Impact of Critical Infrastructure Cyber Security on the Sustainable Development of Smart Cities: Insights from Internal Specialists and External Information Security Auditors
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
This study aims to describe and assess the impact of critical infrastructure cyber-security issues on the sustainable development of smart cities.
Issues:
1. In this paper, the use of some abbreviations is not standardized. Many abbreviations have already been defined, but they have been redefined later in the text.
2. Of course, there are still some abbreviations that have not been defined, such as PM² and NIS2.
3. In Page 2, some sentences lack punctuation marks. The author needs to check this issue, including other parts of the paper.
4. In scientific writing, all equations need to be numbered. Furthermore, each variable should be represented in italics and must be defined or explained. These issues are present in this paper. Also, are there any incorrect subscripts for these variables?
5. I suggest that the discussion can be considered as a separate section.
6. In addition, the literature review can be improved, since the paper is strongly related to the security of cyber-physical systems. I suggest the authors review the following paper:
Z. Yu, H. Gao, X. Cong, N. Wu and H. H. Song, "A Survey on Cyber–Physical Systems Security," IEEE Internet of Things Journal, vol. 10, no. 24, pp. 21670–21686, 15 Dec. 2023, doi: 10.1109/JIOT.2023.3289625.
Author Response
Thank you for your thoughtful comments and suggestions. We appreciate your review and the opportunity to clarify several aspects of our study. Below, we address the specific concerns raised:
- Abbreviations: Thank you for pointing this out. The abbreviations have been reviewed and corrected. You can find the updated definitions in Section 1.2 of the text (highlighted in blue).
- PM² and NIS2 Abbreviations: The definitions for PM² and NIS2 have also been added and clarified in the revised version of the paper (highlighted in blue).
- Punctuation Issues on Page 2: All punctuation issues on page 2 and throughout the text have been carefully reviewed and corrected (highlighted in blue).
- Literature Review: Thank you for highlighting this point. The literature review has been updated, and relevant references have been added to strengthen the paper (highlighted in blue).
Author Response File: Author Response.pdf
Reviewer 2 Report
Comments and Suggestions for Authors
The manuscript comprehensively discusses the importance of PayTech technologies from a security perspective. The authors conducted a survey and collected data from multiple organization leaders. The results are well discussed. However:
- All the cited contributions are basic security practices already approved by several standards, such as the ISO 27000 series. What does your survey add as new practices that do not already exist in security standards?
- The second contribution: "Identify the need for the integration of regulatory frameworks to establish a unified cybersecurity standard." My question is, what do current standards lack based on your survey? In the discussion section, the authors do not mention new practices that are not included in current standards.
I recommend the authors limit the contribution to providing current organizations' applied security practices compared to what they should do based on security standards such as the ISO 27000 series. Or, add new practices and baselines to enforce the organization in applying security standards.
Author Response
Thank you for your thoughtful comments and suggestions. We appreciate your review and the opportunity to clarify several aspects of our study. Below, we address the specific concerns raised:
Question 1: All the cited contributions are basic security practices already approved by several standards, such as the ISO 27000 series. What does your survey add as new practices that do not already exist in security standards?
Response: Standards such as ISO 27000 set a general framework for safety management, but do not take into account the differing views and priorities of internal and external stakeholders. We found that internal professionals (e.g. CISOs) focus on protecting reputation and operational continuity, while external auditors emphasise compliance. These differences can make coordination difficult if they are not accounted for. Our findings suggest that companies should consider these differences when developing integrated cyberattack recovery strategies.
2. Emphasising the role of reputation management (H1): While standards such as ISO 27000 address the general principles of incident management, they do not adequately address the use of reputation management tools. We have shown that reputation tools can partially compensate for financial losses after cyberattacks, especially in the context of publicly traded companies. This finding emphasises the need to incorporate reputational tools into strategic cyber resilience planning.
Standards such as ISO 27000 do not address the cross-border role of international organisations such as the EU in critical infrastructure protection. We investigated how EU involvement affects the protection of infrastructure located outside its jurisdiction but owned by European companies. This allows for the development of new approaches to cross-border coordination and risk management.
Modifications made: Sections 1 and 4 have additional changes highlighted in red.
Question 2: The second contribution: "Identify the need for the integration of regulatory frameworks to establish a unified cybersecurity standard." My question is, what do current standards lack based on your survey? In the discussion section, the authors do not mention new practices that are not included in current standards.
