Welcome to the Machine (WTTM): A Cybersecurity Framework for the Automotive Sector
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
1. The contribution of this manuscript needs to be restated in the Introduction section.
2. Are the manuscript’s keywords appropriate? For example: the keyword Cybersecurity.
3. The authors mention security; it is recommended that they compare their approach with more recent and relevant studies in this area: Exploring clean label backdoor attacks and defense in language models.
4. The manuscript contains multiple instances of redundant abbreviation definitions; for example, terms like WTTM do not need to be defined more than once.
Author Response
We would like to sincerely thank the reviewer for their thoughtful and constructive feedback. Below, we provide detailed responses to each comment and highlight the corresponding revisions made to improve the manuscript.
- “The contribution of this manuscript needs to be restated in the Introduction section.”
Response:
We appreciate this suggestion and have revised the Introduction to more clearly and explicitly present the main contributions of the manuscript. The revised version now includes a paragraph summarizing the novelty and scope of the WTTM framework, with emphasis on its modular structure, integration of machine learning, and alignment with current automotive cybersecurity standards.
- “Are the manuscript’s keywords appropriate? For example: the keyword Cybersecurity.”
Response:
We acknowledge the reviewer’s concern regarding the choice of keywords. After careful consideration, we have refined the keyword list to enhance specificity and relevance. While the term “Cybersecurity” remains essential due to its centrality in the paper, we have supplemented it with more focused keywords such as “automotive cybersecurity,” “cyber risk assessment,” “self-assessment frameworks,” “machine learning,” and “ISO/SAE 21434.” This ensures better discoverability and alignment with the core themes of the manuscript.
Change location: Updated in the Keywords section on page 1.
- “The authors mention security; it is recommended that they compare their approach with more recent and relevant studies in this area: Exploring clean label backdoor attacks and defense in language models.”
Response:
We thank the reviewer for this insightful suggestion. Although our work is centered on the automotive domain and focuses on organizational-level cyber risk assessment rather than adversarial AI threats, we agree that drawing conceptual parallels with emerging research on clean-label backdoor attacks provides valuable context. Accordingly, we have incorporated a brief discussion in the Discussion section that references the recent work of Zhao et al. (2024) on CBat and CBatD, explaining the conceptual distinction between reactive adversarial defenses and WTTM’s proactive, organizationally grounded approach.
Change location: Added in the Discussion section, lines 471-478.
- “The manuscript contains multiple instances of redundant abbreviation definitions; for example, terms like WTTM do not need to be defined more than once.”
Response:
We agree with the reviewer’s observation and have thoroughly reviewed the manuscript to remove redundant definitions of acronyms, including WTTM, OEM, ISO/SAE, and others. Now, each abbreviation is defined only upon its first use and reused consistently thereafter.
Change location: entire document.
We are grateful for the reviewer’s thoughtful recommendations, which have significantly improved the clarity and quality of the manuscript. All changes have been marked in the revised version for ease of reference.
Sincerely,
Enrico Picano
Reviewer 2 Report
Comments and Suggestions for Authors
The manuscript is well organized into background, framework description, and validation/results sections, which makes it easy to follow. The flow from identifying gaps in existing frameworks to introducing WTTM is logical. Consider tightening the narrative to emphasize the key innovative elements. Ancillary implementation details might be shortened or moved to an appendix, unless they are crucial for supporting a claim in this paper. This will help readers focus on the validated parts of the work. Double-check that each in-text reference number matches the intended source. Mis-citations can mislead readers or give the impression of carelessness in scholarship.
1) The WTTM-Q self-assessment questionnaire is a central contribution, but its empirical validation is determined by a limited sample (N = 43 organizations). This sample calls into question the robustness of the six-domain factor structure and the stability of metrics like Cronbach’s alpha. Moreover, it appears that the authors performed both Exploratory and Confirmatory Factor Analysis on essentially the same dataset. Validating a six-factor model with only 43 responses (and without an independent confirmation sample) risks overfitting and inflated goodness-of-fit. If a new sample is not feasible, consider using cross-validation or splitting the data (e.g., perform EFA on part of the responses and CFA on the rest) to ensure the questionnaire’s structure holds beyond a single small group. This will lend greater credibility to claims of high construct validity and internal consistency.
2) The paper would benefit from clearer descriptions of participant selection and data collection procedures for the questionnaire. Currently, there is no information on who the 43 respondents were (e.g., industry professionals, academics, specific roles) or how they were recruited and surveyed.
