In the domain of IoT security management, we consider attack vulnerabilities and how to identify those so as to prevent attacks from spreading. More specifically, inspired by this problem for Smart Home Internet of Things (SHIoT), we take a complex network framework in which an IoT system attack graph can be cast. We then address the problem of assessing the worst vulnerability, that is the one that has the potential to cause maximum damage, in the SHIoT. Due to the non-additive nature of an attack path’s attack probability, we show how the problem can be modeled so that a shortest path-based algorithm approach can be used to determine the worst vulnerability. We then illustrate an approach to iteratively fortify the environment to reduce impact from vulnerability. Finally, we show an approach to use Common Vulnerability Scoring System (CVSS) to determine attack probabilities on arcs in the attack graph and present analysis on representative attack graphs for small to large attack graphs.