Response: Our research has identified several key aspects that are not fully covered by current standards such as ISO 27000 and other international regulatory frameworks:
- Addressing the different perceptions and priorities of internal and external professionals: Standards focus on processes and technology, but rarely take into account differences in task perceptions between internal stakeholders (e.g. CISOs) and external auditors. These differences can hinder effective implementation of the standards in practice.
- Reputation management as an element of cyber resilience: Existing standards tend to focus on the technical side of recovering from cyberattacks. However, our analysis shows that reputation management plays a key role in restoring the trust of customers and partners after incidents. This aspect is undervalued in current standards.
- Cross-border coordination and the role of the EU: The standards do not provide mechanisms for effective collaboration between countries and organisations across jurisdictions. Our study emphasises the need to strengthen cross-border coordination, especially in the context of protecting infrastructure owned by the EU but located outside its borders.
Modifications made: Section 6 has additional changes highlighted in red.
We thank the reviewer for the recommendation. Our study already includes an analysis of existing standards (e.g. ISO 27000) and identifies aspects that need to be further developed. In particular, we emphasise the following shortcomings:
Differences in approach between internal and external specialists that are not addressed in the standards.
Insufficient role of reputation management as an element of cyber resilience.
Lack of mechanisms for cross-border coordination.
In addition, we offer practical recommendations that can be added to existing standards, including:
Integrating reputation tools into recovery strategies.
Developing mechanisms to harmonise the actions of actors.
Enhancing cross-border coordination to protect critical infrastructure.
In this way, our work not only complements current standards, but also proposes specific new practices to strengthen them.
Author Response File: Author Response.pdf
Reviewer 3 Report
Comments and Suggestions for Authors
This study presents the results of anonymous questionnaires that were sent to two groups of participants: internal and external employees of critical infrastructure companies.
In total, 120 participants from 3 companies participated in the research: Mall Group (Czech Republic), Worldline S.A. (Belgium) and Advantio Ltd (Ireland).
So the first issue with the work is the very small number of participants.
The authors have two research questions:
RQ1: Do internal stakeholders (investor relations, reputation management, and Chief Information Security Officers) and external auditors differ in their viewpoints on recovery strategies following cyber-attacks?
RQ2: Do internal stakeholders (investor relations, reputation management, and Chief Information Security Officers) and external auditors differ in their viewpoints on reputation defense and the role that the European Union (EU) has outside its jurisdiction in protection from cyber-attacks?
It is not clear why those research questions are important. For example, is there any harm in having different viewpoints from internal and external employees, if any?
Why is it essential to consider the viewpoints of EU companies on cyber-attacks outside EU jurisdiction?
And three hypotheses:
H0: There are discernible differences in the perceptions of specialists' roles in the recovery of cyber-attacks among investor relations (IR), reputation management (RM) and CISO (Chief Information Security Officer) specialists, and external information security auditors.
H1: The presence of reputation management tools can help restore the reputation of the company and, simultaneously, restore the value of its shares.
H2: Active intervention by the European Union (EU) is imperative to safeguard critical infrastructure entities based outside the EU from cyber-attack.
The questionnaires contained only 7 questions, which is another concern about the quality of the work done. The developed questionnaires are too simple; for example, there were no multiple questions covering the same aspect of the work from different perspectives to give a more complex view of the hypotheses and research questions.
In the conclusion, it is mentioned that, according to the results, H0 is not true, H1 was partially true, while H3 was stated as true, but "out of EU jurisdiction" was changed to "EU critical infrastructure located abroad".
Overall, the work done looks unfinished and preliminary. It is recommended to improve the approach and conduct a survey with more questions among many more companies and participants.
It is especially important to include those companies that have dealt with cyberattacks, suffered reputation damage and used reputation management tools to recover.
Author Response
Thank you for your thoughtful comments and suggestions. We appreciate your review and the opportunity to clarify several aspects of our study. Below, we address the specific concerns raised:
Question 1: Sample Size and Participant Selection
Response:
- We acknowledge the reviewer's concern regarding the sample size of 120 participants across 3 companies. However, we emphasize the specialized nature of the PayTech industry and the stringent requirements for certification and compliance, particularly in the domain of online payments and cybersecurity standards. The survey is deliberately limited to professionals with a high level of competence in order to ensure the reliability and accuracy of the estimates obtained. This approach avoids subjective and insufficiently substantiated answers characteristic of less qualified respondents.
