(95)00300-2

Crossref Full Text | Google Scholar

Chapple, M., Stewart, J. M., and Gibson, D. (2018). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. SYBEX Inc., USA, 8th edition.

Google Scholar

de la Sécurité des Systémes d'Information, A. N. (2019). La méthode ebios risk manager—le guide. Technical Report ANSSI-PA-048-EN, Agence Nationale de la Sécurité des Systémes d'Information, Paris, France.

Google Scholar

Derhab, A., Belaoued, M., Guerroumi, M., and Khan, F. A. (2020). Two-factor mutual authentication offloading for mobile cloud computing. IEEE Access 8, 28956–28969. doi: 10.1109/ACCESS.2020.2971024

Crossref Full Text | Google Scholar

Devi Priya, V. S., Sethuraman, S. C., and Khan, M. K. (2023). Container security: precaution levels, mitigation strategies, and research perspectives. Comput. Secur. 135:103490. doi: 10.1016/j.cose.2023.103490

Crossref Full Text | Google Scholar

Dissanayaka, A. M., Mengel, S., Gittner, L., and Khan, H. (2020). “Vulnerability prioritization, root cause analysis, and mitigation of secure data analytic framework implemented with Mongodb on singularity linux containers,” in Proceedings of the 2020 4th International Conference on Compute and Data Analysis, 58–66. doi: 10.1145/3388142.3388168

Crossref Full Text | Google Scholar

Emrouznejad, A., and Ho, W. (2017). Fuzzy analytic hierarchy process. doi: 10.1201/9781315369884

Crossref Full Text | Google Scholar

Flavia, B. J., and Chelliah, B. J. (2023). Artificial lizard search optimized fuzzy logic approach to addressing authentication and data security challenges in p2p cloud environments. Comput. Secur. 135:103475. doi: 10.1016/j.cose.2023.103475

Crossref Full Text | Google Scholar

Forman, E., and Peniwati, K. (1998). Aggregating individual judgments and priorities with the analytic hierarchy process. Eur. J. Oper. Res. 108, 165–169. doi: 10.1016/S0377-2217(97)00244-0

Crossref Full Text | Google Scholar

Gao, X., Gu, Z., Li, Z., Jamjoom, H., and Wang, C. (2019). “Houdini's escape: breaking the resource rein of linux control groups,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 1073–1086. doi: 10.1145/3319535.3354227

Crossref Full Text | Google Scholar

Geramian, A., Abraham, A., and Ahmadi Nozari, M. (2019). Fuzzy logic-based FMEA robust design: a quantitative approach for robustness against groupthink in group/team decision-making. Int. J. Prod. Res. 57, 1331–1344. doi: 10.1080/00207543.2018.1471236

Crossref Full Text | Google Scholar

Ghorbani Lyastani, S., Schilling, M., Neumayr, M., Backes, M., and Bugiel, S. (2020). “Is fido2 the kingslayer of user authentication? A comparative usability study of fido2 passwordless authentication,” in 2020 IEEE Symposium on Security and Privacy (SP), 268–285. doi: 10.1109/SP40000.2020.00047

Crossref Full Text | Google Scholar

Grimes, R. A. (2020). Hacking Multifactor Authentication. New York: John Wiley &Sons. doi: 10.1002/9781119672357

PubMed Abstract | Crossref Full Text | Google Scholar

Haripriya, A. P., and Kulothungan, K. (2019). Secure-MQTT: an efficient fuzzy logic-based approach to detect dos attack in MQTT protocol for internet of things. EURASIP J. Wirel. Commun. Netw. 2019:90. doi: 10.1186/s13638-019-1402-8

Crossref Full Text | Google Scholar

Henricks, A., and Kettani, H. (2020). “On data protection using multi-factor authentication,” in Proceedings of the 2019 International Conference on Information System and System Management, ISSM 2019 (New York, NY, USA: Association for Computing Machinery), 1–4. doi: 10.1145/3394788.3394789

Crossref Full Text | Google Scholar

Hersyah, M. H., Hossain, M. D., Taenaka, Y., and Kadobayashi, Y. (2023). “A risk assessment study: encircling docker container assets on IAAS cloud computing topology,” in 2023 6th Conference on Cloud and Internet of Things (CIoT), 225–230. doi: 10.1109/CIoT57267.2023.10084910

Crossref Full Text | Google Scholar

Huang, H., Sun, B., and Hu, L. (2024). A task offloading approach based on risk assessment to mitigate edge DDOS attacks. Comput. Secur. 140:103789. doi: 10.1016/j.cose.2024.103789

Crossref Full Text | Google Scholar

International Organization for Standardization (2018). Risk Management—Guidelines. ISO, Geneva, Switzerland: ISO 31000, 2018.

