Today’s smart spaces deploy various IoT devices to offer services for occupants. Such devices are exposed to security risks that may pose serious threats to network services and users’ privacy. To avoid the disruption of normal operations, self-protecting solutions have been developed to allow IoT networks to autonomously respond to cyber threats in real-time. However, existing self-protecting systems focus solely on architectural adaptations to respond to cyber threats, overlooking the mitigation actions described in cybersecurity standards –which represent the correct cybersecurity posture– as well as the impact of the adaptation strategies on the Quality-of-Service (QoS) performance. To overcome these existing limitations, this paper presents SPARQ, a novel framework for designing self-protecting IoT systems that considers both the security exposure to cyber attacks and the QoS performance. We leverage Attack Graph as a threat model for analyzing the cyber exposure of the system and Queuing Network Models to analyze QoS in IoT systems. Based on the analysis outcomes, SPARQ provides mitigation plans to reduce the cyber risk while also minimizing the impact on QoS. We evaluate the proposed approach on two use cases from real-world scenarios including a critical infrastructure and a smart home. The experimental evaluation shows that SPARQ is capable of reducing the cyber risk significantly while also improving the QoS performance by 35% compared to existing approaches.