🤖 AI Summary
Existing approaches to prioritizing security patches in complex interconnected systems suffer from insufficient fine-grained modeling and poor interpretability. Method: This paper proposes a graph-driven, multi-granularity risk assessment framework that jointly models network communication graphs and system dependency graphs, establishing a three-tiered component–asset–system collaborative modeling mechanism. It introduces novel techniques for attack path identification, quantitative risk propagation analysis, and root-cause attribution under multi-source heterogeneous data fusion, leveraging graph neural networks and attack graph modeling for dynamic risk assessment. Contribution/Results: The framework significantly improves both the accuracy and the interpretability of patch prioritization. In benchmark evaluations, it achieves an average 12.7% improvement in patch ranking accuracy over state-of-the-art methods, while enabling clear risk provenance tracing and generating human-readable, auditable ranking justifications.
📝 Abstract
As interconnected systems proliferate, safeguarding complex infrastructures against an escalating array of cyber threats has become an urgent challenge. The growing number of vulnerabilities, combined with resource constraints, makes addressing every one impractical, so effective prioritization is essential. However, existing risk prioritization methods often rely on expert judgment or focus solely on exploit likelihood and consequences, lacking the granularity and adaptability needed for complex systems. This work introduces a graph-based framework for vulnerability patch prioritization that optimizes security by integrating diverse data sources and metrics into a universally applicable model. Refined risk metrics enable detailed assessments at the component, asset, and system levels. The framework employs two key graphs: a network communication graph to model potential attack paths and identify the shortest routes to critical assets, and a system dependency graph to capture risk propagation from exploited vulnerabilities across interconnected components. Asset criticality and component dependency rules systematically assess and mitigate risks. Benchmarking against state-of-the-art methods demonstrates superior accuracy in vulnerability patch ranking, with enhanced explainability. This framework advances vulnerability management and sets the stage for future research in adaptive cybersecurity strategies.
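As an added illustration of the two-graph idea the abstract describes (this is not the paper's code, and its scoring formula and decay factor are assumptions rather than the authors' risk metrics), the toy below takes shortest hop distance from an internet-facing host over a network communication graph as exposure, propagates asset criticality through a system dependency graph as impact, and ranks patches with a per-item justification; every host, component, vulnerability id and weight is constructed.

```python
from collections import deque
# Constructed toy inputs (assumed, not from the paper). Network communication
# graph: which host may talk to which; ENTRY is the internet-facing host.
COMM = {"web": ["app"], "app": ["db", "cache"], "cache": [], "db": []}
ENTRY = "web"
CRITICALITY = {"web": 0.3, "app": 0.5, "cache": 0.2, "db": 1.0}  # asset level
# System dependency graph: component -> components that depend on it.
DEPS = {"libssl": ["httpd", "orm"], "httpd": [], "orm": ["db-engine"], "db-engine": []}
HOST_OF = {"libssl": "web", "httpd": "web", "orm": "app", "db-engine": "db"}
# Vulnerabilities: placeholder id -> (affected component, base severity 0..10).
VULNS = {"V-1": ("libssl", 7.5), "V-2": ("db-engine", 9.8), "V-3": ("httpd", 5.0)}
DECAY = 0.5  # fraction of risk inherited per dependency hop (assumed)

def hop_distances(graph, source):
    """BFS: shortest hop count from source to every reachable host."""
    dist, queue = {source: 0}, deque([source])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, []):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def propagated_impact(component):
    """Criticality of the host, plus decayed criticality of every dependent."""
    impact = CRITICALITY[HOST_OF[component]]
    trace, seen, stack = [], {component}, [(component, 1.0)]
    while stack:
        comp, weight = stack.pop()
        for dep in DEPS.get(comp, []):
            if dep not in seen:
                seen.add(dep)
                contrib = weight * DECAY * CRITICALITY[HOST_OF[dep]]
                impact += contrib
                trace.append((dep, round(contrib, 3)))
                stack.append((dep, weight * DECAY))
    return impact, trace

def prioritize():
    """Rank patches: severity x network exposure x propagated impact, with a reason."""
    dist, ranked = hop_distances(COMM, ENTRY), []
    for vid, (comp, base) in VULNS.items():
        host = HOST_OF[comp]
        hops = dist.get(host)
        exposure = 0.0 if hops is None else 1.0 / (1 + hops)  # unreachable -> 0
        impact, trace = propagated_impact(comp)
        why = f"{comp} on {host}: {hops} hops from {ENTRY}; propagates to {trace}"
        ranked.append((round(base * exposure * impact, 3), vid, why))
    return sorted(ranked, reverse=True)
```

Calling `prioritize()` on this data ranks the 7.5-severity libssl bug above the 9.8-severity database bug, because the former sits on the entry host and its risk propagates through two dependents down to the database; the `why` string is the auditable justification for each rank.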