Decision-Making Model for Risk Assessment in Cloud Computing Using the Enhanced Hierarchical Holographic Modeling

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

1. The writers need to fill in the GAPS by reviewing the related work. This allows for the objectives to be framed based on GAPS.

2. So many researchers are working on the same domain, with the novel models with various data. To what extent the proposed work was novel?

3. How the EHMM addresses the multi-dimensional risks of cloud-computing environments.

4. How the integration of CRITIC and EWM generates balanced weights.

5. How the weighted values are transformed to a membership matrix. Explain how fuzzy set theory is used to organise risk assessments with uncertainties and ambiguities.

6. In this section, the writer provides a general explanation of the fuzzy set. It is necessary to explain how fuzzy set theory is organised and how it expresses subjective judgements.

7. Explain the various parameters of the dataset clearly about the correlation and about the target class. Could you please clarify what is needed about the set of factors associated with this class {a1, a2, a3, a4}? so that the readers can easily understand. 

8. A clear explanation is needed on how it is utilised to assess the extent of influence that risk factors have on assets, threats, and vulnerabilities.

9. Explain how the membership matrix is built by using each of the EWM.

10. What are the parameters considered when evaluating the equations?

11. Justify the given statement. "The CRITIC allows the values of the decision matrix to be transformed based on the concept of the ideal point."

12. How the values were generated for the tables. How they were evaluated.

13. How to calculate intricate numbers through the application of a straightforward mathematical expression.

14. An explanation is needed for tables 9 and 10. Discussion section should be cited with the latest articles.

 

Author Response

Author's Reply to the Review Report (Reviewer 1):
1. The writers need to fill in the GAPS by reviewing the related work. This allows for the objectives to be framed based on GAPS.
Response (1): Thank you for the comment. We have revised Section 3 to include a new paragraph highlighting explicit gaps in previous HHM, SEBCRA, QUIRC, and game-theory models. This addition clarifies that prior works lacked cross-domain dependency analysis and did not address transfer-operation risks or uncertainty integration, which motivated our EHHM framework.

2. So many researchers are working on the same domain, with the novel models with various data. To what extent the proposed work was novel?
Response (2): The novelty is now emphasized in both the abstract and introduction. We specify that EHHM introduces a new domain, dual objective weighting, and fuzzy-based integration, establishing an original multidimensional approach to cloud risk assessment.

3. How the EHMM addresses the multi-dimensional risks of cloud-computing environments.
Response (3): Added clarification in Section 5 explaining how EHHM handles multidimensionality by decomposing risks across four interconnected domains and quantifying their cross-dependencies.

4. How the integration of CRITIC and EWM generates balanced weights.
5. How the weighted values are transformed to a membership matrix. Explain how fuzzy set theory is used to organise risk assessments with uncertainties and ambiguities.
6. In this section, the writer provides a general explanation of the fuzzy set. It is necessary to explain how fuzzy set theory is organised and how it expresses subjective judgements.
Response (4, 5, 6): Section 5.2 now contains a new paragraph for the “Integration Process” detailing how EWM and CRITIC weights are merged and how fuzzy logic converts them into membership degrees, thereby managing uncertainty and subjective variance.

7. Explain the various parameters of the dataset clearly about the correlation and about the target class. Could you please clarify what is needed about the set of factors associated with this class {a1, a2, a3, a4}? so that the readers can easily understand. 
8. A clear explanation is needed on how it is utilised to assess the extent of influence that risk factors have on assets, threats, and vulnerabilities.
Response (7, 8):We expanded Section 5.1 with a detailed clarification of the parameters, their association with assets, threats, and vulnerabilities, and how expert scoring produced the membership matrices.

9. Explain how the membership matrix is built by using each of the EWM.
10. What are the parameters considered when evaluating the equations?
Response (9, 10): Added explicit explanation in Section 5.2.1 describing parameters and procedure for constructing the membership matrix from normalized entropy weights.

11. Justify the given statement. "The CRITIC allows the values of the decision matrix to be transformed based on the concept of the ideal point."
Response (11):We justified the use of the ideal-point transformation in Section 5.2.2 to clarify its role in generating standardized relative deviations within CRITIC.

12. How the values were generated for the tables. How they were evaluated.
13. How to calculate intricate numbers through the application of a straightforward mathematical expression.
Response (12, 13): Added methodological clarification noting that all tables derive from MATLAB-based computation of equations (1–15), where trapezoidal functions simplify numerical processing.

14. An explanation is needed for tables 9 and 10. Discussion section should be cited with the latest articles.
Response (14): Added explanatory text following Tables 9 and 10 to clarify the meaning of correlation, rank, and integrated weighting schemes. Revised the Discussion section with detailed interpretation of sensitivity results and incorporated recent 2023–2025 references (Chandrasiri & Meedeniya 2025; Wang et al. 2024; Li & Zhao 2023; Khalid et al. 2024) to align the study with current research developments.

