Comprehensive Risk Assessment of Smart Energy Information Security: An Enhanced MCDM-Based Approach

Abstract

To address the challenges of assessing information security risks in smart energy systems, this study proposes a multi-attribute decision support method based on interval type-2 fuzzy numbers (IT2TrFN). First, expert questionnaires were designed to gather insights from eight specialists in the fields of smart energy and safety engineering. Linguistic terms associated with IT2TrFN were employed to evaluate indicators, converting expert judgments into fuzzy numerical values while ensuring data reliability through consistency measurements. Subsequently, a decision hierarchy structure and an expert weight allocation model were developed. By utilizing the score and accuracy functions of IT2TrFN, the study determined positive and negative ideal solutions to rank and prioritize the evaluation criteria. Key influencing factors identified include the rate of excessive initial investment, regulatory stringency, information security standards, environmental pollution pressure, and incident response timeliness. The overall risk index was calculated as 0.5839, indicating a moderate level of information security risk in the evaluated region. To validate the robustness of the model, sensitivity analyses were conducted by varying IT2FWA (Weighted aggregated operator) and IT2FGA (Weighted geometric operator) operator selections and adjusting weight coefficients. The results reveal that key indicators exhibit high risk under different scenarios. This method provides an innovative tool for the scientific evaluation of information security risks in smart energy systems, laying a solid theoretical foundation for broader regional applications and the expansion of assessment criteria.

1. Introduction

Energy is the cornerstone of socio-economic development and plays a crucial role in driving economic growth. For nations committed to sustainable development, energy security remains a top priority. According to the Asia Pacific Energy Research Centre, energy security encompasses the availability, accessibility, environmental adaptability, and cost-effectiveness of sustainable energy resources [1]. Ensuring the security of energy supply is a vital indicator of the clean, low-carbon, and sustainable expansion of energy systems. However, with the continuous growth in global energy demand, energy security faces significant challenges. It is estimated that by 2040, energy consumption in developing countries will increase by 33% [2]. The growth of economic clusters and population further drives energy demand, which, if not effectively managed, could have negative consequences for global energy security.

Amid the accelerated global energy transition and rapid advancements in information technology, smart energy systems have emerged as a key direction for the intelligent, efficient, and sustainable development of the energy industry [3]. Smart energy systems leverage technologies such as the Internet of Things (IoT), big data, and artificial intelligence (AI) to enable intelligent perception, optimized management, and efficient coordination of energy production, transmission, and consumption. However, the “physical-information” coupling characteristics of smart energy systems introduce complex security risks [4]. As the proportion of renewable energy sources continues to rise, changes in the energy structure bring new challenges, such as the instability of renewable energy, insufficient energy storage technologies, and an increased reliance on data in smart energy systems. These issues complicate energy security management, particularly in the realm of information security, where traditional energy management models can no longer meet the needs of modern smart energy systems.

Despite the advantages of smart energy systems in terms of intelligence and sustainability, information security risks are becoming increasingly prominent, posing critical constraints to their healthy development. These risks include concerns over data privacy, system stability, and service continuity, with potentially far-reaching impacts on socio-economic and national security. For instance, smart grids rely on numerous sensors and data transmissions, which, if subjected to cyberattacks or data breaches, could lead to energy supply disruptions and even regional power outages. Additionally, smart energy systems store vast amounts of user data, such as energy usage patterns and consumption records. If these data are unlawfully accessed or misused, it could pose a serious threat to user privacy.

In recent years, cyberattacks on the energy sector have become more common. For example, in 2021, the U.S. Colonial Pipeline suffered a ransomware attack, leading to fuel shortages along the East Coast and exposing vulnerabilities in energy infrastructure cybersecurity [5]. Similarly, smart grids and gas pipelines in Europe and Asia have become frequent targets for hackers. In May 2021, Norway’s energy and infrastructure technology provider, Volue, was attacked by the Ryuk ransomware, resulting in the shutdown of applications for water supply and treatment facilities across 200 cities, affecting 85% of the country’s residents [6]. In December 2023, a cyberattack caused a nationwide disruption of Iran’s gas stations, affecting 70% of fuel service stations [7]. These incidents highlight that the information security risks of smart energy systems have become a global challenge.

To address the information security risks in smart energy systems, intelligent energy risk assessment is essential. The integration of information and communication technology (ICT) into power systems has expanded the potential attack surface for cyber threats, necessitating robust risk assessment methods [8]. However, current research primarily focuses on technical risk analysis, while neglecting environmental, economic, and managerial factors. Additionally, existing information security risk assessments are often domain-specific and lack comprehensive evaluations across all energy systems in a given region. Traditional cybersecurity risk assessment methods, such as attack trees (AT), fault tree analysis (FTA), and risk matrix-based approaches, are based on static models [9]. However, these methods struggle to adapt to the dynamic, complex, and cross-domain nature of smart energy systems. Therefore, a comprehensive and adaptive risk assessment method is urgently needed to effectively identify and address multidimensional risks in smart energy systems.

While previous studies have largely focused on technical solutions and domain-specific applications, this study contributes to the literature by introducing a holistic approach that integrates environmental, technical, economic, and managerial perspectives within the risk assessment process. Multi-Criteria Decision-Making (MCDM) methods have been widely applied in energy security management and risk assessment. MCDM methods allow decision-makers to optimize choices when confronted with multiple conflicting criteria. For example, in the natural gas industry, MCDM methods have been used for pipeline safety assessments to optimize maintenance plans and resource allocation [10]. Similarly, MCDM methods have been applied in the information security risk assessment of smart grids, including fuzzy logic-based MCDM and cumulative prospect theory-based security analysis [11].

The advantage of MCDM methods lies in their ability to simultaneously consider multiple decision factors, such as environmental, economic, technical, and managerial aspects, making them highly applicable in risk assessments for complex systems. Methods such as the Analytic Hierarchy Process (AHP), Decision-Making Trial and Evaluation Laboratory (DEMATEL), VIKOR, and TOPSIS have been applied in the risk analysis of smart energy systems [12]. However, this study extends the application of MCDM methods to the information security risk assessment of smart energy systems by incorporating cross-domain risks, including environmental and managerial aspects, which have often been overlooked in prior research [13]. Despite the effectiveness of MCDM methods in energy security management, certain limitations remain. First, there is a lack of holistic analysis, as most existing studies focus on domain-specific risk assessments, such as smart grids or gas pipelines, rather than considering smart energy systems as an integrated whole. Second, there is an over-reliance on technical aspects, with most studies concentrating on cybersecurity threats such as network attacks and data security, while neglecting environmental, economic, and managerial risks [14].

To address these research gaps, this study introduces a comprehensive MCDM-based risk assessment method for smart energy information security, marking a significant contribution by evaluating risks across multiple domains and offering a holistic framework that systematically integrates and ranks these factors. Interval Type-2 Fuzzy Numbers (IT2TrFN) are advanced fuzzy sets characterized by upper and lower membership functions, enabling the representation of complex uncertainties in decision-making processes. The IT2TrFN method offers significant advantages over traditional fuzzy approaches by capturing higher-order uncertainties in expert judgments, making it particularly suitable for dynamic risk assessment in smart energy systems. This approach evaluates risks from four dimensions—environmental, technical, economic, and managerial—constructing a holistic assessment framework to systematically analyze threats and use MCDM models for comprehensive evaluation and ranking of risk factors, thus providing scientific guidance for decision-makers.

The contributions of this study are as follows: First, it proposes a systematic smart energy information security risk assessment framework, addressing the limitations of existing research by integrating environmental, economic, technical, and managerial factors to enhance the comprehensiveness and scientific validity of assessments. Second, it provides a quantitative analysis method based on MCDM, offering scientific decision-making support for policymakers and energy managers. Lastly, this research expands the theoretical framework of smart energy security management and provides practical guidance for building more intelligent, resilient, and secure smart energy systems in the future.