PubMed Abstract | Google Scholar

Jun, Z. (2017). A security architecture for cloud computing alliance. Recent Adv. Electr. Electr. Eng. 10, 195–201. doi: 10.2174/2352096510666170601091846

Crossref Full Text | Google Scholar

Kim, H., Lee, D., and Ryou, J. (2020). “User authentication method using fido based password management for smart energy environment,” in 2020 International Conference on Data Mining Workshops (ICDMW), 707–710. doi: 10.1109/ICDMW51313.2020.00100

Crossref Full Text | Google Scholar

Knaster, R., and Leffingwell, D. (2020). SAFe 5.0 Distilled: Achieving Business Agility with the Scaled Agile Framework. Boston: Addison-Wesley Professional.

Google Scholar

Koksal, S., Catak, F. O., and Dalveren, Y. (2024). Flexible and lightweight mitigation framework for distributed denial-of-service attacks in container-based edge networks using kubernetes. IEEE Access 12, 172980–172991. doi: 10.1109/ACCESS.2024.3501192

Crossref Full Text | Google Scholar

Kudo, R., Kitahara, H., Gajananan, K., and Watanabe, Y. (2021). “Integrity protection for kubernetes resource based on digital signature,” in 2021 IEEE 14th International Conference on Cloud Computing (CLOUD), 288–296. doi: 10.1109/CLOUD53861.2021.00042

Crossref Full Text | Google Scholar

Kure, H. I., Islam, S., Ghazanfar, M., Raza, A., and Pasha, M. (2022). Asset criticality and risk prediction for an effective cybersecurity risk management of cyber-physical system. Neural Comput. Applic. 34, 493–514. doi: 10.1007/s00521-021-06400-0

Crossref Full Text | Google Scholar

Lee, J.-B., Yoo, T.-H., Lee, E.-H., Hwang, B.-H., Ahn, S.-W., and Cho, C.-H. (2021). High-performance software load balancer for cloud-native architecture. IEEE Access 9, 123704–123716. doi: 10.1109/ACCESS.2021.3108801

Crossref Full Text | Google Scholar

Mahavaishnavi, V., Saminathan, R., and Prithviraj, R. (2024). Secure container orchestration: a framework for detecting and mitigating orchestrator-level vulnerabilities. Multimed. Tools Appl. 84, 18351–18371. doi: 10.1007/s11042-024-19613-x

Crossref Full Text | Google Scholar

Maurer, M., and Lindemann, U. (2008). “The application of the multiple-domain matrix: Considering multiple domains and dependency types in complex product design,” in 2008 IEEE International Conference on Systems, Man and Cybernetics, 2487–2493. doi: 10.1109/ICSMC.2008.4811669

Crossref Full Text | Google Scholar

McCabe, T. (1976). A complexity measure. IEEE Trans. Softw. Eng. SE-2, 308–320. doi: 10.1109/TSE.1976.233837

Crossref Full Text | Google Scholar

Mills, A., White, J., and Legg, P. (2023). Longitudinal risk-based security assessment of docker software container images. Comput. Secur. 135:103478. doi: 10.1016/j.cose.2023.103478

Crossref Full Text | Google Scholar

Minna, F., Blaise, A., Rebecchi, F., Chandrasekaran, B., and Massacci, F. (2021). Understanding the security implications of kubernetes networking. IEEE Secur. Priv. 19, 46–56. doi: 10.1109/MSEC.2021.3094726

Crossref Full Text | Google Scholar

MITRE ATT&CK. (2024a). Apt28 (sandworm team) - russian cyber espionage group. Available online at: https://attack.mitre.org/groups/G0034/ (accessed May 18, 2024).