Author Response File: Author Response.docx

Reviewer 2 Report

Comments and Suggestions for Authors

1. 

Comments on the Quality of English Language

1. The abstract and introduction both fail to make evident the uniqueness of the study. Basic details on the contribution and integrated technique are provided. However, the text should appropriately explain why it was chosen and what the benefits of the suggested technique are, along with the precise literature.
2. Another obstacle is the literature review; it is hard to understand the theoretical basis of the research problem as well as the research gap of the suggested approach. 
3. Narrate the evaluation procedure or methodology of the prescribed technique more clearly. The general framework is not aligns well with the description of methodology and case study evaluation. Rectify it.
4. Validate the approach through comparative and sensitivity analysis.
5. There are so many notations, labels, and codes, explain them clearly.
6. Could the authors elucidate more on the computation and interpretation of the integrated weight measures? In what manner do these measurements improve the precision of risk assessment?
7. In what manner can the suggested framework facilitate new endeavors and enhance informed risk awareness within dynamic cloud environments? Are there case studies or actual examples illustrating its efficacy?
8. What are the primary limits of the EHHM technique, and how may future research mitigate these challenges?
9. How does the framework address asymmetric information among stakeholders, and what processes exist to guarantee impartial involvement in the risk assessment process?
10. The whole manuscript needs expert guidance in writing. For example, "The new domain contains new 198 factors called factors (relative advantage, cost reduction, security, IT employee skills, and 199 perceived control)." 
11. The structure of the manuscript is very weak. Revise it.

Author Response

1. The abstract and introduction both fail to make evident the uniqueness of the study. Basic details on the contribution and integrated technique are provided. However, the text should appropriately explain why it was chosen and what the benefits of the suggested technique are, along with the precise literature.
Response (1): We appreciate the reviewer’s observation regarding the need to emphasize the uniqueness of the study. Accordingly, a new paragraph titled “Novelty and Rationale of the Study” has been added at the end of the Introduction section. This paragraph explicitly highlights the originality of integrating EWM and CRITIC with six hybrid aggregation models, explains the rationale behind selecting this technique, and clarifies its methodological and practical benefits. Relevant recent studies (2023–2025) have also been cited to reinforce the contribution and contextualize its advancement over existing literature.
The abstract has been rewritten to explicitly highlight the originality of the proposed EWM–CRITIC hybrid framework, the rationale for integrating the methods, and the benefits of the approach in enhancing objectivity, consistency, and decision transparency.

2. Another obstacle is the literature review; it is hard to understand the theoretical basis of the research problem as well as the research gap of the suggested approach. 
Response (2): Abstract and Introduction have been revised to clearly articulate the uniqueness of the EHHM model, specifying its three core contributions: (1) new transfer-operation domain, (2) dual-objective weighting (EWM + CRITIC), and (3) fuzzy-logic integration for uncertainty quantification.

3. Narrate the evaluation procedure or methodology of the prescribed technique more clearly. The general framework is not aligns well with the description of methodology and case study evaluation. Rectify it.
Response (3): We improved Section 5 and Figure 1 explanations to ensure consistency between the conceptual framework and methodological description.

4. Validate the approach through comparative and sensitivity analysis.
Response (4): Added a new sensitivity/comparative analysis section showing that EHHM results are consistent across weighting variants and outperform baseline HHM models in accuracy and stability.

5. There are so many notations, labels, and codes, explain them clearly.
Response (5): We checked it again.

6. Could the authors elucidate more on the computation and interpretation of the integrated weight measures? In what manner do these measurements improve the precision of risk assessment?
Response (6): We thank the reviewer for highlighting the need to clarify the computation and interpretation of the integrated weights. A new explanatory paragraph titled “Interpretation of Integrated Weights” has been added in Section 5 (5.3). It describes how the six aggregation operators (RSSq, MAX, AM, GM, HM, MIN) combine entropy and CRITIC weights, distinguishing between averaging-based and extremity-based mechanisms, and explains how this integration improves precision by stabilizing variability among domains.

7. In what manner can the suggested framework facilitate new endeavors and enhance informed risk awareness within dynamic cloud environments? Are there case studies or actual examples illustrating its efficacy?
Response (7): We appreciate the reviewer’s request for clarification on the framework’s practical significance and evidence of efficacy. To address this, we have added a new paragraph titled “Practical Implications and Application Potential” at the end of the Discussion section. This addition explains how the proposed framework supports informed risk awareness and adaptive decision-making in dynamic cloud settings, highlights potential application areas (security, compliance, workload optimization), and refers to case-based validation using the DS1–DS3 experimental datasets, which demonstrated measurable performance improvements over conventional methods.