2. Literature Review

2.1. Information Security Risks in Smart Energy Systems

Smart energy systems integrate advanced technologies such as smart grids, Internet of Things (IoT) devices, data analytics, and distributed energy production to improve energy efficiency, optimize infrastructure, and enhance overall security [15]. These systems are pivotal in advancing energy distribution and management, directly influencing energy security. Recent cybersecurity standards, such as ISO/IEC 27001 and the NIST Cybersecurity Framework, have been increasingly adopted to address the security challenges within these systems, ensuring alignment with international cybersecurity practices. Wang et al. underscore the role of smart grids in improving energy security and reliability [16], while Arsecularatne et al. highlight the importance of data-driven decision-making for optimizing energy usage, load scheduling, and security monitoring [17]. Machine learning and AI algorithms further enhance predictive analytics for identifying energy consumption patterns, while emerging AI-driven threat detection technologies provide real-time monitoring, bolstering the capacity to identify vulnerabilities and mitigate security risks. These innovations foster industrial progress, leading to the development of complex energy system architectures that indirectly strengthen energy security [18].

However, despite their potential advantages, smart energy systems face significant challenges, such as data privacy risks, high implementation costs, and the need for effective governance frameworks. The integration of ICT infrastructure into energy management has improved monitoring and optimization capabilities [2]. However, some studies raise concerns that the energy consumption associated with ICT could undermine sustainability objectives [19]. Empirical research indicates that ICT enhances energy efficiency and security by enabling intelligent energy management and driving smart industrial advancements [20]. However, the increasing use of AI and machine learning to optimize security measures raises concerns about the adequacy of traditional security frameworks, highlighting the need for adaptive and evolving defense strategies in smart energy systems.

While the existing literature primarily focuses on theoretical models of smart energy systems, fewer studies examine the potential security risks introduced by ICT integration. This research addresses this gap by exploring the relationship between smart energy systems and information security risks. Empirical findings suggest that the development of smart energy systems affects energy security management in varying degrees across different economies. Some studies report a positive correlation between the adoption of smart energy systems and improved information security, but further research is required to assess the impact of AI and machine learning on security frameworks within these evolving systems.

2.2. Application of MCDM Methods in Smart Energy Information Security Risk Assessment

Multi-Criteria Decision-Making (MCDM) methods have been widely applied in managing and assessing risks within smart energy systems [21]. These methods assist decision-makers in optimizing choices when faced with multiple conflicting criteria, thereby enhancing the scientific validity of security strategies. In smart energy security management, MCDM methods facilitate the evaluation of security strategies, resource allocation, and system resilience [14]. The incorporation of AI-based algorithms into MCDM frameworks has improved decision-making by enabling real-time threat detection and dynamic risk evaluation, ensuring that security strategies are adaptive to emerging risks. Fuzzy MCDM approaches, which integrate fuzzy logic, offer flexible frameworks to address uncertainties in security evaluations [22]. Additionally, cumulative prospect theory-based MCDM methods quantify decision-makers’ risk preferences, improving the accuracy of assessments [11].

Smart energy security encompasses multiple dimensions, including data privacy, cybersecurity threats, and system stability [23]. Traditional single-criterion security evaluation methods often fail to capture the complexity of these interconnected issues. MCDM methods, particularly those based on interval-valued fuzzy sets, enhance risk assessment reliability in uncertain environments [24]. Recent advancements, such as the integration of MCDM with deep learning techniques, enable machine learning algorithms to detect security risk patterns while MCDM models analyze the contributing factors and optimize protective measures [25]. AI-driven frameworks, such as those utilizing generative adversarial networks (GANs), have been introduced to bolster cybersecurity defenses in smart energy systems, providing more robust defense mechanisms [26].

Despite the advantages of MCDM methods, challenges remain, particularly the reliance on expert judgment, which can be subjective and inconsistent. Moreover, some security risk indicators, such as the potential impact of cyberattacks, are inherently difficult to quantify [27]. To address these challenges, researchers have integrated fuzzy set theory and AI-enhanced consistency measurement techniques into MCDM methods to improve reliability and minimize biases in expert judgment. Triangular fuzzy numbers and interval type-2 fuzzy sets increase flexibility by reducing dependence on precise numerical data [28]. The incorporation of consistency measurements further mitigates expert bias, improving the transparency and fairness of risk evaluations.

Several advanced MCDM methods have been proposed to refine smart energy security assessments. Analytical Hierarchy Process (AHP) and Analytical Network Process (ANP) have been used to quantify the relative importance of different security risk factors [29]. AHP structures pairwise comparisons to determine criterion weights but assumes the independence of criteria, which may not be valid in complex energy security assessments [30]. In contrast, ANP considers the interdependencies among criteria, making it more suitable for comprehensive security risk analysis. Hybrid approaches combining MCDM with AI and machine learning models are increasingly being explored to enhance these assessments.

Consensus measurement techniques have refined the application of MCDM in security risk assessment [31]. Traditional MCDM methods often lack standardized consensus evaluations, leading to inconsistencies in expert opinions [32]. AI-based consensus measurement techniques help reduce discrepancies and improve the robustness and consistency of evaluations. These methods help align expert opinions and dynamically adjust weight allocations [33], thereby enhancing decision-making [34]. In the context of smart energy security [35], AI-driven anomaly detection models have been integrated with MCDM to address dynamic cybersecurity threats, offering real-time adaptability and improving risk mitigation strategies.

Overall, MCDM methods, when integrated with AI technologies and consensus measurement frameworks, hold significant potential to enhance the accuracy and adaptability of smart energy security risk assessments. Future research should focus on exploring the application of AI-driven adaptive MCDM methods to strengthen the resilience of smart energy systems against evolving cybersecurity threats and emerging risk landscapes.

3. Methodology

The IT2TrFN-based Multi-Criteria Decision-Making (MCDM) method was selected for this study due to its ability to address the dynamic and cross-domain nature of smart energy systems—an area where traditional risk assessment methods often fall short. The methodology employed in this research is structured into four stages, each designed to systematically assess the information security risks associated with smart energy systems. The first stage focuses on the identification and construction of an indicator system relevant to smart energy information security risk assessment. This system is developed through an extensive review of the existing literature, ensuring that it encompasses all critical aspects of smart energy systems. The indicator system provides the foundation for subsequent stages by identifying the key factors that influence security risks. In the second stage, data preprocessing is carried out. This involves determining the relative importance of the experts based on their expertise and experience. The process includes the construction of two matrices: the Initial Decision Matrix ($IDM$) and the Aggregated Decision Matrix ($ADM$). These matrices include previously identified secondary and tertiary indicators. During this stage, consensus metrics must meet the fundamental requirements for decision modeling. The outcome of this stage is the creation of a comprehensive Aggregated Weighted Group Decision Matrix ($CAWGDM$).

The third stage involves the analysis of the results to assess the performance of the developed method. This includes the identification of both the Negative Ideal Solution ($NIS$) and Positive Ideal Solution ($PIS$). The distance between these ideal solutions and the individual indicators is then calculated. This enables the calculation of the level index, which is used to reveal the information security risks associated with smart energy systems in the studied region.

The final stage is dedicated to sensitivity analysis, which evaluates the robustness of the proposed method from two perspectives. The first perspective examines the variation in EA(Expert Assessment) weights under different aggregation operators. The second perspective explores the impact of varying parameter $\theta$ values on the $\mathrm{E}\mathrm{A}$ weights. This stage is crucial for understanding the stability of the decision-making process and ensuring the method’s reliability under different conditions. Both the IT2TrFN and MCDM methods utilized in this study are implemented using Matlab 2022a, ensuring robust data processing and analysis capabilities.

