Impact of Critical Infrastructure Cyber Security on the Sustainable Development of Smart Cities: Insights from Internal Specialists and External Information Security Auditors

Question

Response

Modifications made

1. All the cited contributions are basic security practices already approved by several standards, such as the ISO 27000 series. What does your survey add as new practices that are not already existing in security standards?

Standards such as ISO 27000 set a general framework for safety management, but do not take into account the differing views and priorities of internal and external stakeholders.

We found that internal professionals (e.g. CISOs) focus on protecting reputation and operational continuity, while external auditors emphasise compliance. These differences can make coordination difficult if they are not accounted for.

Our findings suggest that companies should consider these differences when developing integrated cyberattack recovery strategies.

While standards such as ISO 27000 address general incident management principles, they do not adequately emphasise the use of reputation management tools.

2. Emphasising the role of reputation management (H1):

While standards such as ISO 27000 address the general principles of incident management, they do not adequately address the use of reputation management tools.

We have shown that reputation tools can partially compensate for financial losses after cyberattacks, especially in the context of publicly traded companies.

This finding emphasises the need to incorporate reputational tools into strategic cyber resilience planning.

Standards such as ISO 27000 do not address the cross-border role of international organisations such as the EU in critical infrastructure protection.

We investigated how EU involvement affects the protection of infrastructure located outside its jurisdiction but owned by European companies.

This allows for the development of new approaches to cross-border coordination and risk management.

Sections 1 and 4 have additional changes highlighted in red color

2. The second contribution: "Identify the need for the integration of regulatory frameworks to establish a unified cybersecurity standard." My question is, what do current standards lack based on your survey? In the discussion section, the authors do not mention new practices that are not included in current standards.

Our research has identified several key aspects that are not fully covered by current standards such as ISO 27000 and other international regulatory frameworks:

Addressing the different perceptions and priorities of internal and external professionals:

Standards focus on processes and technology, but rarely take into account differences in task perceptions between internal stakeholders (e.g. CISOs) and external auditors. These differences can hinder effective implementation of the standards in practice.

Reputation management as an element of cyber resilience:

Existing standards tend to focus on the technical side of recovering from cyberattacks. However, our analysis shows that reputation management plays a key role in restoring the trust of customers and partners after incidents. This aspect is undervalued in current standards.

Cross-border coordination and the role of the EU:

The standards do not provide mechanisms for effective collaboration between countries and organisations across jurisdictions. Our study emphasises the need to strengthen cross-border coordination, especially in the context of protecting infrastructure owned by the EU but located outside its borders.

Section 6 have additional changes highlighted in red color

Question

Response

Modifications made

1. Sample Size and Participant Selection:

– We acknowledge the reviewer’s concern regarding the sample size of 120 participants across 3 companies. However, we emphasize the specialized nature of the PayTech industry and the stringent requirements for certification and compliance, particularly in the domain of online payments and cybersecurity standards. The survey is deliberately limited to professionals with a high level of competence in order to ensure the reliability and accuracy of the estimates obtained. This approach avoids subjective and insufficiently substantiated answers characteristic of less qualified respondents.

– The selected companies—Mall Group (Czech Republic), Worldline S.A. (Belgium), and Advantio Ltd (Ireland)—are leaders in the PayTech sector, and their operations have a global reach, particularly in the European market. These companies represent critical infrastructure, handling vast volumes of financial transactions and payment processing.

Mall Group—One of the largest e-commerce platforms in the Czech Republic, managing thousands of transactions daily.

Worldline S.A.—A multinational corporation processing 90% of payments in Belgium and operating widely across Europe.

Advantio Ltd—A specialized cybersecurity company responsible for certification and compliance auditing in the PayTech industry, issuing licenses necessary for conducting online transactions and ensuring regulatory compliance.

– The inclusion of both internal stakeholders (e.g., CISOs, reputation managers) and external auditors reflects the diverse perspectives critical to understanding cybersecurity preparedness, recovery strategies, and reputation management.

Sections 1 and 6 have additional changes highlighted in green color

2. The authors have two research questions:

RQ1:

RQ2:

It is not clear why those research questions are important. For example, is there any harm in having different viewpoints from internal and external employees, if any?

- The research questions address critical gaps related to differences in perceptions between internal and external stakeholders regarding cyber-attack recovery strategies and the role of the European Union (EU) in protecting infrastructure located abroad.

- Understanding these differences is essential because misalignment in viewpoints can impact:

- Crisis response effectiveness

- Risk assessment methodologies

- Coordination between internal teams and external auditors

- Reputation management practices

- Specifically, financial services companies that are designated as critical infrastructure under EU law must comply with stringent cybersecurity requirements and work closely with EU authorities during cyber incidents.