Google Scholar

MITRE ATT&CK. (2024b). Apt38 - north korean cyber threat group. Available online at: https://attack.mitre.org/groups/G0082/ (accessed November 18, 2024).

Google Scholar

MITRE ATT&CK. (2024c). Teamtnt - cloud-focused cyber threat group. Available online at: https://attack.mitre.org/groups/G0139/ (accessed May 18, 2024).

Google Scholar

MITRE ATT&CK. (2024d). Wizardspider - cybercrime group focused on financial operations. Available online at: https://attack.mitre.org/groups/G0102/ (accessed May 18, 2024).

PubMed Abstract | Google Scholar

MITRE Corporation (2024). MITRE ATT&CK Framework for Containers. Available online at: https://attack.mitre.org/matrices/enterprise/containers/ (accessed September 22, 2024).

Google Scholar

Mostajeran, E., Mydin, M. N. M., Khalid, M. F., Ismail, B. I., Kandan, R., and Hoe, O. H. (2017). “Quantitative risk assessment of container based cloud platform,” in 2017 IEEE Conference on Application, Information and Network Security (AINS), 19–24. doi: 10.1109/AINS.2017.8270418

PubMed Abstract | Crossref Full Text | Google Scholar

Nguyen, C. D. (2020). A Design Analysis of Cloud-Based Microservices Architecture at Netflix.

Google Scholar

NIST (2012). NIST SP 800-37 Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems. Scotts Valley, CA: CreateSpace.

Google Scholar

Ogundoyin, S. O., and Kamil, I. A. (2020). A fuzzy-ahp based prioritization of trust criteria in fog computing services. Appl. Soft Comput. 97:106789. doi: 10.1016/j.asoc.2020.106789

Crossref Full Text | Google Scholar

Outkin, A. V., Schulz, P. V., Schulz, T., Tarman, T. D., and Pinar, A. (2023). Defender policy evaluation and resource allocation with MITRE ATT&CK evaluations data. IEEE Trans. Depend. Secure Comput. 20, 1909–1926. doi: 10.1109/TDSC.2022.3165624

Crossref Full Text | Google Scholar

OWASP (2024a). Cloud architecture security cheat sheet. Available online at: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet.html (accessed May 20, 2024).

Google Scholar

OWASP (2024b). Docker security cheat sheet. Available online at: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html (accessed May 20, 2024).

Google Scholar

OWASP (2024c). Kubernetes security cheat sheet. Available online at: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html (accessed May 20, 2024).

Google Scholar

Pöhn, D., Gruschka, N., Ziegler, L., and Büttner, A. (2023). A framework for analyzing authentication risks in account networks. Comput. Secur. 135:103515. doi: 10.1016/j.cose.2023.103515

Crossref Full Text | Google Scholar

Renaud, K., Warkentin, M., Pogrebna, G., and van der Schyff, K. (2024). Vista: an inclusive insider threat taxonomy, with mitigation strategies. Inf. Manag. 61:103877. doi: 10.1016/j.im.2023.103877

Crossref Full Text | Google Scholar

Schiavone, E., Ceccarelli, A., and Bondavalli, A. (2016). “Continuous authentication and non-repudiation for the security of critical systems,” in 2016 IEEE 35th Symposium on Reliable Distributed Systems (SRDS), 207–208. doi: 10.1109/SRDS.2016.033

PubMed Abstract | Crossref Full Text | Google Scholar

Seifermann, S., Heinrich, R., and Reussner, R. (2019). “Data-driven software architecture for analyzing confidentiality,” in 2019 IEEE International Conference on Software Architecture (ICSA), 1–10. doi: 10.1109/ICSA.2019.00009

Crossref Full Text | Google Scholar

Sheard, S. A., and Mostashari, A. (2009). Principles of complex systems for systems engineering. Syst. Eng. 12, 295–311. doi: 10.1002/sys.20124

Crossref Full Text | Google Scholar

Sinha, K. (2014). Structural complexity and its implications for design of cyber-physical systems. PhD thesis, Massachusetts Institute of Technology.