To establish the decision hierarchy, it is essential to identify all constituent elements. The hierarchy consists of a set of $n$ criteria (denoted as $B_1, B_2,\dots ,B_n$) and r indicators (denoted as $C_1,C_2,\dots C_r$). Additionally, the formation of a collaborative expert group (labeled as $E_1, E_2,\dots ,E_l$) is a key step in the practical implementation of the developed method. The process for implementing this methodology is described in detail through the following steps:

Step 1: Assigning weights to experts. This step involves determining the relative importance of each expert within the group. Two specific parameters, $d_e^1$ and $d_e^2$, are used to calculate the weight of the $e_{th}$ expert in a group of $l$ experts. The calculation procedure is outlined as follows:

$$\left\{\begin{array}{c}{d}_e^1=m_e+{\displaystyle \frac{{\delta }_e{m}_e}{m_e+y_e}}+{\displaystyle \frac{m_e\left(m_e+y_e\right)}{m_e+n_e+{\lambda }_e}}\\ d_e^2={\displaystyle \frac{{\mu }_e}{2\pi }}+{\displaystyle \frac{{\gamma }_e{\mu }_e}{2\pi \left({\mu }_e+{\eta }_e\right)}}+{\displaystyle \frac{{\mu }_e\left({\mu }_e+{\eta }_e\right)}{2\pi \left({\mu }_e+{\eta }_e+{\sigma }_e\right)}}\\ {\omega }_e={\displaystyle \frac{(1-\vartheta )d_e^1+\vartheta d_e^2}{\sum _1^{\mathcal{l}}\left[(1-\vartheta )d_e^1+\vartheta d_e^2\right]}}\end{array}\right.$$

(1)

where ${\omega }_e$ is the weight of the $e_{th}$ expert, and $\vartheta$ is the weight coefficient.

Step 2: The Initial Decision Matrix ($IDM$) is created by assigning linguistic terms to each criterion, which are paired with interval type-2 fuzzy numbers ($IT2TrFN$) to reflect the importance level of each indicator. These $IT2TrFNs$ are subsequently defuzzified in a specified manner to construct the matrix.

To ensure the reliability of the data, outliers or extreme values in the expert assessment data are identified using the interquartile range (IQR) method. Specifically, the IQR is calculated as the difference between the 75th percentile (Q3) and the 25th percentile (Q1) of the expert judgments. Any data points that fall below Q1 − 1.5 × IQR or above Q3 + 1.5 × IQR are flagged as potential outliers. These outliers are then reviewed and adjusted through iterative consensus-building sessions with the experts to ensure alignment with the overall assessment context. This process mitigates the impact of extreme values on the final index values, thus enhancing the robustness and reliability of the results.

$$\widetilde{\stackrel{~}{A}}=\left({\tilde{A}}_i^U,{\tilde{A}}_i^L\right)=\left[\begin{array}{c}\left(a_{i1}^U,a_{i2}^U,a_{i3}^U,a_{i4}^U;H_1\left({\tilde{A}}_i^U\right),H_2\left({\tilde{A}}_i^U\right)\right),\\ \left(a_{i1}^L,a_{i2}^L,a_{i3}^L,a_{i4}^L;H_1\left({\tilde{A}}_i^L\right),H_2\left({\tilde{A}}_i^L\right)\right)\end{array}\right]$$

(2)

Here, $H_j\left({\tilde{A}}_i^U\right)$ and $H_j\left({\tilde{A}}_i^L\right)$ represent the membership degrees of the $j+1$ elements in the membership functions $a_{i(j+1)}^U$ and $a_{i(j+1)}^L$, where $1\le j\le 2$.

$$Defuzzified\left({\widetilde{\stackrel{~}{A}}}_i\right)={\displaystyle \frac{\begin{array}{c}\frac{\left(a_{i4}^U-a_{i1}^U\right)+\left(H_1\left({\tilde{A}}_i^U\right)\ast a_{i2}^U-a_{i1}^U\right)+\left(H_2\left({\tilde{A}}_i^U\right)\ast a_{i3}^U-a_{i1}^U\right)}{4}+a_{i1}^U\\ +\frac{\left(a_{i4}^L-a_{i1}^L\right)+\left(H_1\left({\tilde{A}}_i^L\right)\ast a_{i2}^L-a_{i1}^L\right)+\left(H_2\left({\tilde{A}}_i^L\right)\ast a_{i3}^L-a_{i1}^L\right)}{4}+a_{i1}^L\end{array}}{2}}$$

(3)

Constructing the $IDM$ requires the arrangement of linguistic terms and $IT2TrFN$ to form the matrix.

$$Z_e^B=\left[\begin{array}{ccccc}& X_1& X_2& \dots & X_q\\ B_1& u_{11}^e& u_{21}^e& \dots & u_{1q}^e\\ B_2& u_{12}^e& u_{22}^e& \dots & u_{2q}^e\\ ⋮& ⋮& ⋮& \ddots & ⋮\\ B_n& u_{1n}^e& u_{n2}^e& \dots & u_{nq}^e\end{array}\right]$$

(4)

Here, $Z_e^B$ represents the $IDM$ constructed by the $e_{th}$ expert, and $q$ is the number of objects.

Step 3: Expert opinions are integrated into a unified decision matrix using a weighted aggregation approach, helping to consolidate individual assessments into a collective judgment.

$$\begin{array}{c}{M}_{\omega }\left(Z_1^B,Z_2^B,\dots ,Z_{\mathcal{l}}^B\right)={\omega }_1{Z}_1^B\oplus {\omega }_2{Z}_2^B\oplus \dots \oplus {\omega }_{\mathcal{l}}{Z}_{\mathcal{l}}^B\hfill \\ = \left({\displaystyle \genfrac{}{}{0pt}{}{\sqrt{1-\prod _1^{\mathcal{l}}{\left(1-m_{ij\left(e\right)}^2\right)}^{{\omega }_e}}{v}^{{i2\pi }^{\sqrt{1-\prod _1^{\mathcal{l}}{\left[1-{\left(\frac{{\mu }_e}{2\pi }\right)}^2\right]}^{{\omega }_e}}}},\prod _1^{\mathcal{l}}{n}_{ij\left(e\right)}^{{\omega }_e}{v}^{i2\pi \prod _1^n{\left(\frac{w_{e_i}}{2\pi }\right)}^{{\omega }_e}},}{\sqrt{\prod _1^{\mathcal{l}}{\left(1-m_{ij\left(e\right)}^2\right)}^{{\omega }_e}-\prod _1^{\mathcal{l}}{\left(1-m_{ij\left(e\right)}^2-{\delta }_{ij\left(e\right)}^2\right)}^{{\omega }_e}}{v}^{{i2\pi }^{\sqrt{\prod _1^{\mathcal{l}}{\left[1-{\left(\frac{{\mu }_{e_i}}{2\pi }\right)}^2\right]}^{{\omega }_e}-{\mathsf{\Pi }}_1^{\mathcal{l}}{\left[1-{\left(\frac{{\mu }_{{\delta }_i}}{2\pi }\right)}^2-{\left(\frac{{\gamma }_{e_i}}{2\pi }\right)}^2\right]}^{{\omega }_e}}}}}}\right)\end{array}$$

(5)

Here, ${\omega }_e$ represents the weight assigned to the $e_{th}$ expert.

Step 4: The construction of the Aggregated Decision Matrix ($ADM$) to assess the relative importance of the considered secondary indicators is as follows:

$$Z^B=\left[\begin{array}{ccccc}& X_1& X_2& \cdots & X_q\\ B_1& u_{11}^B& u_{12}^B& \cdots & u_{1q}^B\\ B_2& u_{21}^B& u_{22}^B& \cdots & u_{2q}^B\\ ⋮& ⋮& ⋮& \ddots & ⋮\\ B_n& u_{n1}^B& u_{n2}^B& \cdots & u_{nq}^B\end{array}\right]$$

(6)

Here, $Z^B$ represents the $ADM$. In practice, a value of 1 is typically assigned to each object. Therefore, the $ADM$ can be expressed as: $Z^B=\left[{\displaystyle \genfrac{}{}{0pt}{}{ }{X_1}}{\displaystyle \genfrac{}{}{0pt}{}{B_1}{u_{11}^B}}{\displaystyle \genfrac{}{}{0pt}{}{B_2}{u_{21}^B}}{\displaystyle \genfrac{}{}{0pt}{}{\cdots }{\cdots }}{\displaystyle \genfrac{}{}{0pt}{}{B_n}{u_{n1}^B}}\right]$ and $Z^B=\left[{\displaystyle \genfrac{}{}{0pt}{}{ }{X_1}}{\displaystyle \genfrac{}{}{0pt}{}{B_1}{u_{11}^B}}{\displaystyle \genfrac{}{}{0pt}{}{B_2}{u_{21}^B}}{\displaystyle \genfrac{}{}{0pt}{}{\cdots }{\cdots }}{\displaystyle \genfrac{}{}{0pt}{}{B_n}{u_{n1}^B}}\right]$.