- The selected companies, Mall Group (Czech Republic), Worldline S.A. (Belgium), and Advantio Ltd (Ireland), are leaders in the PayTech sector, and their operations have a global reach, particularly in the European market. These companies represent critical infrastructure, handling vast volumes of financial transactions and payment processing.
  - Mall Group: One of the largest e-commerce platforms in the Czech Republic, managing thousands of transactions daily.
  - Worldline S.A.: A multinational corporation processing 90% of payments in Belgium and operating widely across Europe.
  - Advantio Ltd: A specialized cybersecurity company responsible for certification and compliance auditing in the PayTech industry, issuing licenses necessary for conducting online transactions and ensuring regulatory compliance.
- The inclusion of both internal stakeholders (e.g., CISOs, reputation managers) and external auditors reflects the diverse perspectives critical to understanding cybersecurity preparedness, recovery strategies, and reputation management.
Modifications made: Sections 1 and 6 have additional changes highlighted in green.
Question 2: The authors have two research questions: RQ1, RQ2. It is not clear why those research questions are important. For example, is there any harm in having different viewpoints from internal and external employees, if any?
Response:
- The research questions address critical gaps related to differences in perceptions between internal and external stakeholders regarding cyber-attack recovery strategies and the role of the European Union (EU) in protecting infrastructure located abroad.
- Understanding these differences is essential because misalignment in viewpoints can impact:
  - Crisis response effectiveness
  - Risk assessment methodologies
  - Coordination between internal teams and external auditors
  - Reputation management practices
- Specifically, financial services companies that are designated as critical infrastructure under EU law must comply with stringent cybersecurity requirements and work closely with EU authorities during cyber incidents.
RQ1: Differences in viewpoints between internal specialists (e.g., information security managers, reputation managers) and external auditors can significantly affect the following aspects:
- The effectiveness of recovery strategies: Internal specialists have a deeper understanding of the company's operational processes, which makes their approach more adapted to current conditions. However, external auditors bring an independent perspective based on common standards and best practices. Differences in these approaches can hamper consistency and slow the recovery process.
- Risk of underestimating threats: If internal and external experts have different perceptions of the scope or nature of threats, this can lead to inadequate preparation for cyberattacks.
- Coordination and teamwork: Coherence between internal and external parties is critical to responding quickly to incidents and minimising damage.
Thus, understanding these differences is necessary to develop integrated recovery strategies that bring together internal and external perspectives.
RQ2: The second research question concerns the EU's role in protecting critical infrastructure outside its jurisdiction. This has several key implications:
- The cross-border nature of threats: Cyberattacks often target companies operating outside the EU but with close ties to the European market. Protecting such infrastructure is important for the economic stability of the EU.
- Need for uniform standards: External auditors and internal specialists may have different perspectives on the need to comply with EU standards outside its jurisdiction. These differences may affect the implementation of security measures.
- Reputational risks: For companies operating in an international context, inconsistency in reputation management approaches can lead to a loss of trust from partners and customers.
In addition, the article provides a link to a source that substantiates the relevance of this issue: Leroy, I. (2022) 'The relationship between cyber-attacks and dynamics of company stock. The role of Reputation Management'. Int. J. Electronic Security and Digital Forensics, Vol. 3(1), 24–25. ISSN: 17519128.
Modifications made: Section 1.2 has additional changes highlighted in green.
Question 3: Hypothesis Testing and Findings
Response:
H0: Differences in the perceptions of cyber-attack recovery professionals (IR, RM, CISO) and external auditors are critical as they affect the alignment of response strategies, risk minimisation and reputation management. The study found that internal professionals emphasise reputational and operational aspects, while external auditors focus on compliance. These differences can hinder operational recovery if not addressed.
H1: Our hypothesis is based on the assumption that reputation tools mitigate reputational and financial risks. This is particularly important in the context of cyberattacks, where market reactions may be associated with a loss of trust. The results show that reputational tools help to partially offset losses in shareholder value, but their effectiveness requires further analysis.
H2: Hypothesis H2 has been adjusted to clarify its focus. It now refers to the need for EU involvement in the protection of critical infrastructure owned by EU companies but located outside its jurisdiction. Such companies play an important role in the global economy and their security affects the sustainability of the EU.
Modifications made: Section 3 has additional changes highlighted in green.