RQ1:

Differences in viewpoints between internal specialists (e.g., information security managers, reputation managers) and external auditors can significantly affect the following aspects:

The effectiveness of recovery strategies:

Internal specialists have a deeper understanding of the company's operational processes, which makes their approach more adapted to current conditions. However, external auditors bring an independent perspective based on common standards and best practices. Differences in these approaches can hamper consistency and slow the recovery process.

Risk of underestimating threats:

If internal and external experts have different perceptions of the scope or nature of threats, this can lead to inadequate preparation for cyberattacks.

Coordination and teamwork:

Coherence between internal and external parties is critical to responding quickly to incidents and minimising damage.

Thus, understanding these differences is necessary to develop integrated recovery strategies that bring together internal and external perspectives.

RQ2:

The second research question concerns the EU's role in protecting critical infrastructure outside its jurisdiction. This has several key implications:

The cross-border nature of threats:

Cyberattacks often target companies operating outside the EU but with close ties to the European market. Protecting such infrastructure is important for the economic stability of the EU.

Need for uniform standards:

External auditors and internal specialists may have different perspectives on the need to comply with EU standards outside its jurisdiction. These differences may affect the implementation of security measures.

Reputational risks:

For companies operating in an international context, inconsistency in reputation management approaches can lead to a loss of trust from partners and customers.

In addition, the article provides a link to a source that substantiates the relevance of this issue

Leroy, I. (2022) ‘The relationship between cyber-attacks and dynamics of company stock. The role of Reputation Management’. Int. J. Electronic Security and Digital Forensics, Vol. 3(1), 24–25. ISSN: 17519128

Section 1.2 have additional changes highlighted in green color

3. Hypothesis Testing and Findings

H0:

Differences in the perceptions of cyber-attack recovery professionals (IR, RM, CISO) and external auditors are critical as they affect the alignment of response strategies, risk minimisation and reputation management. The study found that internal professionals emphasise reputational and operational aspects, while external auditors focus on compliance. These differences can hinder operational recovery if not addressed.

H1:

Our hypothesis is based on the assumption that reputation tools mitigate reputational and financial risks. This is particularly important in the context of cyberattacks, where market reactions may be associated with a loss of trust. The results show that reputational tools help to partially offset losses in shareholder value, but their effectiveness requires further analysis.

H2:

Hypothesis H2 has been adjusted to clarify its focus. It now refers to the need for EU involvement in the protection of critical infrastructure owned by EU companies but located outside the jurisdiction. Such companies play an important role in the global economy and their security affects the sustainability of the EU.

Section 3 have additional changes highlighted in green color

4. Why it is essential to consider viewpoints of EU companies on cyber-attacks outside EU jurisdiction?

The consideration of EU companies' viewpoints on cyber-attacks outside EU jurisdiction is crucial for several reasons:

Global Interconnectedness of Critical Infrastructure:

Many companies based in the EU operate critical infrastructure and financial services globally. These companies rely on interconnected networks that transcend national and regional boundaries. A cyber-attack targeting operations outside the EU can have cascading effects on services and supply chains within the EU, ultimately affecting its economic stability and security.

Protection of EU-Owned Assets Abroad:

EU companies often own or manage critical infrastructure in regions outside the EU. For example, energy networks, PayTech systems, and logistics hubs operated by EU-based firms play a pivotal role in global trade and finance. The security of these assets is essential for maintaining the operational integrity and competitiveness of EU firms.

Impact on EU’s Global Reputation:

Cyber-attacks on EU entities abroad can harm the EU’s reputation as a leader in regulatory and cybersecurity frameworks. By actively engaging in the protection of EU-owned infrastructure worldwide, the EU can demonstrate its commitment to fostering resilience in a globalized economy.

Alignment of International Standards:

Cybersecurity threats often exploit gaps in international regulations and enforcement. By addressing cybersecurity challenges beyond its jurisdiction, the EU can promote the adoption of robust security standards globally, which in turn strengthens protections for EU companies.

Economic and Social Stability:

Many EU companies provide critical services (e.g., financial transactions, digital payments, and energy) to regions outside the EU. Cyber-attacks on these services can disrupt local economies and communities, creating geopolitical instability that indirectly affects the EU’s strategic interests.