It is essential to note that before proceeding further with the data processing, consistency measures must be met. Consistency is ensured through the application of Appendix A.1.

Step 5: Construction of the $IDM$ for Tertiary Indicators. Step 5 involves the construction of the IDM for the tertiary indicators. Secondary indicators consist of various tertiary indicators; for example, the secondary indicator $B_1$ includes two tertiary indicators $C_1$ and $C_2$, while $B_2$ includes $C_3$ and $C_4$. Experts evaluate the performance of these tertiary indicators under their respective secondary indicators. The $IDM$ specific to expert $C_4$ is constructed as follows:

$$Z_e^C=\left[\begin{array}{ccccc}& B_1& B_2& \cdots & B_n\\ C_1& u_{11}^{Ct}& & & \\ C_2& u_{21}^{Ct}& & & \\ C_3& & u_{32}^{Ct}& & \\ C_4& & u_{42}^{Ct}& & \\ ⋮& & & \ddots & \\ C_r& & & & u_{rn}^{Ct}\end{array}\right]$$

(7)

Here, $Z_e^C$ represents the $IDM$ constructed by expert $e_{th}$, and $u_{ij}^{Ct}=\left(m{v}_{ij\left(e\right)}^{i{\mu }_e},n{v}_{ij\left(e\right)}^{i{\eta }_e},\delta v_{ij\left(e\right)}^{i{\gamma }_e},\lambda v_{ij\left(e\right)}^{i{\sigma }_e}\right)$.

Step 6: The IDM for tertiary indicators is created, followed by the aggregation of expert opinions to form the corresponding ADM for these indicators. This step integrates expert evaluations into a final decision matrix [36].

$$IT2FWA\left({\widetilde{\stackrel{~}{a}}}_j^{\left(1\right)},{\widetilde{\stackrel{~}{a}}}_j^{\left(2\right)},\dots ,{\widetilde{\stackrel{~}{a}}}_j^{\left(e\right)}\right)=\left(\begin{array}{c}\left(\sum _{e=1}^{nDM}{\theta }_e{a}_{j,1}^{U\left(e\right)},\sum _{e=1}^{nDM}{\theta }_e{a}_{j,2}^{U\left(e\right)},\sum _{e=1}^{nDM}{\theta }_e{a}_{j,3}^{U\left(e\right)};\right.\\ \left.1-\prod _{e=1}^{nDM}{\left(1-h_{A_j}^{U\left(e\right)}\right)}^{{\theta }_e}\right),\\ \left(\sum _{e=1}^{nDM}{\theta }_e{a}_{j,1}^{L\left(e\right)},\sum _{e=1}^{nDM}{\theta }_e{a}_{j,2}^{L\left(e\right)},\sum _{e=1}^{nDM}{\theta }_e{a}_{j,3}^{L\left(e\right)};\right.\\ 1-\prod _{e=1}^{nDM}{\left(1-h_{A_j}^{L\left(e\right)}\right)}^{{\theta }_e}\end{array}\right)$$

(8)

Here, ${\theta }_e$ represents expert $e_{th}$, and $nDM$ denotes the number of decision-makers.

$$Z^C=\left[\begin{array}{ccccc}& B_1& B_2& \cdots & B_n\\ C_1& u_{11}^C& & & \\ C_2& u_{21}^C& & & \\ C_3& & u_{32}^C& & \\ C_4& & u_{42}^C& & \\ ⋮& & & \ddots & \\ C_r& & & & u_{rn}^C\end{array}\right]$$

(9)

Here, $Z^C$ represents the $ADM$, and $u_{ij}^C=\left(m{v}_{Cij}^{i{\mu }_e},n{v}_{Cij}^{i{\eta }_e},\delta v_{Cij}^{i{\gamma }_e},\lambda v_{Cij}^{i{\sigma }_e}\right)$. Before proceeding with further data processing, it is crucial to ensure that consistency measures meet the basic requirements.

Step 7: Constructing the $CAWGDM$ to evaluate the tertiary indicators in detail. This process involves weighting the aggregated matrix ($Z^C$) according to the conditions specified in $W_B$. The equation is outlined as follows:

$$\begin{array}{c}{Z}^{Com}={\left[W_B\otimes Z^C\right]}_{n\times r}\hfill \\ =\left({\displaystyle \genfrac{}{}{0pt}{}{m_B\cdot m_{Cij}{v}^{i2\pi \left(\frac{{\mu }_e}{2\pi }\right)\left(\frac{A{\mu }_e}{2\pi }\right)},\sqrt{{\left(n_B\right)}^2+{\left(n_{Cij}\right)}^2-{\left(n_B\right)}^2{\left(n_{Cij}\right)}^2}{v}^{i2\pi \sqrt{{\left(\frac{{\eta }_e}{2\pi }\right)}^2+{\left(\frac{C{\eta }_e}{2\pi }\right)}^2-{\left(\frac{{\eta }_e}{2\pi }\right)}^2{\left(\frac{C{\eta }_e}{2\pi }\right)}^2}},}{\sqrt{\left[1-{\left(n_B\right)}^2\right]{\left({\delta }_{Cij}\right)}^2+\left[1-{\left(n_{Cij}\right)}^2\right]{\left({\delta }_B\right)}^2-{\left({\delta }_{Cij}\right)}^2{\left({\delta }_B\right)}^2}{v}^{i2\pi \sqrt{{\left(1-\frac{{\eta }_e}{2\pi }\right)}^2{\left(\frac{C_{\mathcal{Y}}}{2\pi }\right)}^2+{\left(1-\frac{C_e}{2\pi }\right)}^2{\left(\frac{{\gamma }_e}{2\pi }\right)}^2-{\left(\frac{C{\gamma }_e}{2\pi }\right)}^2{\left(\frac{{\gamma }_e}{2\pi }\right)}^2}}}}\right)\end{array}$$

(10)

The constructed $CAWGDM$ will be presented as follows:

$$Z^Q=\left[\begin{array}{ccccc}& B_1& B_2& \cdots & B_n\\ C_1& u_{11}^Q& & & \\ C_2& u_{21}^Q& & & \\ C_3& & u_{32}^Q& & \\ C_4& & u_{42}^Q& & \\ ⋮& & & \ddots & \\ C_r& & & & u_{rn}^Q\end{array}\right]$$

(11)

Here, $u_{ij}^Q=\left(m_{ij}{v}_Q^{i{\mu }_e},n_{ij}{v}_Q^{i{\eta }_e},{\delta }_{ij}{v}_Q^{i{\gamma }_e},{\lambda }_{ij}{v}_Q^{i{\sigma }_e}\right)$. $Z^{\mathrm{A}}$ can be represented as:$\left[\begin{array}{ccccc}{C}_1& C_2& C_3& \dots & C_r\\ u_{11}^Q& u_{21}^Q& u_{31}^Q& \dots & u_{r1}^Q\end{array}\right]$.

Step 8: Determining the $PIS$ and $NIS$ in the $CAWGDM$. $PIS$ is represented as $C$, characterized by the maximum value in the entire matrix, while $NIS$ is represented as $C^{+-}$, containing the minimum value. The formulas for these solutions are as follows:

$$C^{+}=\underset{1\le i\le r}{max}\left\{u_{ij}^{\mathrm{Q}}\right\};C^{-}=\underset{1\le i\le r}{min}\left\{u_{ij}^{\mathrm{Q}}\right\}$$

(12)

Here, $PIS$ and $NIS$ are derived from the scores and accuracy functions of $IT2TrFN$ (Appendix A.2). $PIS$ and $NIS$ are denoted as $C^{+}=\left(m_{ij}^{+},n_{ij}^{+},{\delta }_{ij}^{+},{\lambda }_{ij}^{+},{\mu }_{ij}^{+},{\eta }_{ij}^{+},{\gamma }_{ij}^{+},{\sigma }_{ij}^{+}\right)$ and $C^{-}=\left(m_{ij}^{-},n_{ij}^{-},{\delta }_{ij}^{-},{\lambda }_{ij}^{-},{\mu }_{ij}^{-},{\eta }_{ij}^{-},{\gamma }_{ij}^{-},{\sigma }_{ij}^{-}\right)$.