Question 4: Why is it essential to consider the viewpoints of EU companies on cyber-attacks outside EU jurisdiction?
Response: The consideration of EU companies' viewpoints on cyber-attacks outside EU jurisdiction is crucial for several reasons:
- Global Interconnectedness of Critical Infrastructure: Many companies based in the EU operate critical infrastructure and financial services globally. These companies rely on interconnected networks that transcend national and regional boundaries. A cyber-attack targeting operations outside the EU can have cascading effects on services and supply chains within the EU, ultimately affecting its economic stability and security.
- Protection of EU-Owned Assets Abroad: EU companies often own or manage critical infrastructure in regions outside the EU. For example, energy networks, PayTech systems, and logistics hubs operated by EU-based firms play a pivotal role in global trade and finance. The security of these assets is essential for maintaining the operational integrity and competitiveness of EU firms.
- Impact on the EU's Global Reputation: Cyber-attacks on EU entities abroad can harm the EU's reputation as a leader in regulatory and cybersecurity frameworks. By actively engaging in the protection of EU-owned infrastructure worldwide, the EU can demonstrate its commitment to fostering resilience in a globalized economy.
- Alignment of International Standards: Cybersecurity threats often exploit gaps in international regulations and enforcement. By addressing cybersecurity challenges beyond its jurisdiction, the EU can promote the adoption of robust security standards globally, which in turn strengthens protections for EU companies.
- Economic and Social Stability: Many EU companies provide critical services (e.g., financial transactions, digital payments, and energy) to regions outside the EU. Cyber-attacks on these services can disrupt local economies and communities, creating geopolitical instability that indirectly affects the EU's strategic interests.
Modifications made: Sections 1 and 3 have additional changes highlighted in green.
Question 5: Questionnaires contained only 7 questions, which is another concern about the quality of the work done…
Response: We thank you for your comment on the brevity of the questionnaire and seek to clarify our approach to its structure. The choice of the 7-question questionnaire was based on the following considerations:
- Use of the Likert scale: Our questionnaire is based on the Likert scale, which is widely used in social sciences to measure opinions and attitudes. It is a technique that produces standardised and reliable data even with a small number of questions. The Likert scale allows for a focus on specific aspects (e.g. cybersecurity and reputation management), which reduces the likelihood of subjective interpretation of the results. Research examples show that short questionnaires are effective for professional groups with limited time, such as auditors and IT specialists.
- Expert survey methodology: This research relies on the opinions of highly qualified experts, including CISOs and external auditors. The methodology of expert interviews justifies the use of short, structured questions because:
  - The experts are highly competent and do not require additional explanations.
  - The focus of the questionnaire allows key insights to be gathered without unnecessary complexity.
  - Approaches such as the Delphi method also involve the use of short questionnaires.
- Minimising cognitive load: We sought to minimise the cognitive load on respondents given their limited time. A simple questionnaire design avoided survey fatigue and increased participation rates. The use of 'Agree - Disagree' scales reduced the likelihood of perceptual errors and simplified data processing.
- Future improvements: We recognise that future research would benefit from expanding the questionnaire by adding questions that examine aspects of the hypotheses from different perspectives. This would allow for a deeper understanding of the issues under study.
Modifications made: Section 4 has additional changes highlighted in green.
The purpose of this study was to identify key differences in the approaches of internal and external professionals to cyberattack recovery and reputation management. The limited number of participants and companies was deliberately chosen to focus on an in-depth analysis of the views of highly qualified professionals.
At the same time, we agree that a larger sample, including more companies and participants, as well as an expanded questionnaire for more detailed analyses, is necessary to obtain broader and more reliable data.
Going forward, we are planning the next series of studies, which will include:
Increasing the sample to include companies from different geographies and industries, especially those with experience of cyber-attacks and reputation management.
Expanding the questionnaire with the addition of questions covering more aspects of reputation management and recovery from cyberattacks.
In-depth analysis of the long-term effectiveness of reputation management tools in the face of cyber threats.
We have highlighted this in the conclusion of our paper (highlighted in green).
Author Response File: Author Response.pdf
Round 2
Reviewer 1 Report
Comments and Suggestions for Authors
1. Although the authors made some modifications, the use of abbreviations in some parts is still not standardized. For example, the abbreviation Chief Information Security Officers (CISOs) has been defined many times.
2. In scientific writing, variable symbols should be written in italics. Therefore, the formulas in this paper need to be improved.