8. What are the primary limits of the EHHM technique, and how may future research mitigate these challenges?
Response (8): We thank the reviewer for requesting clarification regarding the limitations of the proposed EHHM technique and its future prospects. A new paragraph has been added to the Conclusion chapter. This section identifies the main constraints of the model—data dependence, static correlation assumptions, limited adaptive learning, and reliance on simulated datasets—and outlines possible solutions such as dynamic weight learning, real-time validation, and integration with explainable AI tools to enhance adaptability and interpretability in future work.

9. How does the framework address asymmetric information among stakeholders, and what processes exist to guarantee impartial involvement in the risk assessment process?
Response (9): We appreciate the reviewer’s concern regarding stakeholder asymmetry and impartiality in the assessment process. To clarify, a new paragraph titled “Stakeholder Asymmetry and Impartiality Mechanisms” has been added at the end of the Discussion section. This paragraph explains how the proposed EWM–CRITIC integration ensures objectivity through data-driven weighting, transparent computation, and multi-stakeholder validation loops that collectively mitigate bias and guarantee equitable participation in cloud risk evaluation.

10. The whole manuscript needs expert guidance in writing. For example, "The new domain contains new 198 factors called factors (relative advantage, cost reduction, security, IT employee skills, and 199 perceived control)." 
11. The structure of the manuscript is very weak. Revise it.
Response (10, 11): The manuscript was thoroughly revised for academic language, clarity, and structural consistency following MDPI formatting.

Reviewer 3 Report

Comments and Suggestions for Authors

The manuscript proposes an Enhanced Hierarchical Holographic Modeling (EHHM) framework integrated with Entropy Weight Method (EWM), CRITIC, and fuzzy set theory for risk assessment in cloud computing.

• While the integration of these methods is interesting, the novelty is somewhat incremental. The paper should more clearly articulate how EHHM substantially advances over existing HHM-based or fuzzy logic-based risk assessment frameworks.
• A comparative analysis with existing risk assessment models (e.g., SEBCRA, QUIRC, game-theoretic approaches) is missing, which limits the evidence for the model’s superiority.
• The datasets used are not sufficiently explained. One is from experts ([16]) and another includes added client-side factors, but the sample size (15 experts) is small and raises questions of representativeness.
• The use of fuzzy membership functions is described, but justification for selecting trapezoidal vs. triangular functions is weak. Why not Gaussian or bell-shaped functions?
• The integration of EWM and CRITIC is mentioned, but the mathematical fusion process is not fully transparent. How exactly are the weights combined before applying fuzzy logic?
• The results are mostly numerical tables (membership matrices, correlation, ranks, weights), but no clear visualization or sensitivity analysis is provided.
• The final risk score of 0.074233 is reported, but the interpretation is weak. What does this number mean in a practical decision-making context? How does it compare with baseline methods?
• No validation is presented. Without benchmarking against real-world cloud incidents, attack simulations, or other models, the reliability of the results is uncertain.
• The discussion section highlights advantages of EHHM but is self-congratulatory and does not adequately discuss limitations.
• The paper briefly notes subjectivity and expert dependence, but does not discuss: Scalability in multi-tenant or hybrid cloud settings, Adaptability to rapidly evolving threats such as zero-day attacks, and computational complexity of applying the proposed model in real-time.

Author Response

1. The manuscript proposes an Enhanced Hierarchical Holographic Modeling (EHHM) framework integrated with Entropy Weight Method (EWM), CRITIC, and fuzzy set theory for risk assessment in cloud computing.

2. While the integration of these methods is interesting, the novelty is somewhat incremental. The paper should more clearly articulate how EHHM substantially advances over existing HHM-based or fuzzy logic-based risk assessment frameworks.
Response (2): The Introduction was expanded and contains the research novelty and contribution.

3. A comparative analysis with existing risk assessment models (e.g., SEBCRA, QUIRC, game-theoretic approaches) is missing, which limits the evidence for the model’s superiority.
Response (3): A new subsection 6.2 “Comparative Validation” was added, quantitatively contrasting EHHM with SEBCRA, QUIRC, and CCRAM, demonstrating superior stability and lower normalized risk scores.

4. The datasets used are not sufficiently explained. One is from experts ([16]) and another includes added client-side factors, but the sample size (15 experts) is small and raises questions of representativeness.
Response (4): Section 5.1 was expanded to clarify dataset purpose and representativeness, identifying the 15-expert panel as a pilot for proof-of-concept and noting plans for larger, Delphi-based validation.

5. The use of fuzzy membership functions is described, but justification for selecting trapezoidal vs. triangular functions is weak. Why not Gaussian or bell-shaped functions?
Response (5): A justification for trapezoidal membership functions was added in Section 5.2.4, emphasizing computational efficiency, interpretability, and stability versus Gaussian alternatives.