Step 9: Measuring the distance from the tertiary indicators to the $PIS$ and $NIS$. The calculations for these are outlined as follows:

$$\left\{\begin{array}{c}\mathrm{K}\left(C_i,C^{+}\right)=\sqrt{\sum _{\rho \in \{m,n,\delta ,\lambda \}}{\left|{\left({\rho }_{ij}\right)}^2-{\left({\rho }_{ij}^{+}\right)}^2\right|}^2+{\displaystyle \frac{1}{16{\pi }^4}}\sum _{\zeta \in \{\mu ,\eta ,\gamma ,\sigma \}}{\left|{\left({\zeta }_{ij}\right)}^2-{\left({\zeta }_{ij}^{+}\right)}^2\right|}^2}\\ \mathrm{K}\left(C_i,C^{-}\right)=\sqrt{\sum _{\rho \in \{m,n,\delta ,\lambda \}}{\left|{\left({\rho }_{ij}\right)}^2-{\left({\rho }_{ij}^{-}\right)}^2\right|}^2+{\displaystyle \frac{1}{16{\pi }^4}}\sum _{\zeta \in \{,\eta ,\eta ,\gamma ,\sigma \}}{\left|{\left({\zeta }_{ij}\right)}^2-{\left({\zeta }_{ij}^{-}\right)}^2\right|}^2}\end{array} \right.$$

(13)

Here, $\mathrm{K}\left(C_i,C^{+}\right)$ and $\mathrm{K}\left(C_i,C^{-}\right)$ represent the distances from the tertiary indicators to the $PIS$ and $NIS$.

Step 10: Distances from the tertiary indicators to both the PIS and NIS are calculated. The ranking values are then determined for each indicator, and the level index is computed by averaging these values.

$$\alpha \left(C_i\right)={\displaystyle \frac{K\left(C_i,C^{+}\right)}{K\left(C_i,C^{-}\right)+Z\left(C_i,C^{+}\right)}}$$

(14)

$$\chi ={\displaystyle \frac{1}{r}}{\sum }_{i=1}^r\alpha \left(C_i\right)$$

(15)

Here, $\alpha \left(C_i\right)$ refers to the ranking value assigned to sub-criteria, while $\chi$ represents the value of the Level Index.

To provide a clearer description of the model we have developed, we have created a technical roadmap, as shown in Figure 1.

4. Case Study

This section presents an overview of the application of the proposed methodology in Shaanxi Province, China. It details the implementation process, the assessment results of smart energy information security risks in the province, and a comparison analysis with alternative methods. The theoretical and managerial implications derived from the study are also discussed.

4.1. Implementation of the Methodology

This study introduces an innovative Multi-Criteria Decision-Making (MCDM) approach to assess the information security risks of smart energy cities. The primary objective is to calculate the information security risk index for smart energy cities. After identifying relevant criteria and indicators, an indicator system for smart energy cities was established. The information security risk index is categorized into three levels: low, medium, and high, based on the calculated index values.

Shaanxi Province was selected as the case study location due to its significance as a major energy hub in Northwest China. Known as “China’s Kuwait”, Shaanxi is rich in key energy resources such as coal, oil, and natural gas. Its developed energy system plays a crucial role in supporting the national energy supply and economic development. Moreover, as a strategic connector between eastern and western China, Shaanxi holds an irreplaceable position in energy transport and national strategic planning (Figure 2).

Through an extensive literature review, the study categorizes the indicators for evaluating smart energy information security risks into four main types: environmental, technological, economic, and management risks. Specifically, the information security risk for smart energy cities is classified as a primary indicator in the decision hierarchy, consisting of four secondary indicators. Each secondary indicator is further subdivided into 6–8 tertiary indicators, yielding a total of 29 tertiary indicators. Table 1 provides a detailed description of the identified indicators and the quantification method for each tertiary indicator. The secondary indicators are labeled as $B_1,B_2,B_3,B_4$, and the tertiary indicators are labeled as $C_{11},C_{12},C_{13},\dots ,C_{46}$. Based on these identified indicators, a decision hierarchy is constructed.

Table 1. Smart Energy Information Security Risk Indicator System.

Objective	Secondary Indicator	Tertiary Indicator	Indicator Quantification	Reference
Smart Energy Information Security Risk	Environmental Risk $B_1$	Climate Change Risk $C_{11}$	Severe, Moderate, Mild	[37]
		Resource Supply Stability $C_{12}$	Strong, Moderate, Weak	[38]
		Environmental Pollution Pressure $C_{13}$	Severe, Moderate, Mild	[39]
		Policy and Regulatory Intensity $C_{14}$	Severe, Moderate, Mild	[40]
		Legal Protection for Information Security $C_{15}$	Severe, Moderate, Mild	[41]
		Information Security Management System $C_{16}$	Severe, Moderate, Mild	[42]
		Information Security Standards $C_{17}$	Available, In Progress, None	[43]
	Technical Risk $B_2$	Infrastructure Completeness $C_{21}$	(Normal Operating Time/Total Operating Time) × 100%	[44]
		Critical Facility Redundancy $C_{22}$	(Backup Equipment/Total Critical Equipment) × 100%	[45]
		Energy Information Transmission Stability $C_{23}$	(Lost Data Packets/Total Sent Data Packets) × 100%	[46]
		Fault Response Capability $C_{24}$	Average Fault Recovery Time (MTTR): The average time from fault occurrence to recovery	[47]
		Data Encryption Strength $C_{25}$	(Encrypted Data/Total Data) × 100%	[48]
		Unauthorized Access Detection Rate $C_{26}$	(Successfully Detected Unauthorized Access/Actual Unauthorized Access) × 100%	[49]
		System Vulnerability Management $C_{27}$	(Fixed Vulnerabilities/Total Found Vulnerabilities) × 100%	[50]
		Network Attack Defense Capability $C_{28}$	(Successfully Blocked Attacks/Total Attacks) × 100%	[51]
	Economic Risk $B_3$	Initial Investment Deviation $C_{31}$	[(Actual Initial Investment−Budgeted Initial Investment)/Budgeted Initial Investment] × 100%	[52]
		Operational Cost Growth Rate $C_{32}$	[(Current Operational Cost−Previous Operational Cost)/Previous Operational Cost] × 100%	[53]
		Technology Update Cost Share $C_{33}$	(Technology Update Cost/Total Cost) × 100%	[54]
		Unit Energy Production Cost $C_{34}$	Total Production Cost/Total Energy Output	[55]
		Energy Price Volatility $C_{35}$	[(Current Energy Price−Previous Energy Price)/Previous Energy Price] × 100%	[56]
		Market Demand Growth Rate $C_{36}$	[(Current Market Demand−Previous Market Demand)/Previous Market Demand] × 100%	[53]
		Investment Return Period $C_{37}$	Total Investment/Average Annual Net Profit	[57]
		Revenue Volatility $C_{38}$	[(Current Revenue−Previous Revenue)/Previous Revenue] × 100%	[58]
	Management Risk $B_4$	Information Security Responsibility Implementation $C_{41}$	Strong, Moderate, Weak	[59]
		Security Training Coverage Rate $C_{42}$	(Actual Participants/Required Participants) × 100%	[60]
		Emergency Plan Drill Frequency $C_{43}$	Annual Drills/Planned Drills	[61]
		Timeliness of Security Incident Response $C_{44}$	(Incidents Responded to within the Specified Time/Total Incidents) × 100%	[62]
		Operations and Maintenance Compliance Rate $C_{45}$	(Compliant Operations/Total Operations) × 100%	[63]
		Outsourced Security Management Capability $C_{46}$	Strong, Moderate, Weak	[64]

Table 1. Smart Energy Information Security Risk Indicator System.