3. This reviewer does not find a letter that responds to all the previous questions from the reviewers. Thus, I cannot ensure whether all the questions are addressed by the authors. The authors should provide a letter that answers the questions of the reviewers point by point. The authors only answered part of the questions.
Comments on the Quality of English Language
The written English can be further improved.
Author Response
Dear Reviewer,
We sincerely thank you for carefully reviewing our manuscript and providing constructive feedback. Your comments have helped us improve the quality of the work and make it clearer and more compelling. We have carefully addressed all the comments and incorporated the necessary changes into the manuscript. In this document, you will find detailed responses to each of your questions and comments, as well as descriptions of the revisions made.
Remark 1: Although the authors made some modifications, the use of abbreviations in some parts is still not standardized. For example, the abbreviation Chief Information Security Officers (CISOs) has been defined many times.
Response: We have conducted a thorough review of the text to address the excessive use of abbreviations and their repeated definitions. The abbreviation "Chief Information Security Officers (CISOs)" has been expanded and explained only once in the appropriate section, as have some other abbreviations. In subsequent mentions, they are used without further expansion. These changes are aimed at improving readability and avoiding redundancy.
Remark 2: In scientific writing, variable symbols should be written in italics. Therefore, the formulas in this paper need to be improved.
Response: We have reviewed the use of variables in the formulas and made adjustments to ensure that the variables are italicized in accordance with the requirements of scientific writing style.
Remark 3: This reviewer does not find a letter that responds to all the previous questions from the reviewers. Thus, I cannot ensure whether all the questions are addressed by the authors. The authors should provide a letter that answers the questions of the reviewers point by point. The authors only answered part of the questions.
Response: Thank you for your comments and detailed recommendations, which you provided earlier. They have helped us improve the quality of the paper. We have carefully reviewed all your remarks and prepared a response to each point:
Use of Abbreviations:
Punctuation Errors on Page 2:
Formulas and Their Formatting:
Division of the 'Discussion' Section: Our research focuses on comparing the approaches of internal and external specialists to recovering from cyberattacks, as well as analyzing their interaction and role in ensuring the sustainable development of smart cities. In this case, 'Discussion' and 'Conclusion' are closely linked, as the conclusions directly follow from the analysis of the presented data and lead to practical recommendations. Separating these parts might disrupt the logical flow, which is crucial for comprehensive understanding. The study is application-oriented, where conclusions about the necessity of collaboration between internal and external specialists are based on the analysis of their interaction. Such separation could weaken the emphasis on key aspects and practical recommendations. To enhance the clarity and accessibility of the key findings, we have included a table in the 'Conclusion and Discussion' section. This table consolidates the primary results of the study, including its scientific novelty, practical significance, achieved objectives, and recommendations for future research. The table is highlighted in red for ease of review.
Literature Review:
We hope that the revised version of the manuscript meets your expectations.
Sincerely,
The Authors
Author Response File: Author Response.pdf
Reviewer 2 Report
Comments and Suggestions for Authors
The authors have satisfactorily addressed my concerns.
Author Response
Dear Reviewer,
Thank you for your positive feedback and for confirming that we have satisfactorily addressed your concerns. We truly appreciate your time and valuable recommendations, which have helped us improve our paper.
Sincerely,
The Authors
Reviewer 3 Report
Comments and Suggestions for Authors
The authors addressed most of the concerns in my previous review and convinced me that, even with existing drawbacks, their work is valid and provides a contribution to the research field.
To finalize the manuscript, I recommend adding a table with the final conclusions from the survey, so they can be consolidated in one place.
Author Response
Dear Reviewer,
Thank you for your insightful suggestion to include a table summarizing the main conclusions from the survey. We agree that consolidating the findings in a single table enhances the clarity and accessibility of the key results.
In response to your recommendation, we have added a table to the revised manuscript, which is highlighted in red for your convenience. This table summarizes the main aspects of the study, including its scientific novelty, practical significance, achieved objectives, and recommendations for future research. The table ensures that the conclusions are presented in a structured and concise format, making them easily accessible to readers.
We appreciate your valuable feedback, which has helped improve the overall quality and presentation of our paper. Should you have any further suggestions or need additional clarifications, we are happy to address them.
Sincerely,
The Authors
Author Response File: Author Response.pdf
Round 3
Reviewer 1 Report
Comments and Suggestions for Authors
The authors have answered all the questions of this reviewer well.