AI Summary
The heterogeneous architectures and diverse application scenarios of the Internet of Things (IoT) impede systematic quantification and prioritization of cybersecurity risks.
Method: This paper proposes the Cybersecurity Value-at-Risk (Cy-VaR) model, a novel framework that systematically extends financial Value-at-Risk (VaR) theory to the IoT's three-layer architecture (sensing, network, and application), integrating layered threat analysis, IoT-specific architectural modeling, and quantitative financial methodologies within a scenario-driven, layer-specific risk quantification paradigm.
Contribution/Results: Cy-VaR enables cross-layer, unified representation of potential financial losses from cybersecurity incidents, thereby supporting precise, cost-effective security investment decisions. Experimental evaluation demonstrates that Cy-VaR significantly improves assessment consistency and predictability of security investment returns, enhancing the overall resilience of IoT systems.
Abstract
The Internet of Things (IoT) presents unique cybersecurity challenges due to its interconnected nature and diverse application domains. This paper explores the application of Cyber Value-at-Risk (Cy-VaR) models to assess and mitigate cybersecurity risks in IoT environments. Cy-VaR, rooted in Value at Risk principles, provides a framework to quantify the potential financial impacts of cybersecurity incidents. Initially developed to evaluate overall risk exposure across scenarios, our approach extends Cy-VaR to consider specific IoT layers: perception, network, and application. Each layer encompasses distinct functionalities and vulnerabilities, from sensor data acquisition (perception layer) to secure data transmission (network layer) and application-specific services (application layer). By calculating Cy-VaR for each layer and scenario, organizations can prioritize security investments effectively. This paper discusses methodologies and models, including scenario-based Cy-VaR and layer-specific risk assessments, emphasizing their application in enhancing IoT cybersecurity resilience.