Objective	Secondary Indicator	Tertiary Indicator	Indicator Quantification	Reference
Smart Energy Information Security Risk	Environmental Risk $B_1$	Climate Change Risk $C_{11}$	Severe, Moderate, Mild	[37]
		Resource Supply Stability $C_{12}$	Strong, Moderate, Weak	[38]
		Environmental Pollution Pressure $C_{13}$	Severe, Moderate, Mild	[39]
		Policy and Regulatory Intensity $C_{14}$	Severe, Moderate, Mild	[40]
		Legal Protection for Information Security $C_{15}$	Severe, Moderate, Mild	[41]
		Information Security Management System $C_{16}$	Severe, Moderate, Mild	[42]
		Information Security Standards $C_{17}$	Available, In Progress, None	[43]
	Technical Risk $B_2$	Infrastructure Completeness $C_{21}$	(Normal Operating Time/Total Operating Time) × 100%	[44]
		Critical Facility Redundancy $C_{22}$	(Backup Equipment/Total Critical Equipment) × 100%	[45]
		Energy Information Transmission Stability $C_{23}$	(Lost Data Packets/Total Sent Data Packets) × 100%	[46]
		Fault Response Capability $C_{24}$	Average Fault Recovery Time (MTTR): The average time from fault occurrence to recovery	[47]
		Data Encryption Strength $C_{25}$	(Encrypted Data/Total Data) × 100%	[48]
		Unauthorized Access Detection Rate $C_{26}$	(Successfully Detected Unauthorized Access/Actual Unauthorized Access) × 100%	[49]
		System Vulnerability Management $C_{27}$	(Fixed Vulnerabilities/Total Found Vulnerabilities) × 100%	[50]
		Network Attack Defense Capability $C_{28}$	(Successfully Blocked Attacks/Total Attacks) × 100%	[51]
	Economic Risk $B_3$	Initial Investment Deviation $C_{31}$	[(Actual Initial Investment−Budgeted Initial Investment)/Budgeted Initial Investment] × 100%	[52]
		Operational Cost Growth Rate $C_{32}$	[(Current Operational Cost−Previous Operational Cost)/Previous Operational Cost] × 100%	[53]
		Technology Update Cost Share $C_{33}$	(Technology Update Cost/Total Cost) × 100%	[54]
		Unit Energy Production Cost $C_{34}$	Total Production Cost/Total Energy Output	[55]
		Energy Price Volatility $C_{35}$	[(Current Energy Price−Previous Energy Price)/Previous Energy Price] × 100%	[56]
		Market Demand Growth Rate $C_{36}$	[(Current Market Demand−Previous Market Demand)/Previous Market Demand] × 100%	[53]
		Investment Return Period $C_{37}$	Total Investment/Average Annual Net Profit	[57]
		Revenue Volatility $C_{38}$	[(Current Revenue−Previous Revenue)/Previous Revenue] × 100%	[58]
	Management Risk $B_4$	Information Security Responsibility Implementation $C_{41}$	Strong, Moderate, Weak	[59]
		Security Training Coverage Rate $C_{42}$	(Actual Participants/Required Participants) × 100%	[60]
		Emergency Plan Drill Frequency $C_{43}$	Annual Drills/Planned Drills	[61]
		Timeliness of Security Incident Response $C_{44}$	(Incidents Responded to within the Specified Time/Total Incidents) × 100%	[62]
		Operations and Maintenance Compliance Rate $C_{45}$	(Compliant Operations/Total Operations) × 100%	[63]
		Outsourced Security Management Capability $C_{46}$	Strong, Moderate, Weak	[64]

The parameters used in this article are shown in

Table 2. Key Experimental Parameters.

Parameter	Value/Description
Expert Weight Calculation Parameter ($\vartheta$)	$\vartheta =0.6$ (weight coefficient balancing expert experience and domain influence in Equation (1))
Parameters of IT2TrFN Membership Functions	Linguistic terms mapped to interval type-2 trapezoidal fuzzy numbers (IT2TrFN) with bounds calibrated via expert consensus
Consistency Threshold ($CV$)	$CV\le 0.5$ (re-calibration required if exceeded).
Sensitivity Analysis Range ($\theta$)	$\theta \in [0.0,0.5]$ (step size 0.1) to test weight coefficient variations.
IT2FWA and IT2FGA Operators	IT2FWA: Weighted aggregated operator (Equation (8)); IT2FGA: Weighted geometric operator (Equation (16))
Risk Level Thresholds	High ($\chi \ge 0.60$), Medium ($0.30\le \chi <0.60$), Low ($\chi <0.30$)

.

Before the first phase of the assessment, data collection tools were designed to capture expert insights on the indicators. Expert selection was based on their specific research areas and years of practical experience, ensuring relevance to the subject matter. A total of 8 experts in the fields of smart energy and safety engineering were invited to participate in the assessment [65,66]. During the evaluation, linguistic terms related to $IT2TrFN$ were employed to assess the importance of the indicators in the given context.

Table 3. Language Scale $IT2TrFN$.

Linguistic Term	${\mathit{m}}_{\mathit{s}}\left(\mathit{x}\right){\mathit{e}}^{\mathit{i}\mathit{\mu }\mathit{s}\left(\mathit{x}\right)},{\mathit{n}}_{\mathit{s}}\left(\mathit{x}\right){\mathit{e}}^{\mathit{i}\mathit{\eta }\mathit{s}\left(\mathit{x}\right)},{\mathit{\delta }}_{\mathit{s}}\left(\mathit{x}\right){\mathit{e}}^{\mathit{i}\mathit{\gamma }\mathit{s}\left(\mathit{x}\right)},{\mathit{\lambda }}_{\mathit{s}}\left(\mathit{x}\right){\mathit{e}}^{\mathit{i}\mathit{\sigma }\mathit{s}\left(\mathit{x}\right)}$
Extremely High(EH)	$0.15e^{\mathrm{i}2\pi \left(0.20\right)},0.90e^{\mathrm{i}2\pi \left(0.95\right)},0.10e^{\mathrm{i}2\pi \left(0.20\right)},0.53e^{\mathrm{i}2\pi \left(0.39\right)}$
Very High(VH)	$0.35e^{\mathrm{i}2\pi \left(0.40\right)},0.70e^{\mathrm{i}2\pi \left(0.75\right)},0.30e^{\mathrm{i}2\pi \left(0.40\right)},0.67e^{\mathrm{i}2\pi \left(0.53\right)}$
High(H)	$0.45e^{\mathrm{i}2\pi \left(0.50\right)},0.60e^{\mathrm{i}2\pi \left(0.65\right)},0.40e^{\mathrm{i}2\pi \left(0.50\right)},0.65e^{\mathrm{i}2\pi \left(0.51\right)}$
Medium(M)	$0.55e^{\mathrm{i}2\pi \left(0.60\right)},0.50e^{\mathrm{i}2\pi \left(0.55\right)},0.50e^{\mathrm{i}2\pi \left(0.60\right)},0.58e^{\mathrm{i}2\pi \left(0.39\right)}$
Low(L)	$0.65e^{\mathrm{i}2\pi \left(0.70\right)},0.40e^{\mathrm{i}2\pi \left(0.45\right)},0.40e^{\mathrm{i}2\pi \left(0.50\right)},0.62e^{\mathrm{i}2\pi \left(0.48\right)}$
Very low(VL)	$0.75e^{\mathrm{i}2\pi \left(0.80\right)},0.30e^{\mathrm{i}2\pi \left(0.35\right)},0.30e^{\mathrm{i}2\pi \left(0.40\right)},0.61e^{\mathrm{i}2\pi \left(0.39\right)}$
Extremely low(EL)	$0.95e^{\mathrm{i}2\pi \left(0.89\right)},0.20e^{\mathrm{i}2\pi \left(0.35\right)},0.10e^{\mathrm{i}2\pi \left(0.20\right)},0.40e^{\mathrm{i}2\pi \left(0.38\right)}$

provides a comprehensive overview of the linguistic terms associated with $IT2TrFN$.

