Fuzzy-Based Unified Decision-Making Technique to Evaluate Security Risks: A Healthcare Perspective

Neoteric biomedical, technological, and normative shifts have prompted care firms to establish clinical governance as a contrivance to assure high-quality service in an exceedingly intricate milieu. Web security is an epochal concern in the healthcare sector, although it has garnered scant attention since the inception of web applications. The necessity to provide adequate security for healthcare web applications (HWAs) cannot be exaggerated, as umpteen health agencies are contingent on them to carry out their operations. Every healthcare organization renders a humongous volume of data available online to practitioners, pharmacies, and patients. Researchers are continually endeavoring to ameliorate techniques to increase the security and longevity of HWAs. In this context, experts examined certain imperative security risks in HWAs to quantitatively evaluate them in the design phase and covered numerous facets of HWAs, along with their security attributes and risk factors. The authors have proposed a combined approach of fuzzy-based symmetric techniques, i.e., AHP-TOPSIS (Analytic Hierarchy Process–Technique for Order of Preference by Similarity to Ideal Solution), for the assessment of alternative HWAs, leveraging the multi-criteria decision-making (MCDM) approach. Ten consecutive HWAs from local hospitals in Uttar Pradesh, India, have been taken to estimate the security risk, incorporating this methodology to evaluate the priority of weightage and the impact of security attributes. Henceforth, the findings and methodology employed in this study can assist security practitioners in identifying and prioritizing the most influential risk factors to secure HWAs and encourage them to develop revamped or novel methods.


Introduction
In this rapidly evolving IT world, scientific communities, local or multinational businesses, and the medical sector rely extensively on computers to store sensitive data. The dispensation of healthcare amenities is being reformed from an archaic hospital-centric model to a more virtual, dispersed service that extensively exploits the most recent technologies such as the 3D printing of tissues and implants, intelligent machines, genomics, data analytics, and robotics. This advancement has transformed the working environment of web applications via myriad innovative techniques to help them carry out their tasks quickly and efficiently. Medical workers are assigned a copious assemblage of responsibilities, and managing them is more intricate and arduous. P patients' documentation has to be managed, including tracking inventory, the schedules of doctors, records for keeping bills, patient reports, etc. [1]. Due to the ubiquitous use of computers, healthcare web applications (HWAs) are becoming ine convoluted and require high levels of security [2]. The security assessment proce HWA practitioners the assurance that the presence of any vulnerability will no negative impact on their systems and that they can always use mitigation techniques. Hereby, this process maximizes the success of user satisfaction on HWA systems. In the present scenario, security issues are constantly evolving due to the heterogeneous nature of HWAs. Digital technology is being researched and implemented in all healthcare. Figure 1 divides the numerous HWAs into several application domains; however, there are thousands of distinct applications [3].
The security estimation of HWAs focuses on the functional aspects of the application and its ability to endure a malicious attack and recover without data loss or any other abnormality. Security breaches are compromising thousands of health records. Ample statistics have shown data breach instances, and recently, innumerable incidences of the inadvertent loss or theft of sensitive clinical data have been documented [4,5] that have affected patients. Moreover, threats from botnets (a network of surreptitiously infected computer systems due to malware) have increased drastically.
Cybercriminals purchase access to botnets and use the network of infected computer systems for various crimes, usually financial data thefts, the dissemination of spam, concealing other crimes, or distributed denial of service (DDoS). According to a recent study, every year, almost 25 million compelled authorizations for the disclosure of healthcare records are issued in the United States [6]. According to the Cyber Crime Website of the Department of Justice, USA [7], a company has reportedly suffered a loss of more than USD 100,000 as a result of cybercrime. As per a white paper published by Cyber Unit CCIPS, US Department of Justice, many public and private organizations are increasingly adopting vulnerability disclosure programs, which increase their ability to detect security issues, protect sensitive data, and prevent the disruption of services [8]. A built-in software security framework that includes all security attributes can be a viable and potent solution to numerous security issues [9,10]. It can prove to be a boon to the users, organizations, and governments that spend billions of dollars every year on securing their networks.
Consequently, to secure an individual's data, three major security factors and privacy goals are commonly identified as the CIA (confidentiality, integrity, and availability) triad [11,12]. There is a significant necessity to the CIA triad: confidentiality must be included for highly sensitive data; integrity is essential because it may be fatal to provide an inaccurate procedure based on faulty medical data; and availability is also necessary because the data must be available on time for adequate treatment. In the medical field, the security and privacy of individual data are critical, and it is a major challenge to protect healthcare data [13].
Often, experts in the IT industry have focused on the deployment phase of HWAs to improve security longevity and minimize maintenance costs and time. However, integrating security and unearthing vulnerabilities early in the design phase of web applications can reduce the time and cost of development by minimizing the development team's work [14][15][16]. This reveals the impact of vulnerabilities that can affect healthcare web applications' integrity, violate confidentiality and privacy norms, and exploit loopholes in the design phase. Moreover, security flaws in the design may also cause the application to violate its security and result in the unauthorized disclosure, modification, and destruction of data [17]. The vulnerability may impact exhaustive data theft, malware, and spyware injection that may cause failure in the entire HWA security. In light of this, it has become vitally important in today's environment to ensure security from the early stages of the software development life cycle (SDLC). In accordance with a recent study, software organizations are contemplating implementing a software security risk in the early phase of development rather than depending on the later phase of the SDLC. This step could improve the situation and reduce losses to a substantial level. In addition, techniques of security optimization can further help security practitioners and researchers reduce the time and cost required for developing an HWA system. Moreover, in-depth identification, analysis, and mitigation will deliver a quality product.
Despite the increasing prevalence of HWAs in contemporary healthcare systems, there is a notable research gap in comprehending certain security issues and risk factors pertaining to these applications. Prior research has predominantly focused on generic web application security with minimal emphasis on the specific risks and vulnerabilities that are unique to HWAs. This study aims to address this research gap by:

• Conducting an extensive analysis of the inherent security risks of HWAs, considering factors such as patient data confidentiality, secure data transmission, access control, and authentication.
• Examining the impact of these security risks on the availability, confidentiality, and integrity of sensitive healthcare data.
• Identifying and prioritizing the most significant security risk factors requiring immediate attention and effective mitigation strategies.
• Providing healthcare organizations, developers, and security professionals with actionable recommendations and guidelines to improve the security of HWAs and protect patient data.

This study advances the field of HWA security by addressing these research gaps. The findings provide insights and practical implications for healthcare organizations and security practitioners, allowing them to proactively address the unique security challenges posed by HWAs and safeguard sensitive healthcare data. This research paper contributes significantly to the field of HWA security by introducing the AHP-TOPSIS (Analytic Hierarchy Process-Technique for Order of Preference by Similarity to Ideal Solution) system. Multiple HWAs are scrutinized, and their potential security risks are evaluated using the MCDM approach. The authors conducted an empirical study based on MCDM and have acknowledged numerous studies on the methods of risk management strategies. The proposed methodology is based on risk assessment in HWAs, which identifies, maps, prioritizes, and evaluates the impact of risk factors on various alternatives, as discussed below:

• The identification of security risk factors and attributes: It creates a roadmap for security professionals for the development of secure healthcare web applications. The identification aim is to target key risk factors at the design phase to mitigate them at the earlier phase of the development life cycle.
• Mapping security risk factors with security attributes: This may be done through an in-depth literature survey and expert points of view. It gives developers an understanding and overview, i.e., whether the security requirements are fulfilled or not.
• The prioritization of security risk factors: The authors used fuzzy AHP for the prioritization of security risk factors corresponding to their respective weights and ranks.
• The impact of attributes on alternatives: The fuzzy AHP-TOPSIS is used to evaluate the impact of attributes on different alternatives. The identification and prioritization of the risk factors will provide a path to develop a secure healthcare web application.

The paper is organized in the following manner: Section 2 reviews the existing literature in this domain. Section 3 discusses the software security risk factors along with their related attributes in healthcare web applications. In Section 4, the methodology and numerical analysis of the experimental data are described in depth. The paper is concluded in Section 5 with a succinct analysis and discussion.

Related Work
Several studies have been undertaken by researchers using multiple methodologies and symmetrical techniques to analyze the security of healthcare web applications. Along with fuzzy AHP, symmetrical TOPSIS techniques have been utilized in various domains of interest to improve security measures and handle MCDM (multi-criteria decision-making)-based problems. Considerable research on the security of healthcare web applications has previously been conducted utilizing various methodologies and techniques. The following research studies have been reviewed by the authors in this domain: Abdulaziz et al. (2022) examined big data security by identifying and prioritizing security measures using two hybrid approaches. The approaches include fuzzy AHP and classical AHP. The fuzzy AHP approach quantitatively analyzes as well as prioritizes the different factors based on their weight to enhance overall security. The early identification of vulnerability will heighten the security and durability of big data, which will benefit consumers and enterprises. This study's findings showed that MCDM approaches, i.e., fuzzy AHP, demonstrated more efficient results than classical AHP. It is helpful in the procedures of decision-making to alleviate the problem of uncertainty [18]. Alfakeeh et al. (2022) used AHP-TOPSIS with a hesitant fuzzy technique to forecast the risk of different healthcare applications. This approach is used to measure the security and durability that would help in designing secure healthcare applications. The authors selected 10 alternatives to evaluate the efficiency and security of applications. Among the 10, alternative 6 provided the most efficient and long-lasting security. Furthermore, the authors concluded that security breaches could be considerably mitigated if addressed early in their development phase and prioritized security as the topmost concern [19]. Lotfi et al. (2022) asserted that a strategy called Resilience and Sustainable Health Care Supply Chain (RSHCSC) with VMI, which combines fuzzy and data-driven robust optimization, is suitable for enhancing the inventory management system and addressing unpredictability and disruption. The use of hybrid fuzzy and data-driven robust optimization with a stochastic programming technique was suggested for three RSHCSC models. Essential variables such as fuzzy cut, robustness and resilience coefficient, level of confidence, and size models were subjected to sensitivity analysis. According to the results, as the fuzzy cut, robustification coefficient, confidence level, resiliency coefficient, and CVaR confidence level increase, the number of costs also increases [20]. To determine which maturity model best adheres to TQM (Total Quality Management) principles for Industry 4.0 maturity models, Zceylan and Elibal (2022) used the linguistically fuzzy TOPSIS (Technique for Order Preference by Similarity to Ideal Solution) method for ranking and the DEMATEL (Decision-Making Trial and Evaluation Laboratory) method for weighting criteria. Seven main criteria and 33 supporting factors were used to assess the maturity of four Industry 4.0 models. Researchers and practitioners can use the study's findings to compare, create, and improve Industry 4.0 maturity models [21]. Abushark et al. (2021) defined several taxonomies and created a design hierarchy, incorporating the most prevalent quality evaluation factors, which integrate variables, characteristics, and traits from different Security Requirements Engineering (SRE) methodologies. The fuzzy AHP-TOPSIS model was utilized in this paper as an MCDM (Multiple-Criteria Decision-Making) model. The author defined the STORE technique as a highly consistent and usable approach among all other SRE techniques with a threat-driven approach. In addition, they concluded that STORE elicits security requirements in an efficient and well-organized manner [22].  identified and analyzed the characteristics of security and sustainability. In this study, the fuzzy AHP algorithm was utilized for quantitative assessment, which was verified by four other approaches based on AHP. As a result, the evaluation of security in this study can assist developers in formulating standards that will ensure the development of more secure online applications [23].
Attaallah et al. (2020) discussed security as a critical aspect in the process of software development that must be considered during its development cycle. Thus, the researcher evaluates the effect of security risks using the integrated approach of TOPSIS and fuzzy AHP. This hybrid approach is ideal for evaluating malware analysis on the basis of its impact. According to the evaluation report, among the 10 institutions, the 8th institutional web application was determined as the most efficient and durable security system among all competing options [24]. Al-Zahrani (2020) reviewed healthcare applications to ensure software usability and security by using the hybrid technique. The author suggested that security experts must design a healthcare web application with two intents; it ensures usability, given to fulfill the users rather than ensuring the optimum security and efficacy of security as well as usability in the early development phase [25].
Altowaijri (2020) proposed a framework for the healthcare sector to enhance the healthcare security of cloud computing. The author introduced the concept of master nodes and slave nodes in his architecture to store the data. In this architecture, the master node keeps metadata; on the other side, the responsibility of the slave node is to store data. The sensors can access all consumers' data and ensure its efficiency as it is in a quasi-structured form, and these data are easily accessible. This architecture stores data in encrypted form. It is based on the RSA (Rivest Shamir Adleman) and PKI (Public Key Infrastructure) algorithms, which provide accessibility to authorized users at a certain time to access the data of particular patients [26]. Abu-elezz et al. (2020) investigated healthcare blockchain technology's scoping review with strengths and risks. This research was carried out in three phases: the identification phase, the screening phase, and the eligibility phase. These filtering stages were conducted through a flow diagram of Preferred Reporting Items for Systematic Reviews and Meta-Analysis (PRISMA). Researchers have suggested that this analysis will help to obtain a more precise understanding, owing to various constraints. The findings of this analysis must be viewed with caution, and this scoping review provides useful insights, particularly in medical care [27].

Security Risk Factors and Attributes
Software security is the branch of software engineering that aims to prevent the exploitation of security loopholes in the system and detect possible vulnerabilities that may prove detrimental to the software. The successful implementation of a security plan may converge the developing team's entire focus to select periodic errors/vulnerabilities that may have impacted the healthcare web application system and can prepare a strategy for a timely recovery. In this section, several security attributes and security risk factors are identified on the basis of the literature survey and from the expert's viewpoint. The use of security attributes in the development lifecycle comes under the ambit of security plan specifications at various stages, without which the security of the software system cannot be ensured.

Security Attributes
Security is a multidimensional and comprehensive process that involves a large gamut of operations divided into several stages to ensure the in-depth analysis of security-related challenges and threats. To mitigate the security issues that could affect the performance of a healthcare web application system, the five set attributes are elucidated: confidentiality, integrity, availability, access control, and authentication. These attributes form the basic fundamentals of security; without them, the security of software cannot be ensured. The main reason for using these attributes is to plug in gaps in the healthcare web application structure so that security breaches cannot be made [28].

Confidentiality
Confidentiality ensures that the data are not disclosed to unauthorized users. This attribute has been described as a pillar of healthcare ethics since Hippocrates [29]. It is a broad security concept implemented at all stages of a healthcare web application system, including the processing, storage, retrieval, and display of information. Hence, it strengthens a trusted binding mechanism of design and all its components, assuring that the sanctity of data is preserved in encrypted form and not violated by intruders.

Integrity
Integrity is the accuracy of the data in storage or during transmission. It assures that the end-user's data are not corrupted or tampered with during transmission. In a more expanded form, integrity can be ensured both at the source and destination, which can prevent the unauthorized use of data [30].

Availability
The availability attribute ensures that a system is ready and available for use by an authorized user whenever needed. The availability of a system may be compromised in case of a denial-of-service attack [31]. The availability of a system confirms that the system is ready to be used for all the needed functionalities. The system should be designed in multiple subsystems so that the availability of the system is not jeopardized in case of the failure of any of the subsystems.

Access Control
Access control limits how the system should be used by its legitimate users. The users are required to present credentials to access the system's specific functionality. Depending on respective access controls, role-based accessibility is allocated to users: some of the users may be given complete control of the system, such as the administrators, while other users may be given only limited access, such as the end-users, based on their specific use of the system [32].

Authentication
Authentication is the process of identifying the legitimate user requesting access to the system. A username and password are the most common method of authenticating any user to provide access. The authentication process involves a mechanism that validates authentic users or multiple users to access information. This authentication can be in the form of a security question, SMS, OTP, biometric, RSA, etc. [33].

Security Risk Factors
The demand for security is escalating every day as the IT field expands, resulting in enhanced applications that may require high levels of security. Security typically relies on two integrated viewpoint elements, i.e., effective risk management as well as effective countermeasures [34]. To estimate security risk and ameliorate it, organizations need to identify and address the different types of security characteristics that affect security directly or indirectly. HWAs' security may be enhanced by identifying and mitigating security risks at earlier phases of the SDLC. In this paper, the risk is defined from the perspective of the software vulnerability, taking into account both the likelihood of HWA vulnerability and exploitation impact in a system. This may cause the potential loss, destruction, or damage of assets, while a vulnerability is a weakness that could expose threats within user systems, networks, and applications [35]. A system's security is jeopardized when a vulnerability is discovered but not patched, and new vulnerabilities are identified over the course of a software system's lifespan. As per the studies of existing research and experts' opinions, some of the common security risks are listed below with a concise elucidation (see Table 1).

Table 1. An overview of security risk factors in the design phase.

ACPVPM
This weakness might allow an attacker to modify the variable that contains an unintended value. It is a public method that reads, alters, or modifies a private variable; it may violate other code parts' definitions or values. In addition, if an attacker can read the private variable, it is easy for the attacker to launch more attacks as well as expose sensitive information, and it affects the integrity scope of variables [36].

UPC
An attacker might use this flaw to alter the victim's password and allow him to gain access to the user's data. On the other hand, the application does not require any kind of authentication or knowledge about the user's original password when creating a new password [39].
Access Control, Authentication

RCT
In a multi-threaded environment that uses the locking functionality around code that enforces the system to block, alter, and read persistent data. If a resource is used concurrently by two execution threads, there is a risk that invalid resources can be used. It is mainly introduced in programming when the critical resource is changed by two or more execution threads [40].

USP
This weakness might allow attackers to access data files in an unauthorized way or unexpectedly change configuration settings to execute their programs. Such programs will enable the application to find critical resources using a search path, which an attacker may alter through malicious code [41].
Confidentiality, Integrity, Availability, Access Control

DCIC
The main drawback of this weakness is that the program's executable code or source code is downloaded without verifying its data integrity and origin. The absence of authentication makes it possible for attackers to fool the machine by executing malicious code or altering the source code [42].

RC
In this flaw, concurrent operations are executed on a single resource without proper synchronization. The code requires that certain states should not be modified between two operations, but a timing window exists in which the state can be modified by an unexpected actor or process. Such conditions allow a remote user to take advantage of the race by executing a series of commands and conducting a DoS (denial of service) attack [43].

EITV
The critical internal variables are initialized by software or stored data by using input fields that can be manipulated by unauthorized users. If any variables have been externally initialized, they should be distrusted, specifically in the case of users, because there is the possibility of incorrect initialization. The improper initialization of variables may interrupt the software response and create vulnerabilities in software security [44].

ICMD
This vulnerability occurs when software uses an upstream component (client to server) to receive input data that defines several variables, fields, or properties in an object that should be updated or initialized. However, it is unable to appropriately control which attributes may be modified. If any attributes of an object are solely meant for internal use, then their unintentional modification may result in a security flaw [45].

Methodology
Web application security is one of the chief concerns that define the application's reliability, lifespan, and efficiency for both end-users and developers. In order to raise the caliber of a web application, security estimation is essential in the design phase that extends the security lifespan. Apart from technological progress in the development sector, numerous statistics have shown data breach instances that have affected the privacy of patients and the eminence of HMS. This section delineates the MCDM-based fuzzy methodology to evaluate security attributes and their risk factors.
The integrated approach of fuzzy AHP and fuzzy TOPSIS is extremely proficient to scrutinize healthcare web application security from the design tactics viewpoint for gauging HWAs' rankings and fix their security risks. The current study involves various aspects for designing a security risk estimation framework, such as the identification of factors, the mapping of security risk factors with their corresponding security attributes, the assessment of risk factors, and statistical analysis. The mapping matrix is based on synchronizing the top 10 security risk factors, i.e., ACPVPM, PCF, MESD, UPC, RCT, USP, DCIC, RC, EITV, and ICMD, which are mapped with their security attributes such as CIA, Access Control, and Authentication (see Figure 2). For evaluating the risk factors of healthcare web applications, the hierarchical structure is represented graphically. All the classifying factors and sub-factors for the data processing algorithm, in order to generate the research finding were identified using a literature review and a consultation with experts. The researcher of this review discovered that specialists had used fuzzy theory along with AHP to examine the imprecise real-world challenges because they are exceedingly ambiguous [46]. The precise details of these approaches are discussed in the subsequent section.

Fuzzy AHP
Fuzzy AHP is a powerful prescript for addressing arduous conclusive problems, and all the complicated problems may be evaluated through various classed levels of objectives. To solve the arduousness of a complex problem, fuzzy AHP divides it into a tree-like structure. In addition, for the estimation of the priority of various alternatives with multiple criteria in a hierarchical structure, it is also utilized as a decision-making technique [47]. The fuzzy AHP is based on fuzzy interval arithmetic, which uses the TFN to compute the weights of elements. Saaty was the first who proposed the AHP technique [48]. To deal with imprecision in multi-criteria decision problems, it merely uses the pair-wise comparison matrix [49]. The triangular fuzzy numbers are used in this model to represent linguistic variables and to conduct fuzzy operations using AHP. To deal with the uncertainty caused by imprecision and vagueness, Zadeh developed the fuzzy set theory [50].
On the basis of experts' viewpoints as well as responses via questionnaire or brainstorming, the tree structure is prepared, and after that, a triangular fuzzy number (TFN) is constructed from the hierarchy. In addition, a pair-wise comparison of every cluster of grouped objectives makes a significant contribution to determining the impact of one criterion on the other. The researcher converts the linguistic values into TFNs as well as crisp numbers, and in this study, the values of the TFN are between 0 and 1 [51]. The computational simplicity of triangular fuzzy membership functions, as well as their ability to deal with fuzzy data, is the reason for their widespread acceptance [52]. Additionally, the linguistic values are classified as equally important, fairly important, strongly important, weakly important, absolutely important, etc., and apart from these, the crisp values are grouped as {1, 2, ..., 9}. Furthermore, a fuzzy number TFN $\mu_a(t)$ is defined by the triangular membership function, where $l_o$, $m_i$, and $u_p$ are given as limits (i.e., lower limit, middle limit, and upper limit, respectively), as shown in Figure 3, and the membership functions are depicted in Equations (1) and (2):
$(l_o, m_i, u_p)$ is depicted as a TFN in a quantitative manner, and experts have assigned ratings to the factors affecting the values using the scale shown in Table 2.
Table 2 (fragment). Absolutely important: (9, 9, 9). 2, intermittent values between: (1, 2, 3).
In the conversion of numeric values into TFNs, Equations (3)-(6) are used [51][52][53]; the TFNs are designated as $(l_{o_{jk}}, m_{i_{jk}}, u_{p_{jk}})$, where $l_{o_{jk}}$ is the lower, $m_{i_{jk}}$ is the middle, and $u_{p_{jk}}$ is the higher value. In Equations (3)-(6), $R_{jkz}$ indicates the relative importance of the values between two factors, which is given by security expert $z$, where $j$ and $k$ signify a pair of factors being decided by security experts. $n_{jk}$ is evaluated for a specific comparison on the basis of the geometric mean of the experts' opinions, using the TFN $n_{jk}$, whose lower, middle, and upper values satisfy $l_{o_{jk}} \le m_{i_{jk}} \le u_{p_{jk}}$. Additionally, TFN[$n_{jk}$] is recognized by Equation (3).
where $\tilde{x}^{z}_{jk}$ represents the $z$th decision maker's preference of the $j$th criterion over the $k$th criterion. When there are multiple decision-makers, Equation (8) is used to calculate the average of each decision-maker's preferences.
After that, with the help of Equation (9) and based on average preferences, pair-wise comparison matrices are updated for all the factors in the hierarchy.
The fuzzy geometrical mean and fuzzy weights of each factor are then described using the geometrical mean technique, as indicated in Equation (10). After that, with the help of Equation (11), the fuzzy weight of the factor is concluded.
Further, with the help of Equations (12) and (13), the average and normalized weight criteria may be calculated.
$$N\_wt_i = \frac{Avg_i}{Avg_1 \oplus Avg_2 \oplus \cdots \oplus Avg_n} \qquad (13)$$
Furthermore, to compute the BNP value of the fuzzy weights, the Centre of Area (COA) approach is applied for every measurement with the help of Equation (14).

Fuzzy TOPSIS
Fuzzy TOPSIS is one of the foremost approaches for determining the ideal solution among analogous alternatives. Besides this, it can be preferred to automate the procedure and eliminate confusion and ambiguity in the selected criteria. This is a linear weighting technique that was first put forth by Chen and Hwang (1992), citing Hwang and Yoon (1981). TOPSIS contemplates the MCDM view with m choices as a geometric arrangement with m points in the n-dimensional space of factors. The method utilized in this study is based on the assumption, i.e., the maximum and minimum ideal solutions, respectively.
To induce an ideal solution, the selected alternative must be closest to the Fuzzy Positive Ideal Solution (FPIS) and farthest from the Fuzzy Negative Ideal Solution (FNIS) [54]. Shadbegian and Gray stated that security experts might encounter some issues with the allocation of specific performance ratings of any alternative on the basis of factors. The relevant phases of the Fuzzy AHP-TOPSIS method are presented in the flow chart below (see Figure 4).
This procedure allocates fuzzy numbers in place of specific numbers to represent the relative significance of a factor for consistency with real-world fuzzy surroundings. Furthermore, the fuzzy AHP-TOPSIS technique is well suited to solve group decision-making problems in fuzzy contexts. Figure 4 illustrates the comprehensive procedure for achieving weights as well as the estimation of the viability of the fuzzy AHP-TOPSIS method. Firstly, the researcher determines the weights of the evaluation factors. With the help of Equations (1)-(14), the current research applies the fuzzy AHP process to derive fuzzy weight. In addition, a fuzzy decision matrix is created by researchers with the help of Table 3 and Equation (15), and relevant linguistic variables are chosen as alternatives for the criterion.
Table 3. Linguistic scales for the rating.
In addition, researchers discovered the closeness coefficients (i.e., relative gaps-degree) and generated alternatives for the achievement of aspiration levels in each factor. To improve the alternatives, Chou et al. proposed that Q ∼ Q j is cleared to evaluate the fuzzy gaps-degree on the basis of the fuzzy closeness coefficients [51]. The similarity to the ideal solution is determined after evaluating the $\widetilde{Dis}_j^{+}$ and $\widetilde{Dis}_j^{-}$ of each alternative and is depicted in Equation (23).
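The two stages described above, fuzzy AHP weighting followed by fuzzy TOPSIS ranking, are traced end to end in the following Python example, which is added here and is not the authors' code. It assumes the standard formulations (Buckley's geometric-mean fuzzy AHP, centre-of-area BNP, vertex distance, FPIS/FNIS taken from column extremes), which may differ in detail from the paper's Equations (1)-(23); the three-criterion subset, the expert judgments, the ratings, and the names APP-A, APP-B and APP-C are constructed.

```python
# Added example (not the paper's code). Assumed standard formulations: Buckley's
# geometric-mean fuzzy AHP, centre-of-area BNP, vertex distance, and FPIS/FNIS
# taken from column extremes. All judgments, ratings and names are constructed.
from math import prod, sqrt

def aggregate(opinions):
    """Component-wise geometric mean of several experts' TFNs (l, m, u)."""
    k = len(opinions)
    return tuple(prod(o[i] for o in opinions) ** (1 / k) for i in range(3))

def comparison_matrix(judgments, n):
    """Build an n x n TFN matrix from upper-triangle judgments {(j, k): [TFN, ...]}."""
    mat = [[(1.0, 1.0, 1.0)] * n for _ in range(n)]
    for (j, k), opinions in judgments.items():
        l, m, u = aggregate(opinions)
        mat[j][k] = (l, m, u)
        mat[k][j] = (1 / u, 1 / m, 1 / l)  # reciprocal; bounds swap so l <= m <= u
    return mat

def fuzzy_ahp_weights(mat):
    """Row geometric mean -> fuzzy weight -> BNP (centre of area) -> normalised crisp weight."""
    n = len(mat)
    r = [tuple(prod(row[j][i] for j in range(n)) ** (1 / n) for i in range(3)) for row in mat]
    tot = [sum(x[i] for x in r) for i in range(3)]
    # multiplying by the inverse of the fuzzy total pairs lower with upper and vice versa
    fuzzy_w = [(x[0] / tot[2], x[1] / tot[1], x[2] / tot[0]) for x in r]
    bnp = [l + ((u - l) + (m - l)) / 3 for l, m, u in fuzzy_w]
    return [b / sum(bnp) for b in bnp]

def distance(a, b):
    """Vertex distance between two TFNs."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / 3)

def fuzzy_topsis(ratings, weights):
    """Closeness coefficient per alternative. ratings[name] holds one TFN per
    criterion; every criterion is a benefit (higher = attribute better met)."""
    n = len(weights)
    top = [max(r[j][2] for r in ratings.values()) for j in range(n)]
    v = {a: [tuple(weights[j] * x / top[j] for x in r[j]) for j in range(n)]
         for a, r in ratings.items()}  # weighted normalised decision matrix
    fpis = [(max(r[j][2] for r in v.values()),) * 3 for j in range(n)]
    fnis = [(min(r[j][0] for r in v.values()),) * 3 for j in range(n)]
    cc = {}
    for a, r in v.items():
        d_pos = sum(distance(r[j], fpis[j]) for j in range(n))
        d_neg = sum(distance(r[j], fnis[j]) for j in range(n))
        cc[a] = d_neg / (d_pos + d_neg)
    return cc

def rank(cc):
    """Alternatives ordered best first (largest closeness coefficient)."""
    return sorted(cc, key=cc.get, reverse=True)

# Constructed judgments from two hypothetical experts per pair of criteria.
CRITERIA = ["Confidentiality", "Integrity", "Availability"]
JUDGMENTS = {
    (0, 1): [(1, 2, 3), (3, 4, 5)],  # Confidentiality vs Integrity
    (0, 2): [(3, 4, 5), (5, 6, 7)],  # Confidentiality vs Availability
    (1, 2): [(1, 1, 1), (2, 3, 4)],  # Integrity vs Availability
}
# Constructed ratings on a 0-10 scale for three hypothetical applications.
RATINGS = {
    "APP-A": [(7, 9, 10), (7, 9, 10), (5, 7, 9)],
    "APP-B": [(5, 7, 9), (3, 5, 7), (1, 3, 5)],
    "APP-C": [(1, 3, 5), (3, 5, 7), (7, 9, 10)],
}

WEIGHTS = fuzzy_ahp_weights(comparison_matrix(JUDGMENTS, len(CRITERIA)))
AHP_RANK = rank(fuzzy_topsis(RATINGS, WEIGHTS))        # ['APP-A', 'APP-B', 'APP-C']
EQUAL_RANK = rank(fuzzy_topsis(RATINGS, [1 / 3] * 3))  # ['APP-A', 'APP-C', 'APP-B']

if __name__ == "__main__":
    print([round(w, 3) for w in WEIGHTS], AHP_RANK, EQUAL_RANK)
```

Re-running the ranking with equal weights swaps APP-B and APP-C, which shows how strongly the final order depends on the weights produced by the AHP stage.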

Empirical Data Analysis and Results
Generally, qualitative assessment seems to be suitable for the assessment of long-term security. It is quite difficult to perform a qualitative assessment of healthcare web application security. Security strategy is prepared on the basis of results drawn from global collaborative activities. In recent years, security professionals have amassed a large number of security policies [52]. Several firms are currently adopting high-end security healthcare web applications. The impact of security attributes on healthcare web applications plays a crucial role in ensuring security [55][56][57][58][59][60]. This study identifies various security attributes and risk factors. For the purpose of assessment, the identified security attributes and risk factors are linked together to establish a relationship among them. For assessment, T11, T12, and T13 are represented as the attributes of confidentiality at level 2 with respect to security. T21, T22, T23, T24, T25, T26, T27, and T28 are represented as the attributes of integrity at level 2 with respect to security. T31 is represented as the attribute of availability at level 2 with respect to security. T41, T42, T43, and T44 are represented as the attributes of access control at level 2 with respect to security. T51 and T52 are represented as the attributes of authentication at level 2 with respect to security. This study uses the opinions of 70 professionals from academia and industry in order to compile the data. The estimation of security via fuzzy AHP-TOPSIS has been assessed by using Equations (1)-(23) as follows.
The researcher converted the linguistic values into numeric values as well as aggregated TFN values by using Table 2 and Equations (1)-(6). Additionally, Equation (7) was used to create the pair-wise comparison matrices for level 1 attributes, as shown in Table 4. Similarly, Tables 5-8 show the fuzzy pair-wise comparison matrices through the hierarchy at level 2.
The researcher calculated the fuzzy weights of factors with the help of Equations (8)-(10), and the weight of each element is calculated using Equations (11)-(13). Additionally, the BNP values (i.e., best non-fuzzy performance) of each attribute are calculated via Equation (14). Thereafter, the weights for the continuing attributes may be determined and shown in Tables 9-13, which depict the local and dependent weight of attributes according to Figure 4. Table 14 shows the global weight of every attribute of security. Now, the researcher must figure out the impact of risk factors on altering preferences with respect to criteria. Ten successive healthcare web applications (i.e., HWA1, HWA2, HWA3, HWA4, HWA5, HWA6, HWA7, HWA8, HWA9, and HWA10) from the local hospitals of Uttar Pradesh, India, were taken to estimate the security risk. The researcher gathered input on the technological data with the help of Table 3 for all 10 alternatives, as depicted in Table 15. The researcher assessed the normalized fuzzy decision matrix, as shown in Table 16, by using Equations (15)-(18), and evaluated the weighted normalized fuzzy decision matrix, as shown in Table 17. Additionally, the researcher assessed the satisfaction degree and gap degree by using Equations (22) and (23), as depicted in Table 18. Finally, the obtained global weight of factors from fuzzy AHP is considered as input data for the fuzzy TOPSIS approach, which produces a rank for alternatives.
Now, the performance may be tested by using fuzzy AHP-TOPSIS. The determined performance of ten healthcare web application alternatives is as follows: HWA1, HWA7, HWA10, HWA4, HWA2, HWA3, HWA5, HWA9, HWA8, and HWA6. According to the findings of this study, HWA1 produced the finest result (see Table 18 and Figure 5).

Sensitivity Analysis
Sensitivity analysis is a threat-to-validity procedure that allows security practitioners to validate their results through numerical calculations. Additionally, it gives security experts an idea of how various sources of outcomes may affect the proposed model. This section provides a clear perception of the effectiveness as well as the certainty of the results by altering the crucial criteria. To perform the sensitivity analysis, the researcher has chosen 10 alternatives on which to implement the threat-to-validity procedure. The detailed results of the sensitivity analysis are shown in Table 19. Furthermore, a graphical representation of the sensitivity analysis is depicted in Figure 6 for easy and detailed information.

The first row of Table 19 shows the original weights of this study. The calculated results are acceptable, and it is clear from Table 19 that the deviation across all the security risk factors is negligible. The results of the sensitivity analysis are dependent on the weight of the security risk factors.

Comparison of the Results
MCDM approaches are used in a number of research initiatives to assess various factors and their impact on various fields. A comparison of results from different approaches may provide a considerable as well as clear perspective on computed results. In addition, comparing the outcomes of the same data through different approaches is a crucial part of scientific calculation. For comparing the results of fuzzy AHP-TOPSIS, the researcher used various techniques, including classical ANP-TOPSIS, classical AHP-TOPSIS, and the Simple Average Method.
This type of comparison illustrates the capabilities and accuracy of the chosen approach. In comparison to the preceding techniques, the results of the fuzzy AHP-TOPSIS can confer a more precise and preferable result, as shown in Table 20 and Figure 7.

Discussion and Conclusions
The design phase is the backbone of any application irrespective of its nature and area of use. Software development organizations have shown enormous growth, which calls for highly secured web applications. Recent trends demonstrate that the healthcare industry has turned to deploying web applications rather than conventional forms. This dependency on technology raises security concerns, as securing patients' sensitive data and hospital data becomes a critical priority. IT industries and researchers are currently paying more attention to security. As a solution to these issues, developers should strive to develop an end-to-end framework for assessing the security risks associated with healthcare web applications in order to detect, evaluate, and reduce those risks. This paper proposed an integrated approach of fuzzy AHP and fuzzy TOPSIS to evaluate the security risk factors. The aim of this study was to determine the priorities based on the ranking and weighting of security attributes using the MCDM process, which demonstrates the use of an analytical hierarchical approach, through which the application becomes more secure and trustworthy. The fuzzy AHP approach can be used to prioritize the security attributes in terms of well-profiling because no attempts have been made to quantitatively prioritize and rank the security attributes that may affect the functionality of HWA security and their trade-offs. For the estimation of security risk, this combined fuzzy AHP-TOPSIS approach was applied. This proposed model was examined for ten successive healthcare web applications from the local hospitals of Uttar Pradesh, India, to determine the impact of risk factors on altering preferences with respect to criteria.
The weight and priority of risk factors are quantified by fuzzy AHP, whereas the impact of attributes on different alternatives is determined with the help of fuzzy AHP-TOPSIS. The fuzzy TOPSIS approach uses the global weight of components produced from fuzzy AHP as input to generate a rank for alternatives. The performance has now been evaluated with fuzzy AHP-TOPSIS, and with a performance score of 0.6322, HWA1 was deemed to be the best among the 10 alternatives. It provides the finest security system in terms of security methods. The determined performance of the other healthcare web application alternatives is, in order, HWA7, HWA10, HWA4, HWA2, HWA3, HWA5, HWA9, HWA8, and HWA6, with performance scores of 0.6138, 0.6130, 0.5748, 0.5224, 0.4851, 0.4679, 0.4667, 0.4638, and 0.3597. The findings of this study corroborate that mitigating risk in the design phase assists the developer in building a more secure web application. As security breaches are becoming more frequent, it is imperative to create security standards that also emphasize security benchmarks. Consequently, prioritizing security attributes would undoubtedly aid web application developers in enhancing security. In addition, the researcher advised that the proposed framework may be used to set the benchmark for any organization. This may also form the basis for the development of new, modified, or refined approaches that may encourage other researchers to undertake the development of other new methods in this area.