Article
Peer-Review Record

Sustainable Development of Smart Regions via Cybersecurity of National Infrastructure: A Fuzzy Risk Assessment Approach

Sustainability 2025, 17(19), 8757; https://doi.org/10.3390/su17198757
by Oleksandr Korchenko 1,2, Oleksandr Korystin 3,4,5, Volodymyr Shulha 2, Svitlana Kazmirchuk 2, Serhii Demediuk 6,7 and Serhii Zybin 2,*
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Submission received: 10 August 2025 / Revised: 16 September 2025 / Accepted: 25 September 2025 / Published: 29 September 2025

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

In general, the reviewed article makes a good impression, as it contains a new approach to risk assessment in critical information infrastructure systems. However, before accepting the article, I suggest that the authors pay attention to the following remarks and recommendations:

  1. The term "adaptive" in the phrase "adaptive fuzzy model" does not correspond to the traditional use of this term, because the model does not adapt here to changes in data (signals), but simply takes into account and displays the necessary properties and conditions of the modeling object.
  2. Various risk assessment technologies are given in the work, but their shortcomings are almost not described, which weakens the need for the development of a new technology.
  3. In my opinion, a significant drawback of the fuzzy technology of risk assessment is the presence of a significant subjective (non-objective) factor in it, which is caused by the subjectivity of expert judgments and the subjectivity of the choice of the type of indicator functions. Unlike the probability of an event, which can be estimated on the basis of objective statistical procedures for processing real data, where the Central Limit Theorem applies, there are no such objective procedures for evaluation of indicator functions. Expert knowledge alone does not guarantee the reliability of risk assessment, as it uncontrollably depends on a sample of experts (different groups of experts may have significantly different risk assessments).
  4. It should be noted that the procedures for averaging the subjective assessments of experts are not the best approach, especially when the level of awareness of experts is quite different. For some reason, the authors did not investigate measures of deviation of expert assessments from average assessment, for example, standard deviation or variance. After all, such measures could in a certain way characterize the reliability of a fuzzy technology. It is known that the greater the variance, the less confidence in the average values!
  5. In addition to the subjectivity of the risk assessment technology, its drawback is the dependence on a large number of experts, which is financially costly.
  6. There is no verification procedure of the developed technology in the work, only examples of its use for some partial cases are given.
  7. There are no qualitative and quantitative comparisons of new results with known ones.
  8. It is worth separating the general description (abstract symbolism) of the proposed fuzzy technology and its use for calculating a specific example of its application (numerical calculations).
  9. Almost all formulas for 𝐿 and 𝑃C are identical in structure and can be represented by one formula with an index that takes its values from a two-element set. This will significantly reduce the volume of the article and will not burden the reader with significant duplication of information.
  10. There are certain mathematical inaccuracies in formulas (1), (2), because their left parts do not contain the two variables 𝑛𝑡, 𝑛r, which are in their right parts.

Author Response

Comments 1: The term "adaptive" in the phrase "adaptive fuzzy model" does not correspond to the traditional use of this term, because the model does not adapt here to changes in data (signals), but simply takes into account and displays the necessary properties and conditions of the modeling object.

Response 1:

We agree with this comment. The comment is taken into account (the word "ADAPTIVE" has been removed from the text while preserving the logic of the article's text).

 

Comments 2: Various risk assessment technologies are given in the work, but their shortcomings are almost not described, which weakens the need for the development of a new technology.

Response 2:

This is not the first time that the author team has been working on the problem defined by the subject of the study. Moreover, this article is a logical continuation, based on a deepening of the research methodology. It is logical therefore that the previous results are not described (to avoid incorrect presentation of scientific texts), but only a reference to the source is indicated - the previous publication (the reference # 3 - Oleksandr Evgeniyovych, Korystin, Oleksandr, Korchenko, Svitlana, Kazmirchuk, Serhii, Demediuk, & Oleksandr Oleksandrovych, Korystin (2024). Comparative Risk Assessment of Cyber Threats Based on Average and Fuzzy Sets Theory, International Journal of Computer Network and Information Security (IJCNIS), 16 (1), 24-34. https://doi.org/10.5815/ijcnis.2024.01.02).

The shortcomings of existing risk assessment systems have been investigated by the authors in a monograph that is in the open access, so this article did not focus on this issue (https://er.nau.edu.ua/server/api/core/bitstreams/9c00d285-8b50-46d1-967d-5f5dc82d1205/content - Ukrainian language).

 

Comments 3: In my opinion, a significant drawback of the fuzzy technology of risk assessment is the presence of a significant subjective (non-objective) factor in it, which is caused by the subjectivity of expert judgments and the subjectivity of the choice of the type of indicator functions. Unlike the probability of an event, which can be estimated on the basis of objective statistical procedures for processing real data, where the Central Limit Theorem applies, there are no such objective procedures for evaluation of indicator functions. Expert knowledge alone does not guarantee the reliability of risk assessment, as it uncontrollably depends on a sample of experts (different groups of experts may have significantly different risk assessments).

Response 3:

The opinion is debatable. The authors of the publication have their own vision of the problem, which they note in their numerous works.

 

Comments 4: It should be noted that the procedures for averaging the subjective assessments of experts are not the best approach, especially when the level of awareness of experts is quite different. For some reason, the authors did not investigate measures of deviation of expert assessments from average assessment, for example, standard deviation or variance. After all, such measures could in a certain way characterize the reliability of a fuzzy technology. It is known that the greater the variance, the less confidence in the average values!

Response 4:

The opinion is debatable. The authors of the publication have their own vision of the problem, which they note in their numerous works.

 

Comments 5: In addition to the subjectivity of the risk assessment technology, its drawback is the dependence on a large number of experts, which is financially costly.

Response 5:

We agree with this comment.

 

Comments 6: There is no verification procedure of the developed technology in the work, only examples of its use for some partial cases are given.

Response 6:

We agree with this comment.

This is a very profound observation that requires additional scientific development and practical experimental application.

The verification of the developed technology has been carried out experimentally during its practical application, and as is known, practice is also one of the criteria of truth.

 

Comments 7: There are no qualitative and quantitative comparisons of new results with known ones.

Response 7:

We agree with this comment.

 

Comments 8: It is worth separating the general description (abstract symbolism) of the proposed fuzzy technology and its use for calculating a specific example of its application (numerical calculations).

Response 8:

We agree with this comment.

This is an important suggestion that will be used in subsequent studies, but it does not affect the conclusions and results in essence. Here the authors proceeded from the logic of reducing the number of cross-references, so the examples were given immediately after the description in the general case.

 

Comments 9: Almost all formulas for 𝐿 and 𝑃C are identical in structure and can be represented by one formula with an index that takes its values from a two-element set. This will significantly reduce the volume of the article and will not burden the reader with significant duplication of information.

Response 9:

This is a valid comment, but the authors proceeded from the logic that providing additional formulaic explanations would facilitate the reproduction of the results obtained in the work by the reader's independent verification.

 

Comments 10: There are certain mathematical inaccuracies in formulas (1), (2), because their left parts do not contain the two variables 𝑛𝑡, 𝑛r, which are in their right parts.

Response 10:

This is a valid comment, but in fuzzy set theory, a practice has taken hold whereby, to simplify the notation of a fuzzy number, only a tilde is used (the left part of the formulas), and the components of which they consist (the right part of the formulas) are already accompanied by arguments. This can be compared with the similar notations y(x) = x² or y = x².

Reviewer 2 Report

Comments and Suggestions for Authors

This paper proposes a nine-stage fuzzy risk assessment methodology for evaluating hybrid cyber threats to critical infrastructure in smart regions. The authors apply fuzzy set theory and logic-linguistic analysis to handle uncertainty in expert judgments. They validate their approach using data from 298 cybersecurity experts in Ukraine, assessing 21 types of hybrid threats.

 

Major Weaknesses:

1) The methodology is tested only on Ukrainian cybersecurity threats. No validation across different sectors, countries, or threat types is provided. This severely limits claims about the method's general applicability.

2) The authors provide no comparison with existing risk assessment frameworks. How does this approach perform against traditional methods?

3) There is no comparison with simpler approaches. Would a basic weighted scoring system produce similar results with less complexity?

4) The paper provides no details about expert selection criteria, qualifications, or potential biases. This undermines the validity of the expert judgments that form the foundation of the approach.

5) The selection of trapezoidal fuzzy numbers and specific interval ranges appears arbitrary. No justification is provided for these critical design decisions.

6) The authors claim their method improves decision-making but provide no evidence of actual improvement in security outcomes.

7) Despite proposing a computational method, no code or tools are provided. This makes independent verification impossible.

8) How does the method perform with larger numbers of threats or experts? The computational complexity is not discussed.

 

Recommendations for Improvement:

1) Test the methodology in different sectors and countries.

2) Compare performance against established risk assessment methods.

3) Make code and data available for independent verification.

4) Show how robust the results are to parameter changes.

5) Provide details about expert qualifications and selection process.

6) Focus on core contributions and reduce unnecessary complexity.

7) Acknowledge boundary conditions and failure modes.

 

Conclusion

This paper addresses an important problem and proposes a mathematically sound approach. However, it suffers from significant limitations in validation, generalizability, and practical implementation.

 

Recommendation: Major revisions required before publication consideration.

Author Response

Comments 1: The methodology is tested only on Ukrainian cybersecurity threats. No validation across different sectors, countries, or threat types is provided. This severely limits claims about the method's general applicability.

Response 1:

The specificity of the methodology is based on the fact that domestic data have been used. Comparing the results with other countries could be a topic for future research.

 

Comments 2: The authors provide no comparison with existing risk assessment frameworks. How does this approach perform against traditional methods?

Response 2:

This is not the first time that the author team has been working on the problem defined by the subject of the study. And this article is a logical continuation, based on a deepening of the research methodology. It is logical therefore that the previous results are not described (to avoid incorrect presentation of scientific texts), but only a reference to the source is indicated - the previous publication (the reference # 3 - Oleksandr Evgeniyovych, Korystin, Oleksandr, Korchenko, Svitlana, Kazmirchuk, Serhii, Demediuk, & Oleksandr Oleksandrovych, Korystin (2024). Comparative Risk Assessment of Cyber Threats Based on Average and Fuzzy Sets Theory, International Journal of Computer Network and Information Security (IJCNIS), 16 (1), 24-34. https://doi.org/10.5815/ijcnis.2024.01.02).

Therefore, the justification of the advantage of the used method and the limitations of other systems is contained in the article, which focuses on "Comparative". That is, such a comparison is not the subject of this article, but "... adaptive modeling of multifactor threats using the fuzzy set theory and logic-linguistic analysis, which allows taking into account the insufficient certainty of parameters, the fragmentation of expert information, as well as the lack of a single picture of risks in complex infrastructure systems" which is noted at the very beginning.

 

Comments 3: There is no comparison with simpler approaches. Would a basic weighted scoring system produce similar results with less complexity?

Response 3:

This is not the first time that the author team has been working on the problem defined by the subject of the study. And this article is a logical continuation, based on a deepening of the research methodology. It is logical therefore that the previous results are not described (to avoid incorrect presentation of scientific texts), but only a reference to the source is indicated - the previous publication (the reference # 3 - Oleksandr Evgeniyovych, Korystin, Oleksandr, Korchenko, Svitlana, Kazmirchuk, Serhii, Demediuk, & Oleksandr Oleksandrovych, Korystin (2024). Comparative Risk Assessment of Cyber Threats Based on Average and Fuzzy Sets Theory, International Journal of Computer Network and Information Security (IJCNIS), 16 (1), 24-34. https://doi.org/10.5815/ijcnis.2024.01.02).

 

Comments 4: The paper provides no details about expert selection criteria, qualifications, or potential biases. This undermines the validity of the expert judgments that form the foundation of the approach.

Response 4:

The specified expert group conducted the research on behalf of the Apparatus of the National Security and Defense Council of Ukraine; therefore, the expert involvement for both risk identification and their further assessment consisted of relevant specialists in this field. The survey was attended by specialists from all segments of critical infrastructure. The qualitative analysis of the expert sample has been sufficiently analyzed in the authors' previous publications (e.g. Oleksandr Korystin, Nataliia Svyrydiuk and Olena Mitina. Risk Forecasting of Data Confidentiality Breach Using Linear Regression Algorithm. I. J. Computer Network and Information Security, 2022, 4, 1-13. DOI:10.5815/ijcnis.2022.04.01.)

 

Comments 5: The selection of trapezoidal fuzzy numbers and specific interval ranges appears arbitrary. No justification is provided for these critical design decisions.

Response 5:

The proposed approach describes the processes in general terms and is not focused on specific fuzzy numbers and ranges. The method is illustrated by the example of trapezoidal (although triangular ones can also be used) fuzzy numbers with specific ranges. These ranges have been determined in previous studies, which allows obtaining new results under the same conditions. The obtained new results do not contradict the previously obtained ones, but complement (specify) them, as noted in the Conclusions section.

 

Comments 6: The authors claim their method improves decision-making but provide no evidence of actual improvement in security outcomes.

Response 6:

The authors consider the efficiency through the improvement in the accuracy of risk level calculation that is possible based on the proposed approach. This is discussed in the Conclusions section.

 

Comments 7: Despite proposing a computational method, no code or tools are provided. This makes independent verification impossible.

Response 7:

Based on the proposed method, the authors developed a corresponding software model of the system (materials for obtaining copyright are at the stage of registration). All control calculations have been implemented manually, and also verified with the results of calculations for the system software model (this confirms the adequacy of the model's functioning) and are given in specific examples in the article. By analogy with the examples that explain each formula, each result provided in the work can be easily reproduced manually. Thus, an independent check can be carried out.

 

Comments 8: How does the method perform with larger numbers of threats or experts? The computational complexity is not discussed.

Response 8:

The verification of the proposed method has been carried out on solving tasks that do not require high performance, unlike processes that need to be in real time. Therefore, a large number of threats and experts will not affect the effectiveness of the method.

 

Reviewer 3 Report

Comments and Suggestions for Authors

This manuscript proposes a nine-stage, scientifically grounded approach for assessing cybersecurity risks to the critical national infrastructure that supports smart regions, particularly under conditions of uncertainty and hybrid threats. The core of the methodology leverages fuzzy set theory and logic-linguistic analysis to process subjective expert judgments, which were collected via a questionnaire from 298 respondents. The method involves threat identification, expert assessment, fuzzification, calculation of fuzzy risk values, and comparison against predefined benchmarks using the Generalized Hamming Distance (GHD) to determine a final risk level. The authors apply this framework to 21 hybrid cyber threats relevant to Ukraine, interpreting the results to prioritize threats and inform strategic resource allocation for enhancing cyber resilience and sustainable development.

  1. The manuscript introduces a detailed fuzzy logic-based method but fails to adequately justify its superiority over existing approaches. While the introduction mentions that current threat models struggle with incomplete or ambiguous data, the paper does not substantiate this claim with a critical analysis of specific limitations in other models. The authors state their method improves upon one using average values, but a direct, quantitative comparison is never presented.

    • The authors must include a dedicated subsection in "Materials and Methods" that explicitly compares their proposed fuzzy model with at least two other state-of-the-art (SOTA) risk assessment frameworks (e.g., a probabilistic model, a purely qualitative matrix-based model, or the average-value model mentioned from reference [3]). This comparison should use the same expert data to demonstrate tangible advantages in terms of sensitivity, stability, or granularity of results.

  2. The validity of the entire framework rests on a single expert survey and a fixed set of fuzzy parameters. The results are presented without any validation against real-world data or alternative analytical methods. Furthermore, the stability of the model's output is not tested.

    • The authors should perform and present a Sensitivity Analysis. For example, they should demonstrate how the final risk rankings change if the trapezoidal membership functions (Figures 1, 2, 3) are altered (e.g., widened, narrowed, or shifted) or if a different type of function (e.g., triangular) is used. This is crucial for proving that the results are robust and not merely an artifact of the initial parameter choices. An Ablation Study, where key stages of the method are systematically removed or simplified, would also strengthen the paper by isolating the contribution of each component.

  3. The "expert group" that developed the questionnaire and the 298 respondents who participated are central to the study's empirical basis. However, the manuscript provides no details about their qualifications, professional backgrounds (e.g., industry, academia, government), or the process used to ensure a lack of bias. This opacity undermines the credibility of the input data.

    • A detailed description of the expert panel and respondent demographics must be added. This should include their years of experience, areas of expertise, and the recruitment process. The questionnaire itself should be included as a supplementary material for transparency.

  1. The manuscript suffers from a confusing structure and significant content repetition.

    • Section 4 is titled "Results" but contains a lengthy discussion on mobile infrastructure, SDGs, and a detailed 36-month implementation roadmap. This material does not represent the direct results of the fuzzy assessment and belongs in a "Discussion" or "Practical Implications" section.

    • The subsequent section, also labeled "4. Discussion" (a typographical error, should be 5), re-explains the nine-stage method and its theoretical significance, which is redundant.

    • The "Conclusions" section (mislabeled as 5) also re-summarizes the method [940-944].

      • The manuscript must be restructured significantly.

        • Section 1 (Introduction): Add distinct "Motivations" and "Contributions" subsections. The former should clearly articulate the specific gaps in existing cyber risk models, and the latter should list the novel contributions of this work in bullet points.

        • Section 4 (Results): This section should focus exclusively on presenting the outcomes of the 9-stage method for all 21 threats (e.g., final risk scores, rankings, and key visualizations). The justification for detailing only the first four threats in Figure 4 is unclear and should be explained or expanded.

        • Section 5 (Discussion): This section should interpret the findings from Section 4. It should include the comparative analysis against SOTA methods, the sensitivity analysis, a thorough discussion of the model's limitations, and the broader implications (the roadmap, SDG alignment, and managerial applications).

        • Section 6 (Conclusion): This should be a concise summary of the key findings and contributions, avoiding repetition of the methodology.

  2. Key acronyms are used without prior definition, hindering comprehension for a broader audience. For instance, "CSS" is first used in the context of "hybrid threats performed in Ukraine in the CSS" but is never defined.

    • All acronyms (CSS, LALM, GHD, etc.) must be explicitly defined upon their first appearance in the text. This is a standard requirement for scientific publications.

  1. A critical scientific paper must transparently acknowledge the limitations of its own methodology. This manuscript fails to do so. Potential limitations include the subjectivity inherent in expert surveys, the scalability of the 9-stage process to thousands of threats, and the model's static nature (it assesses risk at a single point in time).

    • A dedicated subsection titled "Limitations and Future Work" should be added to the Discussion section. This should candidly address the potential weaknesses of the fuzzy approach and the reliance on expert opinion, and outline specific directions for future research to overcome these limitations.

This manuscript addresses a timely and important problem: applying a structured, uncertainty-aware methodology to cyber risk assessment for critical infrastructure. The nine-stage fuzzy method is detailed and appears methodologically sound on the surface.

However, the paper in its current form is not suitable for publication due to several major flaws:

  1. Lack of Scientific Rigor: The work is critically undermined by the complete absence of a comparative analysis with state-of-the-art methods and the lack of validation or sensitivity analysis. The claims of the method's superiority are unsubstantiated.

  2. Poor Structure and Presentation: The manuscript is poorly organized, with misplaced content, significant repetition, and unclear sectioning. This makes the paper difficult to follow and obscures its core contributions.

  3. Insufficient Detail on Experimental Setup: The credibility of the findings is questionable without transparency regarding the expert data source.

While the topic is relevant and the proposed method is interesting, the paper reads more like a technical report than a validated scientific study. Substantial revisions, including new analyses and a complete restructuring, are required to meet the standards of a peer-reviewed academic journal.

Comments on the Quality of English Language

The manuscript's language is often dense, verbose, and contains grammatical errors, which impedes readability. The technical tone is inconsistent, and the logical flow between paragraphs is sometimes weak.

  • The entire manuscript requires comprehensive professional language editing by a native English speaker with expertise in the field. Sentences should be shortened, and jargon should be used precisely. For example, the abstract is too long and could be condensed to be more impactful.
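The two checks requested in the reports above (Reviewer 1, comment 4, on the dispersion of expert assessments; Reviewer 3, on sensitivity to the membership functions) can be sketched as follows. This is an added example, not the authors' software model or the reviewers' code. The benchmark trapezoids, the expert scores, the fuzzification rule (mean ± population standard deviation with a fixed margin) and the distance (sum of absolute differences of the four trapezoid parameters, used here as the Generalized Hamming Distance) are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed reference terms on a 0-100 risk scale, each a trapezoid (a, b, c, d).
# Assumed for illustration; these are not the benchmark values from the paper.
BENCHMARKS = {
    "low": (0.0, 0.0, 20.0, 40.0),
    "medium": (20.0, 40.0, 60.0, 80.0),
    "high": (60.0, 80.0, 100.0, 100.0),
}

# Constructed expert panels (scores on the same 0-100 scale).
PANELS = {
    "consensus": [50, 55, 60, 55, 55],   # experts agree, mean 55
    "split": [30, 30, 80, 80, 55],       # same mean 55, experts disagree
    "borderline": [65, 70, 70, 68, 67],  # tight panel close to a term boundary
}

# Perturbations of the reference terms asked for in a sensitivity analysis.
VARIANTS = {
    "baseline": {},
    "widened": {"scale": 1.25},
    "narrowed": {"scale": 0.75},
    "shifted": {"shift": 5.0},
}


def clip(x, lo=0.0, hi=100.0):
    """Keep a trapezoid parameter inside the risk scale."""
    return max(lo, min(hi, x))


def spread(scores):
    """Population standard deviation of the expert scores."""
    return pstdev(scores)


def fuzzify(scores, margin=10.0):
    """Assumed rule: core = mean ± stdev, support = core ± margin."""
    m, s = mean(scores), spread(scores)
    return tuple(clip(v) for v in (m - s - margin, m - s, m + s, m + s + margin))


def ghd(x, y):
    """Assumed distance: sum of absolute differences of the four parameters."""
    return sum(abs(p - q) for p, q in zip(x, y))


def classify(trap, benchmarks=BENCHMARKS):
    """Return the reference term closest to the fuzzified assessment."""
    return min(benchmarks, key=lambda name: ghd(trap, benchmarks[name]))


def reshape(benchmarks, scale=1.0, shift=0.0):
    """Scale every reference trapezoid about the centre of its core, then shift it."""
    out = {}
    for name, (a, b, c, d) in benchmarks.items():
        centre = (b + c) / 2
        out[name] = tuple(
            clip(centre + (v - centre) * scale + shift) for v in (a, b, c, d)
        )
    return out


def sensitivity(scores):
    """Risk label of one panel under every variant of the reference terms."""
    trap = fuzzify(scores)
    return {
        variant: classify(trap, reshape(BENCHMARKS, **kwargs))
        for variant, kwargs in VARIANTS.items()
    }


def is_stable(scores):
    """True when the label does not depend on the variant."""
    return len(set(sensitivity(scores).values())) == 1


if __name__ == "__main__":
    for name, scores in PANELS.items():
        print(f"{name:10s} spread={spread(scores):5.2f} "
              f"stable={is_stable(scores)} labels={sensitivity(scores)}")
```

With these constructed inputs the consensus and split panels receive the same baseline label although their spread differs by a factor of about seven, and the borderline panel changes label when the reference terms are narrowed or shifted.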

Author Response

Comments 1: The manuscript introduces a detailed fuzzy logic-based method but fails to adequately justify its superiority over existing approaches. While the introduction mentions that current threat models struggle with incomplete or ambiguous data, the paper does not substantiate this claim with a critical analysis of specific limitations in other models. The authors state their method improves upon one using average values, but a direct, quantitative comparison is never presented.

Response 1:

This is not the first time that the author team has been working on the problem defined by the subject of the study. Moreover, this manuscript is a logical continuation, based on a deepening of the research methodology. It is logical therefore that the previous results are not described (to avoid incorrect presentation of scientific texts), but only a reference to the source is indicated - the previous publication (the reference # 3 - Oleksandr Evgeniyovych, Korystin, Oleksandr, Korchenko, Svitlana, Kazmirchuk, Serhii, Demediuk, & Oleksandr Oleksandrovych, Korystin (2024). Comparative Risk Assessment of Cyber Threats Based on Average and Fuzzy Sets Theory, International Journal of Computer Network and Information Security (IJCNIS), 16 (1), 24-34. https://doi.org/10.5815/ijcnis.2024.01.02).

Therefore, the justification of the advantage of the used method and the limitations of other systems is contained in the article, which focuses on "Comparative". That is, such a comparison is not the subject of this manuscript, but "...modeling of multifactor threats using the fuzzy set theory and logic-linguistic analysis, which allows taking into account the insufficient certainty of parameters, the fragmentation of expert information, as well as the lack of a single picture of risks in complex infrastructure systems" which is noted at the very beginning.

 

Comments 2: The validity of the entire framework rests on a single expert survey and a fixed set of fuzzy parameters. The results are presented without any validation against real-world data or alternative analytical methods. Furthermore, the stability of the model's output is not tested.

Response 2:

The empirical basis of the analytical study is based on the same data set as in the authors' previous publications. These publications note the reliability of the sample and the representativeness of the conclusions based on them. Some of the authors' articles on these issues are as follows: (Korystin Oleksandr, Svyrydiuk Nataliia, Alexander Vinogradov "The Use of Sociological Methods in Criminological Research". The proceedings series Advances in Social Science, Education and Humanities Research: Social Science, Psychology and Legal Regulation (SPL 2021). Atlantis Press, 2021. 10.2991/assehr.k.211218.001).

In addition, issues related to the use of different types of functions when implementing the fuzzification operation, as well as their properties of decay, growth, uniformity and non-uniformity (expansion, contraction, displacement) have been studied in detail by the authors in the monograph. (https://er.nau.edu.ua/server/api/core/bitstreams/9c00d285-8b50-46d1-967d-5f5dc82d1205/content - Ukrainian language).

 

Comments 3: The "expert group" that developed the questionnaire and the 298 respondents who participated are central to the study's empirical basis. However, the manuscript provides no details about their qualifications, professional backgrounds (e.g., industry, academia, government), or the process used to ensure a lack of bias. This opacity undermines the credibility of the input data.

Response 3:

The specified expert group conducted the research on behalf of the Apparatus of the National Security and Defense Council of Ukraine; therefore, the expert involvement for both risk identification and their further assessment consisted of relevant specialists in this field. The survey was attended by specialists from all segments of critical infrastructure. The qualitative analysis of the expert sample has been sufficiently analyzed in the authors' previous publications (e.g. Oleksandr Korystin, Nataliia Svyrydiuk and Olena Mitina. Risk Forecasting of Data Confidentiality Breach Using Linear Regression Algorithm. I. J. Computer Network and Information Security, 2022, 4, 1-13. DOI:10.5815/ijcnis.2022.04.01.)

 

Comments 4: The manuscript suffers from a confusing structure and significant content repetition.

Response 4:

The typographical error regarding section numbering has been corrected.

The structure of the manuscript that is used in the study is traditional for articles of this nature, and there is no substantial repetition of the material. There are only framework reminders and accents, for example, regarding the 9 stages of analysis: in the section "Proposed Method" there is a detailed presentation of the formalized methodology with the calculation of results at all stages of the analysis, further stages are mentioned when comparing them with the international frameworks ISO31000 and NIST CSF, and logically in the sections "Discussion" and "Conclusions".

The authors performed all the necessary calculations and graphical interpretations of the results, but did not see the point in burdening the article with the same type of data, for example, graphs (Fig. 4) are presented not for all 21 threats, but only for the first four, which, in the opinion of the authors, is sufficient to visually demonstrate the position of the current risk value of the corresponding threat relative to the reference values.

At the same time, the suggestion to partially move practical recommendations from the "Results" section to the "Discussion" section is correct.

 

Comments 5: Key acronyms are used without prior definition, hindering comprehension for a broader audience. For instance, "CSS" is first used in the context of "hybrid threats performed in Ukraine in the CSS" but is never defined.

Response 5:

All acronyms have been explained according to the reviewer's comments.

 

Comments 6: A critical scientific paper must transparently acknowledge the limitations of its own methodology. This manuscript fails to do so. Potential limitations include the subjectivity inherent in expert surveys, the scalability of the 9-stage process to thousands of threats, and the model's static nature (it assesses risk at a single point in time).

Response 6:

The author's opinion is based on direct applied research results, and not on the criticality of the theoretical substantiation of the own analysis model used. The authors do not claim to have theoretical innovations as the subject of criticism of their proposal.

The novelty of the publication, first of all, focuses on possible interpretations of existing methods and approaches to risk assessment, the accuracy of the reflection of these processes. This is very important in further management decisions. A criticality in this case is subordinate to compliance with the international frameworks ISO31000 and NIST.

 

Comments 7: This manuscript addresses a timely and important problem: applying a structured, uncertainty-aware methodology to cyber risk assessment for critical infrastructure. The nine-stage fuzzy method is detailed and appears methodologically sound on the surface.

However, the paper in its current form is not suitable for publication due to several major flaws:

  1. Lack of Scientific Rigor: The work is critically undermined by the complete absence of a comparative analysis with state-of-the-art methods and the lack of validation or sensitivity analysis. The claims of the method's superiority are unsubstantiated.
  2. Poor Structure and Presentation: The manuscript is poorly organized, with misplaced content, significant repetition, and unclear sectioning. This makes the paper difficult to follow and obscures its core contributions.
  3. Insufficient Detail on Experimental Setup: The credibility of the findings is questionable without transparency regarding the expert data source.

Response 7:

Regarding the lack of the comparative analysis, validation, sensitivity analysis, etc.: the author's approach sufficiently takes into account the comparative analysis with both international frameworks and standards and methods that are analyzed in the previous publication (the reference # 3 - Oleksandr Evgeniyovych, Korystin, Oleksandr, Korchenko, Svitlana, Kazmirchuk, Serhii, Demediuk, & Oleksandr Oleksandrovych, Korystin (2024). Comparative Risk Assessment of Cyber Threats Based on Average and Fuzzy Sets Theory, International Journal of Computer Network and Information Security (IJCNIS), 16 (1), 24-34. https://doi.org/10.5815/ijcnis.2024.01.02).

 

Comments 8: The manuscript's language is often dense, verbose, and contains grammatical errors, which impedes readability. The technical tone is inconsistent, and the logical flow between paragraphs is sometimes weak.

Response 8:

The manuscript's language has been revised and improved.

Round 2

Reviewer 3 Report

Comments and Suggestions for Authors

The authors have adequately addressed my comments, and the manuscript is ready for publication now.