3) The idea of converting questionnaire outputs into an automated risk classification is interesting, but the execution raises concerns. Using entirely synthetic or hypothetical data means the model’s reported performance may not reflect real-world behavior. There is a risk that the experts’ labeling criteria or any biases in how those scenarios were constructed will carry through to the model. To improve confidence in the classifier, the authors should validate it on actual organizational data or at least on additional held-out scenarios beyond those hand-crafted by the experts. If real automotive industry data are scarce, consider augmenting the study with a cross-validation over the cases (to ensure the model’s stability) or using simulation techniques to diversify the hypothetical profiles further. Detailing how the data were split into training vs. testing (or if cross-validation was used) is essential for reproducibility.
4) Generally, the data provided do support the main claims of the paper. However, the statement that “the platform’s resilience has been rigorously proven through extensive testing, including realistic attack simulations and validation in complex, dynamic operational environments.” is a strong assertion, but the paper offers no evidence or references for these simulations and operational tests – they are neither described nor quantified. Either provide at least a summary of results from these attack simulations (if available) or remove/soften the claim. For instance, the authors could say the platform “has been initially tested in simulations” rather than “rigorously proven,” unless they include evidence. All claims in a scientific paper should be backed by either the presented data, literature references, or explained reasoning. Ensuring this will enhance the paper’s credibility.
5) While the breadth is good, the paper could improve on connecting WTTM to prior work to emphasize novelty. However, beyond a qualitative comparison, there is little evidence showing how WTTM fills those gaps better than previous frameworks. To substantiate WTTM’s novelty, consider adding a concise comparative summary – perhaps a table or a paragraph – that lists key features of existing frameworks (ISO 21434, EVITA, HEAVENS, etc.) versus WTTM. Emphasize unique elements.
6) A framework that claims lifecycle coverage, incident response via VSOC, and compliance alignment should at least address forensic readiness and EDR/DSSAD interfaces, because post-incident attribution, legal defensibility, and regulatory obligations hinge on evidence capture, retention, integrity, and controlled access. EDR is already mandated in the EU for M1/N1.
What to add (essential):
Forensic readiness requirements in WTTM and WTTM-Q: chain of custody, time-sync, secure logging, retention periods, role-based retrieval, hashing/signing, and evidence segregation vs. operational logs; reference ISO/IEC 27037 (evidence handling) and 27043 (incident investigation). Cite or take into consideration at least one review (i) and one framework (ii) to adopt such as (examples):
(i) Strandberg, Kim, Nasser Nowdehi, and Tomas Olovsson. "A systematic literature review on automotive digital forensics: Challenges, technical solutions and data collection." IEEE Transactions on Intelligent Vehicles 8.2 (2022): 1350-1367.
(ii) Cantelli-Forti, Alessandro, et al. "Insights from field experience: digital forensics of event and voyage data recorders in transportation systems accident investigation: A. Cantelli-Forti et al." International Journal of Information Security 24.4 (2025): 163.
The work has substance. Some of the remarks may require repeating the study to add samples or variables (e.g., digital forensics). If this is not feasible, I recommend citing the missing topics in the Related Work and/or adding a clear Limitations section that delineates the study boundaries and, optionally in a Future Work section, outlines how to close these gaps.
--
Decision: Major revision. Promising and relevant contribution, but validation is insufficient: small sample (N = 43) with EFA/CFA on the same data, and model trained on 115 expert-labeled hypothetical profiles rather than real deployments. Forensic readiness and EDR/DSSAD aspects are not addressed. Recommend publication after expanded empirical validation or, at minimum, an explicit Limitations section, regulatory mapping, and clearer disclosure of split/CV procedures and alternative model results.
Author Response
We would like to sincerely thank the Reviewer for their insightful and constructive feedback. We have carefully considered each comment and have revised the manuscript accordingly to improve the clarity, methodological rigor, and scientific contribution of our work. Below, we provide a point-by-point response to each concern, highlighting the actions taken in the revised manuscript.
Comment 1
“The WTTM-Q self-assessment questionnaire is a central contribution, but its empirical validation is determined by a limited sample (N = 43 organizations)… Validating a six-factor model with only 43 responses (and without an independent confirmation sample) risks overfitting… consider using cross-validation or splitting the data…”
Response:
We thank the Reviewer for highlighting this important methodological concern. We fully acknowledge the limitations related to the use of a relatively small sample and the original application of both EFA and CFA on the same dataset. In response, we have revised our validation strategy by adopting a data-splitting approach. Specifically, the original sample was randomly divided into two independent subsets:
- Exploratory Factor Analysis (EFA): n = 22
- Confirmatory Factor Analysis (CFA): n = 21
This revised procedure mitigates overfitting and improves the robustness of the reported factor structure. Updated psychometric results (KMO, Bartlett’s test, explained variance, fit indices) are now presented in Section 3.4, along with recalculated Cronbach’s alpha values (all above 0.81). We also explicitly acknowledge the limitations due to sample size and highlight the need for further replication in larger studies. We believe this significantly improves the credibility of our construct validity claims.
