The industrial control systems (ICSs) and instrumentation and control (I&C) systems of nuclear power plants (NPPs) have changed from analog systems to digital systems. Digital systems offer maintenance and usability advantages, but are prone to cyberattacks. The conventional belief that digital systems are essentially free from cyberattacks owing to the presence of air gaps has been negated by several attacks on actual NPPs. Theoretically, a system can be secured by using all possible security measures. However, in reality, the resources available for cybersecurity are limited. Therefore, the efficient distribution of resources is a critical issue. Conventional methods have mainly focused on impairment failure. In this study, we propose a system that suggests the most attractive attack path while considering both type 1 (impairment failure) and type 2 (Byzantine failure) security failures. The proposed algorithm consists of two parts: a graph map that evaluates the attractiveness of an attack path, and a path-finding part that searches for the shortest path in the graph map. To quantify the attractiveness of an attack path, we propose a resistance concept. In addition, we quantify the importance of components in the system using the PageRank algorithm. We adopt Dijkstra's algorithm to automatically determine the most attractive path. With the proposed methodology, it is expected that an attractive attack path that considers both type 1 and type 2 security failures can be found, and a corresponding efficient cybersecurity strategy can be established. © 2021 Elsevier Ltd. All rights reserved.
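An added sketch of the pipeline the abstract outlines (PageRank importance, a resistance-weighted graph map, Dijkstra search), showing how a defender can see which hops to harden first; it is not the paper's code. The topology, the resistance values and the way `edge_cost` combines resistance with importance are assumptions, since the abstract does not give them, and type 1 / type 2 failures are not modelled.

```python
import heapq

# Constructed I&C topology (not from the paper): directed hop -> resistance,
# on an assumed scale where a higher value means the hop is better defended.
RESISTANCE = {
    ("business_lan", "historian"): 3.0,
    ("business_lan", "eng_ws"): 4.0,
    ("historian", "hmi"): 3.0,
    ("eng_ws", "hmi"): 5.0,
    ("eng_ws", "safety_plc"): 8.0,
    ("hmi", "control_plc"): 2.5,
    ("hmi", "safety_plc"): 7.0,
    ("control_plc", "safety_plc"): 3.0,
}
NODES = sorted({n for edge in RESISTANCE for n in edge})
OUT = {n: [v for (u, v) in RESISTANCE if u == n] for n in NODES}

def pagerank(damping=0.85, iters=100):
    """Power-iteration PageRank; a dangling node spreads its rank uniformly."""
    rank = {n: 1.0 / len(NODES) for n in NODES}
    for _ in range(iters):
        dangling = sum(rank[n] for n in NODES if not OUT[n])
        new = {n: (1 - damping + damping * dangling) / len(NODES) for n in NODES}
        for u in NODES:
            for v in OUT[u]:
                new[v] += damping * rank[u] / len(OUT[u])
        rank = new
    return rank

def edge_cost(u, v, rank=None):
    # Assumed combination: resistance discounted by the importance of the
    # component reached. With rank=None the cost is the raw resistance.
    return RESISTANCE[(u, v)] * (1.0 - (rank[v] if rank else 0.0))

def most_attractive_path(src, dst, rank=None):
    """Dijkstra over edge_cost; returns (cost, path) or (inf, []) if unreachable."""
    heap, done = [(0.0, src, [src])], set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if node in done:
            continue
        done.add(node)
        for v in OUT[node]:
            if v not in done:
                heapq.heappush(heap, (cost + edge_cost(node, v, rank), v, path + [v]))
    return float("inf"), []
```

On this constructed graph the raw-resistance search returns the four-hop route through the historian, while weighting by importance moves the lowest-cost route to the direct hop from the engineering workstation, which is where added resistance buys the most.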