6. The integration of EWM and CRITIC is mentioned, but the mathematical fusion process is not fully transparent. How exactly are the weights combined before applying fuzzy logic?
Response (6):Section 5.2.3 was expanded with an explicit fusion equation and explanation of normalization to enhance mathematical transparency.

7. The results are mostly numerical tables (membership matrices, correlation, ranks, weights), but no clear visualization or sensitivity analysis is provided.

8. The final risk score of 0.074233 is reported, but the interpretation is weak. What does this number mean in a practical decision-making context? Response (8):How does it compare with baseline methods?
Section 7 was expanded with a clear interpretation of the 0.074233 risk score, contextualized against baseline models (QUIRC, SEBCRA) and real-world implications.

9. No validation is presented. Without benchmarking against real-world cloud incidents, attack simulations, or other models, the reliability of the results is uncertain.
Response (9):A benchmarking and preliminary validation subsection 6.2 was added, and future work is committed to testing with ENISA and OWASP datasets to establish empirical reliability.

10. The discussion section highlights advantages of EHHM but is self-congratulatory and does not adequately discuss limitations.
Response (10): We add paragraphs in conclusion talking about the limitations

11. The paper briefly notes subjectivity and expert dependence, but does not discuss: Scalability in multi-tenant or hybrid cloud settings, Adaptability to rapidly evolving threats such as zero-day attacks, and computational complexity of applying the proposed model in real-time.
Response (11): A dedicated paragraph titled “Scalability, Adaptability, and Computational Complexity” has been added at the end of Section 7 (Discussion). It explains how EHHM scales across multi-tenant and hybrid cloud environments through parallel sub-matrix computation (O(n²) complexity), supports incremental weight updates for dynamic threats, and can integrate reinforcement-learning modules for real-time adaptability.

 

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

1. If the writers explain more clearly the proposed model EHHM. It will sound good.
2. The conclusion section can be reduced as per the results obtained.

Author Response

Comment 1:
If the writers explain more clearly the proposed model EHHM, it will sound good.

Response 1:
We thank the reviewer for this helpful suggestion. The explanation of the Enhanced Hierarchical Holographic Modeling (EHHM) framework has been thoroughly revised and expanded in Section 4 (Enhancement of HHM (EHHM)) to ensure clarity and conceptual depth. The updated section now provides a structured description of the four-layer hierarchy (operations, technology, support, and transfer) and explicitly defines the new transfer-operation domain, which captures client–provider dynamics through factors such as service quality, cost reduction, IT employee skills, and perceived control.
Furthermore, we clarified the integration of Entropy Weight Method (EWM), CRITIC, and fuzzy set theory, explaining how these components collectively enhance objectivity, handle uncertainty, and minimize expert bias in risk evaluation. The revised text also emphasizes how EHHM extends the original HHM to account for inter-domain dependencies, asymmetric information, and dynamic relationships in modern cloud environments.
These additions make the model’s structure, purpose, and novelty clearer, directly addressing the reviewer’s concern and improving the overall interpretability of the proposed framework.

 

Comment 2:
The conclusion section can be reduced as per the results obtained.

Response 2:
We appreciate this constructive recommendation. The Conclusion (Section 8) has been revised and shortened to align more closely with the presented results. Repetitive methodological explanations and generalized statements were removed, while the section now focuses on three concise aspects:
- Core outcome: the EHHM achieved a normalized cumulative risk score of 0.074233, validating its reliability and consistency;
- Comparative advantage: the framework demonstrated improved robustness and lower residual risk than existing models (SEBCRA, QUIRC, and CCRAM); and
- Future direction: emphasizing adaptive, data-driven extensions using reinforcement learning and explainable AI

Author Response File: Author Response.docx

Reviewer 2 Report

Comments and Suggestions for Authors

I appreciate the authors for their significant revision work by addressing the recommended review comments.

Author Response

We sincerely thank the reviewers for their encouraging and positive feedback. We greatly appreciate the acknowledgment of our revision efforts and are pleased that the updated manuscript satisfactorily addresses all the recommended comments. We are grateful for the reviewers’ recommendation for acceptance and their valuable contributions to improving the quality and clarity of our work.

Reviewer 3 Report

Comments and Suggestions for Authors

All the comments are incorporated. The manuscript can be accepted in the present form.

Author Response

We sincerely thank the reviewers for their encouraging and positive feedback. We greatly appreciate the acknowledgment of our revision efforts and are pleased that the updated manuscript satisfactorily addresses all the recommended comments. We are grateful for the reviewers’ recommendation for acceptance and their valuable contributions to improving the quality and clarity of our work.