In the MCDM modeling process, experts provided data using these linguistic terms, which were then converted into corresponding fuzzy numbers. The conversion process was based on expert-defined parameters to capture the inherent linguistic uncertainty in their judgments. The fuzzy number parameters (${\mathit{m}}_{\mathit{s}}\left(\mathit{x}\right){\mathit{e}}^{\mathit{i}\mathit{\mu }\mathit{s}\left(\mathit{x}\right)},{\mathit{n}}_{\mathit{s}}\left(\mathit{x}\right){\mathit{e}}^{\mathit{i}\mathit{\eta }\mathit{s}\left(\mathit{x}\right)},{\mathit{\delta }}_{\mathit{s}}\left(\mathit{x}\right){\mathit{e}}^{\mathit{i}\mathit{\gamma }\mathit{s}\left(\mathit{x}\right)},{\mathit{\lambda }}_{\mathit{s}}\left(\mathit{x}\right){\mathit{e}}^{\mathit{i}\mathit{\sigma }\mathit{s}\left(\mathit{x}\right)}$) were determined by the expert’s interpretation of each linguistic term, reflecting the range of possible values. For example, the term “Extremely High (EH)” was assigned a fuzzy number where the membership function is represented by complex exponential expressions, such as $0.15e^{\mathrm{i}2\pi \left(0.20\right)},0.90e^{\mathrm{i}2\pi \left(0.95\right)},0.10e^{\mathrm{i}2\pi \left(0.20\right)},0.53e^{\mathrm{i}2\pi \left(0.39\right)}$, based on expert experience and the specific application context. These parameters help capture both the magnitude and phase of uncertainty, ensuring that the fuzziness of expert judgments is adequately represented.

To ensure the reliability of the data, consistency measures were applied, enhancing the credibility of the results. The developed method carefully assessed consensus in two key areas: (i) the relative importance of the evaluation criteria in relation to the objective, and (ii) the detailed ratings of indicators within each criterion. The weighted coefficient of variation (CV) for these two areas was calculated as {$B_1$,$B_2$,$B_3$,$B_4$} = {0.3325, 0.2987, 0.3160, 0.3225}, indicating a high degree of consensus among the experts, as all values exceed the critical threshold of 0.30. This confirms the acceptability of expert judgments and allows for the continuation of data processing.

4.2. Evaluation Results

Once the decision hierarchy was established, the method first assigns weights to the experts. The weights assigned to each expert are as follows: $E_1=0.142, E_2=0.119, E_3=0.119, E_4=0.125, E_5=0.065, E_6=0.142, E_7=0.163, E_8=0.125$. Based on the judgments provided by the experts, the primary results are as follows: the Negative Ideal Solution ($NIS$) and Positive Ideal Solution ($PIS$) are determined using the score and accuracy functions of $IT2TrFN$. Specifically, the $PIS$ is given by $A=\{0.25e^{+I2\pi }\left(0.31\right),0.81e^{+I2\pi }\left(0.85\right),0.32e^{+I2\pi }\left(0.38\right),0.61e^{+I2\pi }(0.45\left)\right\}$ and the NIS is: $A-=\{0.36e^{+I2\pi }\left(0.44\right),0.48e^{+I2\pi }\left(0.52\right),0.47e^{+I2\pi }\left(0.55\right),0.67e^{+I2\pi }(0.48\left)\right\}.$ The ranking and ordering of these 29 tertiary indicators are presented in Figure 3 and Figure 4.

As shown in the ranking values in Figure 3, all secondary indicators except $C_{27},C_{28},C_{43},C_{46},C_{35},C_{16},C_{26},C_{15},$ and $C_{38}$ have ranking values above 0.5. The ranking order of the secondary indicators is presented in Figure 4. The analysis reveals that the top five indicators among the secondary indicators are $C_{31}$ (Initial Investment Deviation), $C_{14}$ (Policy and Regulatory Intensity), $C_{17}$ (Information Security Standards), $C_{13}$ (Environmental Pollution Pressure), and $C_{44}$ (Timeliness of Security Incident Response). These indicators are critical factors in evaluating the information security risks of smart energy, as they influence the reliability, sustainability, and resilience of the energy system.

The average ranking value, or level index, is 0.5839, which falls within the range of [0.30, 0.60). Based on this, the smart energy information security risk for the study subject is categorized as medium risk. This indicates that there is room for improvement in key areas for Shaanxi Province. Strengthening investment efficiency, improving policy regulation, refining security standards, reducing environmental impacts, and enhancing emergency response capabilities are critical steps toward achieving a more efficient and stable information security protection system.

4.3. Sensitivity Analysis

Sensitivity analysis is crucial for understanding the impact of parameter variations on model outcomes. This analysis is conducted from two perspectives, using a detailed example to assess its robustness. The first perspective involves applying different aggregation operators, specifically $IT2FWA$ and $IT2FGA$ (with calculation details outlined in Equation (16)). The second perspective explores how varying the weight coefficient ($\theta$) while using specific aggregation operators affects the results. This comprehensive approach allows for a thorough evaluation of the decision-making process’s stability and reliability, shedding light on how changes in these parameters influence the outcomes.

$$\mathrm{I}\mathrm{T}2FGA\left({\tilde{A}}_1,\dots ,{\tilde{A}}_n\right)(x)=\left[{\underset{\_}{\mu }}_{\tilde{A}}(x),{\overline{\mu }}_{\tilde{A}}(x)\right]=\left[{\left({\prod }_{p=1}^n{\underset{\_}{\mu }}_{{\tilde{A}}_p}(x{)}^{{\theta }_p}\right)}^{{\displaystyle \frac{1}{\mathsf{\Sigma }{\theta }_p}}},{\left({\prod }_{p=1}^n{\overline{\mu }}_{{\tilde{A}}_p}(x{)}^{{\theta }_p}\right)}^{{\displaystyle \frac{1}{\mathsf{\Sigma }{\theta }_p}}}\right]$$

(16)

(1) Sensitivity Analysis from the First Perspective: Four distinct scenarios are established for this analysis, as outlined in

Table 4. Scenario Descriptions.

Scenario	Description
Scenario 1 ($T_1$)	Different expert weights ($IT2FWA$)
Scenario 2 ($T_2$)	Equal expert weights ($IT2FWA$)
Scenario 3 ($T_3$)	Different expert weights ($IT2FGA$)
Scenario 4 ($T_4$)	Equal expert weights ($IT2FGA$)

. Figure 5 illustrates the ranking of indicators under these four scenarios ($T_1,T_2,T_3,T_4$). When applying specific aggregation operators, the rankings of the indicators remain largely consistent, indicating that the operator has minimal effect on the results. However, when different operators are used to aggregate judgments, especially for key indicators, significant fluctuations in ranking values are observed. This suggests that certain indicators are more sensitive to the aggregation operators, with variations in weight distribution influencing the rankings.

The analysis reveals that despite some differences, the overall ranking order remains relatively stable across scenarios. Certain indicators maintain a consistent ranking, signifying broad consensus on their importance across different conditions. However, other indicators, particularly those ranked lower or in the middle, exhibit greater fluctuations, emphasizing the impact of different aggregation operators on the ranking results.

(2) Sensitivity Analysis from the Second Perspective: Regarding the effect of varying the weight coefficient ($\theta$) while using specific aggregation operators, Figure 6 shows the ranking indices of the top five indicators under different weight coefficients ($\theta$) using $IT2FWA$. Figure 7 further demonstrates that the ranking trends of the indicators are largely consistent, with a notable shift occurring when $\theta$ changes from 0.00 to 0.10. Figure 8 presents the indicator rankings across various $\theta$ values. Notably, indicators $C_{31}$ and $C_{14}$ consistently rank first and second, demonstrating their stability across different weight coefficient settings. As $\theta$ increases, the level index fluctuates within the range of [0.60, 1.00], indicating that the risk level of the smart energy system is relatively low. Beyond $\theta$ = 0.10, the rate of change in the average ranking value stabilizes, suggesting that further increases in $\theta$ have minimal impact on the results.

