Fuzzy Tsukamoto-Based Cybersecurity Risk Prioritization in Cybersecurity Assessment

Zain Jamal Husain, Arry Maulana Syarif

Abstract


Increasing cyber threats require organizations to adopt measurable mechanisms for cybersecurity risk prioritization. The Cyber Security Maturity (CSM) framework issued by Badan Siber dan Sandi Negara is widely used to assess cybersecurity capability; however, its results remain descriptive and lack computational support for prioritization. This study proposes a cybersecurity risk prioritization model using Fuzzy Logic Tsukamoto, with maturity values from five CSM aspects as input variables. A total of 100 simulated datasets were generated using a rule-based scenario approach to represent diverse maturity conditions. Trapezoidal and triangular membership functions were applied, and the fuzzy rule base consisted of 15 rules based on the weakest-link principle. Results show that 88% of the data include at least one aspect in a transition zone and are consistently processed by the model. The output produces a distribution of 46% low, 44% medium, and 10% high risk within a 0–100 range, providing a structured, measurable, and reproducible prioritization approach.
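The Tsukamoto inference step described in the abstract can be illustrated as follows; this is an added example, not code or parameters from the paper. The 1–5 maturity scale, the membership breakpoints, the aspect names and the three rules applied to the weakest aspect are constructed assumptions (the paper's 15 rules are not given on this page). The medium-risk consequent is fixed at 50 because Tsukamoto needs a monotonic consequent to map a firing strength to one crisp value.

```python
# Added example: Tsukamoto inference over five maturity scores.
# The 1-5 scale, breakpoints, aspect names and rules are constructed assumptions.

def low(x):     # trapezoid (left shoulder): 1 up to 2, falls to 0 at 3
    return max(0.0, min(1.0, 3.0 - x))

def medium(x):  # triangle: feet at 2 and 4, peak at 3
    return max(0.0, min(x - 2.0, 4.0 - x))

def high(x):    # trapezoid (right shoulder): rises from 3, 1 from 4 on
    return max(0.0, min(1.0, x - 3.0))

# Each rule: (antecedent set, inverse of the consequent membership on 0-100 risk).
# Tsukamoto maps a firing strength alpha to one crisp z per rule.
RULES = [
    (low,    lambda a: 50.0 + 50.0 * a),  # weakest aspect low    -> risk high
    (medium, lambda a: 50.0),             # weakest aspect medium -> risk medium
    (high,   lambda a: 50.0 - 50.0 * a),  # weakest aspect high   -> risk low
]

def in_transition(scores):
    """True if any aspect belongs to two fuzzy sets at once."""
    return any(sum(mu(v) > 0 for mu in (low, medium, high)) > 1
               for v in scores.values())

def risk_score(scores):
    """Crisp 0-100 risk: alpha-weighted mean of each rule's crisp output."""
    weakest = min(scores.values())  # weakest link: the worst aspect drives risk
    fired = [(mu(weakest), inv) for mu, inv in RULES]
    num = sum(a * inv(a) for a, inv in fired)
    den = sum(a for a, _ in fired)
    return num / den

# Constructed sample assessment (not data from the study).
sample = {"governance": 4.5, "identification": 3.5, "protection": 2.5,
          "detection": 4.0, "response": 4.0}

if __name__ == "__main__":
    print(in_transition(sample), risk_score(sample))
```

With the constructed sample, the weakest aspect (2.5) sits halfway between the low and medium sets, so the high-risk and medium-risk rules each fire at 0.5 and the crisp output falls between their individual values.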


Keywords


Cybersecurity; Cybersecurity Assessment; Fuzzy Tsukamoto; Risk Prioritization

DOI: https://doi.org/10.30591/jpit.v11i2.10363



Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.
