Article
Peer-Review Record

A Practical Human-Centric Risk Management (HRM) Methodology

Electronics 2025, 14(3), 486; https://doi.org/10.3390/electronics14030486
by Kitty Kioskli 1,*, Eleni Seralidou 1 and Nineta Polemi 1,2
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Submission received: 19 December 2024 / Revised: 21 January 2025 / Accepted: 23 January 2025 / Published: 25 January 2025

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

Dear Authors,

Please see my comments to your paper in the attached file.

Best of luck!

Comments for author File: Comments.pdf

Author Response

  • Lines 268-284: figure 2 should be revised as a type of representation to show the process itself, not just its components. That is, it should be clear what the flows are, what is circulating and in which direction and how the components of the model inter-relate

Response: Thank you for your valuable feedback. In response, we have updated Figure 2.

 

  • Lines 315-329: figure 3 must be revised because in its present form it does not describe the interaction between users, but only groups them by categories

Response: Thank you for your valuable feedback. In response, we have updated Figure 3.

 

  • Lines 343-348: please elaborate more on steps a) and b) in order to be clearer how to identify and measure the profiles of the potential adversaries (that is, to explain in more detail how concrete values are assigned to profiles based on the elements listed in that paragraph)

Response: The paragraph has been updated as follows:

‘Measure the Adversary Profiles (AP) using the scales in Table 3: Adversary traits from Table 2 are scored on a semi-quantitative scale (1-5) based on historical data, threat intelligence, and crowd-sourced insights. These individual trait scores are aggregated into a composite AP score, which is then categorized using Table 3 thresholds (e.g., Very High = 96-100%, High = 80-95%). Adversaries with higher AP scores represent greater sophistication and require advanced social and technical measures, such as ethical training and cybersecurity exercises, while lower scores suggest basic awareness and secure behavior interventions are sufficient. This approach ensures targeted and proportional risk treatment.’

 

  • Line 387: "A small and medium healthcare enterprise" is either "small" or "medium". I suggest using the phrase "A SME healthcare enterprise (HSME)".

Response: This helpful adjustment has been made.

 

  • Lines 465-480: figure 4 does not show either the flow or the interactions between the components; I kindly suggest it be redesigned to clarify these elements

Response: Thank you for your valuable feedback. In response, we have updated Figure 4.

 

  • Line 487: please revise the wording: "The users that interact with the in our scenario are: 2 doctors, 2 patients, 1 nurses, ..."

Response: This helpful adjustment has been made.

 

  • Lines 557-564: in table 10, please give a more detailed explanation of how the respective values were included (for example: why skill level = 6? What does this value represent? Who assigns it? How do they assign it? You mentioned the use of various software, but for more clarity (because the article is about managing risks), please indicate who is going to make all these actions).

Response: The paragraph has been updated as follows:

‘More specifically, the values for Skill Level, Motive, Opportunity, and Size are assigned using the OWASP risk rating methodology. Skill Level is determined by IT security professionals based on the technical expertise needed for an attack. Motive reflects the high motivation for attackers, assessed by security analysts considering the value of patient data. Opportunity is based on the accessibility of vulnerabilities, evaluated by system administrators. Size represents the potential impact of the attack, assigned by risk management teams and senior leadership through collaborative assessment.’

 

  • Please consider the same detail requirement for tables 11, 12 and 13.

Response: Additional information has been included in the tables.

 

  • To explain in more detail (possibly with formula and values) how the HRM score was estimated for the presented scenario and what is the value obtained and where does it fit, taking into account the methodology presented at the beginning of the article.

Response: Additional information has been included.

 

  • The conclusions should state in more detail possible technical, managerial and educational implications, together with possible limitations and future research directions.

Response: The following additions/corrections have been made in the ‘Conclusions’ section:

‘From a technical perspective, the HRM methodology highlights the importance of integrating human-centric data into risk assessment tools, enabling a more comprehensive approach to mitigating risks. Managerially, organizations should focus on fostering a strong cybersecurity culture by implementing structured awareness programs and allocating resources to address human vulnerabilities. Educationally, this methodology underscores the value of continuous training initiatives tailored to the specific needs of employees, such as phishing recognition and secure data handling. However, the HRM methodology is not without limitations. The accuracy of adversary and user profile estimations depends heavily on the quality of available data and the reliability of socio-psychological evaluations. Furthermore, SMEs with limited resources may face challenges in implementing HRM comprehensively. Future research will focus on verifying the HRM methodology by conducting empirical studies in diverse SME sectors, evaluating its effectiveness in improving cybersecurity resilience. Additionally, pilot projects will be designed to assess the practicality and scalability of the proposed model in real-world settings. Refining socio-psychological profiling techniques, automating the integration of human element data into technical risk assessment tools, and exploring sector-specific adaptations of the HRM methodology will also be key directions for further work.’

Author Response File: Author Response.pdf
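The arithmetic behind the OWASP risk rating factors that the Table 10 response refers to (Skill Level, Motive, Opportunity, Size and the remaining likelihood and impact factors), as an added worked example that is not part of the paper, the review, or the author response. It implements the publicly documented OWASP Risk Rating Methodology: each factor scored 0-9, likelihood as the mean of the eight likelihood factors, impact as the mean of either the technical or the business impact group, each mean bucketed (below 3 LOW, 3 to below 6 MEDIUM, 6 and above HIGH) and combined in the OWASP severity matrix. The only input value taken from the page is skill level = 6; every other score in the sample is constructed for illustration.

```python
"""Worked OWASP Risk Rating arithmetic (added illustration, not the paper's own code)."""

# Factor groups as named in the OWASP Risk Rating Methodology; every factor is scored 0-9.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# OWASP overall severity matrix, keyed by (likelihood bucket, impact bucket).
SEVERITY = {
    ("LOW", "LOW"): "NOTE",      ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def bucket(score: float) -> str:
    """OWASP 0-9 scale: below 3 LOW, 3 to below 6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def group_mean(factors: dict, names: tuple) -> float:
    """Average one factor group, refusing missing factors or out-of-range scores."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for n in names:
        if not 0 <= factors[n] <= 9:
            raise ValueError(f"{n}={factors[n]} is outside the 0-9 OWASP scale")
    return sum(factors[n] for n in names) / len(names)


def likelihood(factors: dict) -> float:
    """Mean of all eight likelihood factors (threat agent + vulnerability)."""
    return group_mean(factors, THREAT_AGENT + VULNERABILITY)


def impact(factors: dict, use_business: bool) -> float:
    """OWASP uses the business impact group when it has been assessed, technical otherwise."""
    return group_mean(factors, BUSINESS_IMPACT if use_business else TECHNICAL_IMPACT)


def rate(factors: dict, use_business: bool = True) -> dict:
    """Likelihood, impact and the matrix severity for one threat scenario."""
    lik, imp = likelihood(factors), impact(factors, use_business)
    return {"likelihood": lik, "impact": imp, "severity": SEVERITY[(bucket(lik), bucket(imp))]}


# Constructed sample for a hypothetical healthcare SME scenario. Only skill_level=6 is
# taken from the page (Table 10); every other value is an assumed illustration.
SAMPLE = {
    "skill_level": 6, "motive": 9, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 5, "non_compliance": 5, "privacy_violation": 7,
}

if __name__ == "__main__":
    for use_business in (False, True):
        label = "business" if use_business else "technical"
        print(f"{label} impact:", rate(SAMPLE, use_business))
```

With the constructed sample the likelihood is 6.75 (HIGH) either way, but the technical impact group averages 6.5 (HIGH) while the business group averages 5.0 (MEDIUM), so the matrix yields CRITICAL on technical impact and HIGH on business impact. That is the reviewer's point in practice: the severity that comes out depends on who scored which group and which group the assessor chose, so a write-up has to record both.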

Reviewer 2 Report

Comments and Suggestions for Authors

The submitted article deals with Human-centric Risk Management (HRM) methodology. The topic of the paper is original and the methodology is proposed from existing ones with the addition of its own contribution. What would improve the clarity proposed in the article would be to not just refer to previous research by identifying the cited source, but at least simply describe the cited ones so that the "reader" does not have to trace the sources on the internet.

I noticed in the References that a lot of the sources are self-cited, but that's probably due to the authors referencing their previous research. As I said before, you need to add to the figures and tables whether they are citations or were created by the authors.

- the sources cited in line 56 are not listed in the References

- it would be appropriate to describe how other authors "view" the tool described in Chapter 1.2. HRM tools for estimating technical risks

- there is incorrect citation in lines 216, 221

- Mark figures and tables as your own work or indicate the cited source

- In Conclusion, the authors should describe whether the proposed model will be verified, or what further research will be done in the given area.

Author Response

  • What would improve the clarity proposed in the article would be to not just refer to previous research by identifying the cited source, but at least simply describe the cited ones so that the "reader" does not have to trace the sources on the internet.

Response: Thank you for your feedback. In response, this has now been corrected.

  • The sources cited in line 56 are not listed in the References

Response: The reference list is updated accordingly.

  • It would be appropriate to describe how other authors "view" the tool described in Chapter 1.2. HRM tools for estimating technical risks

Response:

While the comment suggests incorporating perspectives from other authors regarding the tools described in Chapter 1.2, the main focus of this article is on the practical application of HRM methodology in SMEs, specifically in healthcare organizations. The tools mentioned (ENISA RM Toolbox, OWASP Risk Assessment Calculator, MISP, and Cyberwatching) are presented as widely available open-source resources that are commonly used in cybersecurity risk management. The article is not intended to perform a detailed review of each tool's reception in the academic or professional community, but rather to explain how these tools can be utilized to assess and mitigate risks in the context of the HRM framework. Additionally, the scope of the article is aligned with offering practical guidance for SMEs rather than an exhaustive academic critique of the tools' effectiveness in broader contexts.

  • There is incorrect citation in lines 216, 221

Response: This has now been corrected.

  • Mark figures and tables as your own work or indicate the cited source

Response: This has now been corrected in the relevant sections.

  • In Conclusion, the authors should describe whether the proposed model will be verified, or what further research will be done in the given area.

Response: Please do see our response to Reviewer 1, comment number 10.

Author Response File: Author Response.pdf

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

Dear Authors,

Thank you for the opportunity to revise your updated manuscript. The current form is more coherent and is improving the understanding of your research.

Good luck with the publication of your manuscript!