Comment 2
“The paper would benefit from clearer descriptions of participant selection and data collection procedures…”
Response:
We fully agree and have clarified the participant profile and recruitment process in Section 3.3. The revised paragraph now reads:
“The initial statistical validation of the WTTM-Q was conducted on a sample of 43 respondents selected through purposive sampling. Participants were industry professionals working in the automotive and embedded systems sectors, with direct experience in cybersecurity, functional safety, and compliance processes. Recruitment was carried out via professional networks, industry events, and direct outreach to partner organizations involved in safety-critical development projects. Respondents completed the questionnaire anonymously using an online survey platform, and consent to participate in the study was obtained.”
Comment 3
“Using entirely synthetic or hypothetical data means the model’s reported performance may not reflect real-world behavior…”
Response:
We appreciate the Reviewer’s concern regarding the limitations of using synthetic data. In response, we revised Sections 4.1 and 4.2 as follows:
- We now explicitly acknowledge the limitations of synthetic profiles and their impact on generalizability.
- We clarify that all profiles were independently labeled by a multidisciplinary panel of experts, and consensus labeling was used to reduce bias.
- The manuscript now states our intention to validate the model on real organizational data in future work or expand the dataset via simulation-based augmentation.
- Finally, we detail the modeling protocol, including the use of stratified 80/20 train-test splitting and 5-fold cross-validation.
These changes strengthen the transparency and reproducibility of our approach.
Comment 4
“The platform’s resilience has been rigorously proven through extensive testing… but the paper offers no evidence or references…”
Response:
We thank the Reviewer for pointing out this overstatement. We agree that the original phrasing exceeded the scope of the presented data. We have revised the sentence (Section 4.3) as follows:
“The platform has been initially tested through simulations and expert-reviewed scenarios to assess its resilience under representative attack conditions.”
This reformulation more accurately reflects the current state of validation and improves scientific precision.
Comment 5
“To substantiate WTTM’s novelty, consider adding a concise comparative summary – perhaps a table – that lists key features of existing frameworks…”
Response:
We appreciate this suggestion and have acted on it by adding Table 2 in the Discussion section, which provides a structured comparison of WTTM against established frameworks such as ISO/SAE 21434, EVITA, HEAVENS, and SAE J3061.
This table emphasizes WTTM’s unique characteristics, including:
- Integrated risk assessment and machine learning-based classification
- Modular, domain-specific assessment structure
- Embedded supply chain evaluation
- VSOC integration for monitoring and automation
This addition helps better position WTTM’s contributions and underscores its practical relevance.
Comment 6
“A framework that claims lifecycle coverage, incident response via VSOC, and compliance alignment should at least address forensic readiness and EDR/DSSAD interfaces…”
Response:
We fully agree and thank the Reviewer for the valuable references and suggestions. In response:
- We have updated the Discussion and Related Work sections to incorporate forensic readiness as a crucial aspect of future development.
- We cite both Strandberg et al. (2022) and Cantelli-Forti et al. (2025) in MDPI format to position our future plans in line with current research and practice.
- A new Limitations paragraph has been added, clearly stating that forensic readiness and EDR/DSSAD modules are not yet implemented in the current version of WTTM.
- Additionally, the Conclusion section outlines a dedicated Future Work paragraph that specifies:
  - Plans to implement mechanisms for secure log collection, hashing/signing, and evidence segregation.
  - Extension of the WTTM-Q questionnaire to cover forensic readiness.
  - Compliance with ISO/IEC 27037 and 27043.
  - Experimental validation in collaboration with industry partners.
We believe this comprehensive response demonstrates a clear roadmap to address the Reviewer’s concern and align the framework with evolving regulatory and forensic demands.
Once again, we thank the Reviewer for their detailed and constructive feedback. We believe the changes implemented in the revised manuscript significantly improve its methodological robustness, transparency, and relevance to both academic and industrial audiences.
Please let us know if further clarifications are needed.
Sincerely,
Enrico Picano
Reviewer 3 Report
Comments and Suggestions for Authors
Dear authors,
The topic of detecting suspicious and violent activities in videos is extremely topical, and the approach you presented - through a combination of PCA-HOG, Motion-HOG and 3D convolutional network - shows serious research potential.
Below I highlight several suggestions that, in my opinion, could further improve the quality and clarity of the work:
- It might be useful to further clarify whether all the datasets you are using are comparable - in terms of video length, resolution, scene complexity, etc.
- It would be good to describe how the hyperparameter values were chosen, especially the learning rate and the number of iterations - whether they were experimentally determined or optimized by some procedure.