Google Scholar

Sinha, K., and Suh, E. S. (2018). Pareto-optimization of complex system architecture for structural complexity and modularity. Res. Eng. Design 29, 123–141. doi: 10.1007/s00163-017-0260-9

Crossref Full Text | Google Scholar

Sultan, S., Ahmad, I., and Dimitriou, T. (2019). Container security: issues, challenges, and the road ahead. IEEE Access 7, 52976–52996. doi: 10.1109/ACCESS.2019.2911732

Crossref Full Text | Google Scholar

Taleby Ahvanooey, M., Zhu, M. X., Ou, S., Dana Mazraeh, H., Mazurczyk, W., Choo, K.-K. R., et al. (2023). Afpr-am: a novel fuzzy-AHP based privacy risk assessment model for strategic information management of social media platforms. Comput. Secur. 130:103263. doi: 10.1016/j.cose.2023.103263

Crossref Full Text | Google Scholar

Tanimoto, S., Sato, R., Kato, K., Iwashita, M., Seki, Y., Sato, H., et al. (2014). “A study of risk assessment quantification in cloud computing,” in 2014 17th International Conference on Network-Based Information Systems, 426–431. doi: 10.1109/NBiS.2014.11

Crossref Full Text | Google Scholar

Tran, T. N. T., Felfernig, A., and Le, V. M. (2024). An overview of consensus models for group decision-making and group recommender systems. User Model. User-Adapt. Interact. 34, 489–547. doi: 10.1007/s11257-023-09380-z

Crossref Full Text | Google Scholar

Truyen, E., Kratzke, N., Van Landuyt, D., Lagaisse, B., and Joosen, W. (2020). Managing feature compatibility in kubernetes: vendor comparison and analysis. IEEE Access 8, 228420–228439. doi: 10.1109/ACCESS.2020.3045768

Crossref Full Text | Google Scholar

Warner, J. S. (2022). scikit-fuzzy: Fuzzy logic toolbox for python. Available online at: https://pypi.org/project/scikit-fuzzy/ (accessed November 02, 2024).

PubMed Abstract | Google Scholar

Wong, A. Y., Chekole, E. G., Ochoa, M., and Zhou, J. (2023). On the security of containers: Threat modeling, attack analysis, and mitigation strategies. Comput. Secur. 128:103140. doi: 10.1016/j.cose.2023.103140

Crossref Full Text | Google Scholar

Wu, H., Wu, Y., and Zhang, J. (2023). Risk assessment modeling with application in the accounting cloud-service industry. Expert Syst. Appl. 229:120526. doi: 10.1016/j.eswa.2023.120526

Crossref Full Text | Google Scholar

Yosifova, V., Tasheva, A., and Trifonov, R. (2021). “Predicting vulnerability type in common vulnerabilities and exposures (cve) database with machine learning classifiers,” in 2021 12th National Conference with International Participation (ELECTRONICA) (IEEE), 1–6. doi: 10.1109/ELECTRONICA52725.2021.9513723

Crossref Full Text | Google Scholar

Zadeh, L. A. (1965). Fuzzy sets. Inf. Control 8, 338–353. doi: 10.1016/S0019-9958(65)90241-X

Crossref Full Text | Google Scholar

Zahoor, E., Chaudhary, M., Akhtar, S., and Perrin, O. (2023). A formal approach for the identification of redundant authorization policies in kubernetes. Comput. Secur. 135:103473. doi: 10.1016/j.cose.2023.103473

Crossref Full Text | Google Scholar

Keywords: MFA, Docker, Kubernetes, fuzzy logic, multi-attribute risk assessment, cloud computing

Citation: Hafiz Hersyah M, Hossain MD, Taenaka Y and Kadobayashi Y (2025) Fuzzyfortify: a multi-attribute risk assessment for multi-factor authentication and cloud container orchestration. Front. Comput. Sci. 7:1557918. doi: 10.3389/fcomp.2025.1557918

Received: 09 January 2025; Accepted: 16 June 2025; Published: 07 July 2025.

Edited by:

Silvio Ranise, University of Trento, Italy

Reviewed by:

Mengmeng Ren, Xidian University, China
Tarun Kumar Vashishth, IIMT University, India

Copyright © 2025 Hafiz Hersyah, Hossain, Taenaka and Kadobayashi. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.

*Correspondence: Mohammad Hafiz Hersyah