The stability of the rankings for key indicators, such as $C_{31}$ (Initial Investment Deviation) and $C_{14}$ (Policy and Regulatory Intensity), reflects the robustness of the decision-making process in evaluating information security risks, with minimal influence from the weight coefficient.

5. Discussion and Conclusions

5.1. Discussion

Based on the analysis of the top five key indicators in the risk assessment, the following strategies are proposed to mitigate information security risks in smart energy systems:

(1) Optimize Investment Decisions and Phase-based Evaluations to Enhance Capital Efficiency: To maximize the effectiveness of initial investments, it is critical to establish a structured investment decision-making process during the planning phase. A comprehensive cost–benefit evaluation system should be implemented to assess economic, technological, and risk factors for each investment, prioritizing funds for critical technologies and security measures. Additionally, adopting a phased investment approach with milestone-based assessments ensures that adjustments can be made throughout the project lifecycle. This strategy directly supports SDG 7 (Affordable and Clean Energy) by ensuring that resources are effectively allocated to improve energy access and reliability.

Hypothetical Response Scenario: In a smart energy project, failure to identify security risks during the early stages may lead to disproportionate investments in technology development at the expense of security measures. By implementing phased investments and regular evaluations, the project can identify such issues early, allowing for resource reallocation to mitigate security risks.

(2) Enhance Regulatory Frameworks, Foster Cross-departmental Collaboration, and Implement Technological Monitoring to Strengthen Enforcement: Policies and regulations play a pivotal role in preventing information security risks. It is recommended that information security policies for smart energy systems be regularly updated to reflect international best practices while considering local contexts. Establishing cross-departmental coordination mechanisms between government, industry, and academia will help ensure the effective enforcement of these regulations. Furthermore, leveraging real-time monitoring platforms powered by AI and big data can enable the early detection of security breaches.

Hypothetical Response Scenario: In the event of a data breach within a smart grid, real-time monitoring systems enable regulators to detect anomalies quickly and coordinate a response, mitigating the impact of the incident.

(3) Develop, Promote, and Regularly Update Information Security Standards: Robust information security standards are essential for ensuring a secure smart energy system. It is recommended to integrate both domestic and international best practices into a comprehensive standards framework that meets the specific needs of smart energy systems. These standards should be continuously reviewed and updated to address emerging technologies and security threats.

Hypothetical Response Scenario: If outdated cybersecurity standards are used when integrating new technologies, vulnerabilities may emerge. By adhering to the latest security standards and ensuring regular updates, these risks can be mitigated, securing the system against evolving threats.

(4) Strengthen Environmental Governance and Promote Green Technologies: Environmental factors such as pollution and equipment wear can indirectly impact information security by increasing failure rates. It is recommended to adopt green technologies and low-carbon production processes to reduce environmental pollution. This aligns with SDG 7 (Affordable and Clean Energy) by promoting clean energy solutions and SDG 9 (Industry, Innovation, and Infrastructure) by ensuring that technological innovations are sustainable and environmentally responsible.

Hypothetical Response Scenario: In regions with high pollution, environmental factors may exacerbate equipment failure rates, leading to system instability. By implementing environmental monitoring systems, anomalies can be detected early, allowing for timely intervention to maintain system stability.

(5) Establish a Comprehensive Emergency Response System: A well-coordinated emergency response system is essential for minimizing damage during security incidents. This system should include monitoring, early warning, and recovery processes, supported by advanced monitoring devices and automated alert systems.

Hypothetical Response Scenario: During a cyberattack, the emergency response team, utilizing real-time monitoring tools, can quickly detect the source of the attack and trigger an automated response system. Cross-departmental coordination ensures that resources are mobilized promptly, allowing for efficient decision-making and damage control, thereby restoring system stability.

5.2. Conclusions

This study introduces an innovative framework based on expert insights and fuzzy multi-attribute decision support methods to assess the information security risks of smart energy systems. This framework provides strong support for both theoretical and practical developments in related fields. Eight experts with extensive experience in smart energy and safety engineering were invited to assess the importance of various indicators using language terms related to IT2TrFN, ensuring the reliability of the data through consistency measures. After transforming and verifying the fuzzy data, weighted CV values (all below 0.50) were calculated to evaluate the relative importance of the standards and the detailed ratings of each indicator. This process validated the consistency of expert judgments and ensured the scientific rigor of the data processing. Using IT2TrFN’s score and accuracy functions, this study determined the Negative Ideal Solution (NIS) and Positive Ideal Solution (PIS), establishing the ranking and order of the indicators. Key factors identified for evaluating information security risks included the Initial Investment Overrun Rate, Policy and Regulatory Strength, Information Security Standards, Environmental Pollution Pressure, and Timely Response to Security Incidents.

Despite the advantages of expert-based assessments, this method does have certain limitations. Potential expert bias may arise due to individual differences in experience and subjective judgment, which can affect the consistency of evaluations. Additionally, achieving consensus across a broad range of criteria can be challenging, particularly when assessing complex and interdependent risk factors. To address these limitations, future research could explore integrating automated data collection from operational systems, which would reduce reliance on subjective assessments and enhance the objectivity and robustness of the risk evaluation process.

Furthermore, a decision hierarchy was established with expert weight allocation to create a level index for information security risk assessment, categorizing risk into high, medium, and low levels. The overall level index was found to be 0.5839, indicating a medium risk, suggesting substantial room for improvement in investment efficiency, regulatory enforcement, standard implementation, environmental impact, and emergency response capabilities. Sensitivity analysis confirmed the robustness of the model from two perspectives: aggregation operators (IT2FWA and IT2FGA) and changes in weight coefficients (θ). The results demonstrated the stability of some key indicators across different scenarios and revealed the sensitive impact of operator choices on certain rankings.

Preliminary comparisons with traditional risk assessment models, such as fault tree analysis (FTA) and risk matrix approaches, indicate that the proposed framework provides a more dynamic and comprehensive evaluation by integrating multidimensional factors. However, these alternative models might offer simpler implementation under specific conditions, highlighting potential trade-offs between complexity and adaptability.

It is important to note that the applicability of the model to real-world scenarios faces several challenges, such as the variability of real-world data, the evolving nature of cybersecurity threats, and the potential limitations in the adaptability of the model to rapidly changing technological environments. These factors may influence the precision and effectiveness of the risk assessment model in practice. While the study offers valuable theoretical insights, its application to different regions or industries may require further calibration to account for local conditions and sector-specific differences. Future research could strengthen the robustness of the sensitivity analysis by incorporating multiple weighting approaches, such as equal weighting, experience-based weighting, and familiarity-based weighting. Equal weighting assumes all experts contribute equally to the decision-making process, suitable for scenarios with homogeneous expert backgrounds. Experience-based weighting assigns higher weights to experts with more extensive experience, reflecting their deeper insights. Familiarity-based weighting prioritizes experts familiar with specific criteria or indicators, ensuring that their judgments carry greater weight in relevant areas. These approaches could be incorporated by adjusting the weight allocation model (Equation (1)) and recalculating the ranking values under different weighting schemes. Relevant studies (e.g., [67]) have shown that such methods improve the reliability and adaptability of MCDM models in complex systems.

Finally, based on the established indicator system and risk analysis results, a systematic and dynamic security risk management framework is proposed. This framework offers valuable insights for reducing risks and improving the overall security and operational efficiency of smart energy systems. Future research could integrate neural networks with the proposed MCDM framework to automatically detect threats and improve the accuracy of risk predictions by learning from historical data. This integration would enhance the model’s adaptability to dynamic cybersecurity threats and provide a more robust decision-support tool for managing complex smart energy systems. Future studies should also include detailed comparative analyses with alternative risk assessment models to further elucidate their relative advantages, refine the applicability of the model, and enhance its practical implementation.