- I suggest you clarify how the data was split into training and test sets, as well as whether some form of cross-validation was used.
- Given that some of the videos come from different online sources, it would be helpful to indicate how you standardized the resolutions and quality of the video material.
- I think it would be very useful if you could show how much each component of your system (PCA-HOG, Motion-HOG, Conv3D) contributes - to see their individual importance.
- It might be a good idea to mention if any measures have been taken to avoid overfitting, given that you are working with several different datasets.
- It would be useful if you could consider implementing the system in real time - if only through simulation - to see if the system has sufficient performance for practical applications.
- It would be interesting to see how the model reacts to activities that are similar to violent (e.g. sports scenes) but are not actually violent - to estimate the number of false positives.
Although the accuracy is shown, additional metrics such as precision, recall and F1-score would further illuminate the performance of the model, especially in the case of unbalanced classes.
Author Response
Dear Reviewer,
We sincerely thank you for the time and attention you dedicated to reviewing our manuscript.
We have carefully reviewed the comments you provided. However, we believe that some of the observations — particularly those referring to the use of video-based techniques (PCA-HOG, Motion-HOG, 3D convolutional networks) for detecting suspicious or violent activities — do not appear to relate to the content of our work, which focuses instead on cybersecurity in the automotive domain.
This may have been the result of a technical issue in the review management system.
In the meantime, we remain at your disposal for any further requests or clarifications from the editorial team.
With our kindest regards,
Enrico Picano
Round 2
Reviewer 1 Report
Comments and Suggestions for Authors
Thank you for your reply.
Author Response
Dear Reviewer,
Dear Reviewer 1,
I am very pleased that the work carried out has been appreciated. I would like to sincerely thank you for your comments and, more generally, for the review process, which has significantly contributed to improving the final outcome.
Best regards
Enrico Picano
Reviewer 2 Report
Comments and Suggestions for Authors
Thank you for incorporating the suggestions.
The study’s limitations are now clearly stated, and the research is better contextualized. However, issues remain concerning the references. References 16 and 17 list fabricated authors, inaccurate journal titles and invalid DOIs, indicating a likely LLM hallucination. All citations should be verified manually. Moreover, DOIs appear in inconsistent formats, and appending a period to the end of the hyperlink prevents direct clicking—consistently formatted links without trailing punctuation are recommended.
Author Response
Dear Reviewer,
I am very pleased that the work carried out has been appreciated. I have revised the bibliography, which indeed required further attention. I sincerely thank you for your comments and, more generally, for the review process, which has significantly contributed to improving the final outcome.
Best regards
Enrico Picano
Reviewer 3 Report
Comments and Suggestions for Authors
Dear Mr. Picano,
Thank you for your kind message and for clarifying the scope of your manuscript. It is indeed possible that some of my review comments referred to topics—particularly video-based techniques for activity detection—that are not directly related to your focus on automotive cybersecurity. This may have been the result of a technical or contextual oversight, and I sincerely apologize for any confusion caused.
In the spirit of constructive feedback, I would like to offer three suggestions that may further strengthen your work:
- Expand empirical validation – Increase the number of real-world industry participants in validating the WTTM-Q to enhance external validity and reduce reliance on synthetic datasets, involving OEMs and suppliers from diverse regions.
- Integrate forensic readiness earlier – Implement and test digital forensics modules (e.g., EDR/DSSAD interfaces, secure and verifiable log collection) within the current framework to demonstrate full end-to-end lifecycle coverage.
- Provide deeper comparative analysis – Enrich the comparative table with quantitative metrics (e.g., implementation time, cost, degree of automation) based on pilot projects to clearly highlight WTTM’s advantages over standards such as HEAVENS and TARA.
I remain at your disposal should the editorial team require any further clarification or follow-up regarding the review process.
Kind regards,
Author Response
Dear Reviewer,
thank you very much for the valuable suggestions you provided, which will help improve not only the paper but also the overall structure of the research work. In what follows, I will try to address your comments point by point.
1. Expansion of empirical validation: I fully agree on the importance of increasing the number of industry participants involved in the validation of the WTTM-Q, including OEMs and suppliers from different regions. We have done our best to involve as many participants as possible in the validation process; however, project timelines and budget constraints did not allow us to go beyond the numbers presented in the paper. In the continuation of this research, we will make sure to devote even greater attention to this aspect.
2. Integration of forensic readiness at an earlier stage: we will proceed in this direction as our research progresses. Indeed, this was an aspect we had underestimated, and another reviewer also pointed it out. We have now included this suggestion among the future developments, highlighting the newly added text in red (see from line 564 to line 576).
3. Providing a more precise comparative analysis: I have improved the discussion section accordingly. The updated text, highlighted in red, can be found from line 495 to line 501.
Best regards