Cyber-worthiness as it is termed in Australian Defence, or cyber-maturity more broadly, is a necessary feature of modern complex systems which are required to operate in a hostile cyber environment. To evaluate the cyber-worthiness of complex systems, an assessment methodology is required to examine a complex system's or system-of-system's vulnerability to and risk of cyber-attacks that can compromise such systems. This assessment methodology should address the cyber-attack surface and threat kill chains, including supply chains and supporting infrastructure. A cyber-worthiness capability assessment methodology has been developed based on model-based systems engineering concepts to analyse the cyber-worthiness of complex systems and present a risk assessment of various cyber threats to the complex system. This methodology incorporates modelling and simulation methods that provide organisations greater visibility and consistency across diverse systems, especially to drive cybersecurity controls, investment and operational decisions involving aggregated systems. In this paper, the developed methodology will be presented in detail and hypothesised outcomes will be discussed.