Section 1, 3 have additional changes highlighted in green color

5. Questionnaires contained only 7 questions, which is another concern on the quality of the work done…

We thank you for your comment on the brevity of the questionnaire and seek to clarify our approach to its structure. The choice of the 7-question questionnaire was based on the following considerations:

Use of Likert scale (Likert scale):

Our questionnaire is based on Likert scale which is widely used in social sciences to measure opinions and attitudes. It is a technique that produces standardised and reliable data even with a small number of questions.

The Likert scale allows for a focus on specific aspects (e.g. cybersecurity and reputation management), which reduces the likelihood of subjective interpretation of the results.

Research examples show that short questionnaires are effective for professional groups with limited time, such as auditors and IT specialists.

Expert survey methodology:

This research relies on the opinions of highly qualified experts, including CISOs and external auditors. The methodology of expert interviews justifies the use of short, structured questions because:

The experts are highly competent and do not require additional explanations.

The focus of the questionnaire allows key insights to be gathered without unnecessary complexity.

Approaches such as the Delphi method also involve the use of short questionnaires.

Minimising cognitive load:

We sought to minimise the cognitive load on respondents given their limited time. A simple questionnaire design avoided survey fatigue and increased participation rates.

The use of ‘Agree - Disagree’ scales reduced the likelihood of perceptual errors and simplified data processing.

Future improvements:

We recognise that future research would benefit from expanding the questionnaire by adding questions that examine aspects of the hypotheses from different perspectives. This would allow for a deeper understanding of the issues under study.

Section 4 have additional changes highlighted in green color

N

Remark

Response

1

Although the author made some modifications, the use of abbreviations in some parts is still not standardized. For example, the abbreviation, Chief Information Security Officers (CISOs), has been defined many times.

We have conducted a thorough review of the text to address the excessive use of abbreviations and their repeated definitions. The abbreviation "Chief Information Security Officers (CISOs)" has been expanded and explained only once in the appropriate section, as well as some other abbreviations. In subsequent mentions, they are used without further expansion. These changes are aimed at improving readability and avoiding redundancy.

2

In scientific writing, variable symbols should be written in italics. Therefore, the formulas in this paper need to be improved.

We have reviewed the use of variables in the formulas and made adjustments to ensure that the variables are italicized in accordance with the requirements of scientific writing style.

3

This reviewer does not find a letter that responses all the previous questions from the reviewers. Thus, I cannot ensure whether all the questions are addressed by the authors. The authors should provide a letter that answer the questions of the reviewers point by point. The authors only answered part of the questions.

Thank you for your comments and detailed recommendations, which you provided earlier. They have helped us improve the quality of the paper. We have carefully reviewed all your remarks and prepared a response to each point:

Use of Abbreviations:
We have reviewed the use of abbreviations in the paper. All abbreviations are now defined only once at their first mention. Redundant definitions have been removed to improve readability.
Additionally, definitions of previously undefined abbreviations, such as PM² and NIS2, have been added. These changes can be found in Section 1.2.

Punctuation Errors on Page 2:
All punctuation errors, including those noted on Page 2 and in other parts of the text, have been corrected. We conducted a thorough review to ensure the text complies with the standards of scientific writing.

Formulas and Their Formatting:
All formulas in the paper are now numbered. Variables have been italicized, and their meanings and contextual explanations have been added to the text.
We also checked the correctness of subscripts and superscripts to ensure they comply with the requirements of scientific writing.

Division of the 'Discussion' Section:
We considered your suggestion to create a separate 'Discussion' section. However, given the specifics of our paper, where discussion and conclusions are closely interconnected, we decided to keep these parts combined in the 'Conclusion and Discussion' section.

Our research focuses on comparing the approaches of internal and external specialists to recovering from cyberattacks, as well as analyzing their interaction and role in ensuring the sustainable development of smart cities. In this case, 'Discussion' and 'Conclusion' are closely linked, as the conclusions directly follow from the analysis of the presented data and lead to practical recommendations. Separating these parts might disrupt the logical flow, which is crucial for comprehensive understanding.

The study is application-oriented, where conclusions about the necessity of collaboration between internal and external specialists are based on the analysis of their interaction. Such separation could weaken the emphasis on key aspects and practical recommendations.

To enhance the clarity and accessibility of the key findings, we have included a table in the 'Conclusion and Discussion' section. This table consolidates the primary results of the study, including its scientific novelty, practical significance, achieved objectives, and recommendations for future research. The table is highlighted in red for ease of review.

Literature Review:
We have reviewed the literature section and included additional sources relevant to the context of the study. In particular, we have added a reference to the article by Z. Yu et al., "A Survey on Cyber–Physical Systems Security" (IEEE Internet of Things Journal, vol. 10, no. 24, pp. 21670–21686, 15 Dec. 2023).