Article
Peer-Review Record

Trends and Challenges Regarding Cyber Risk Mitigation by CISOs—A Systematic Literature and Experts’ Opinion Review Based on Text Analytics

Sustainability 2022, 14(3), 1311; https://doi.org/10.3390/su14031311
by Moti Zwilling
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Submission received: 4 January 2022 / Revised: 19 January 2022 / Accepted: 21 January 2022 / Published: 24 January 2022

Round 1

Reviewer 1 Report

As a starting point in the evaluation of this paper, it is important to begin by highlighting two points: the theme addressed in this article is of high importance and relevance, especially given the situation experienced in recent years with the COVID-19 pandemic. Although the problem addressed is related to sustainability, I have some doubts as to whether it fits properly into the types of sustainability covered by this Journal. I leave that assessment to the editors.

Although the acronym CISO is known, when it appears for the first time in the text it should appear in full followed by the respective acronym in parentheses: Chief Information Security Officer (CISO).

The paper is well written, with a clear and objective language and a logical structure. The objectives of the study are also clear as well as the proposed methodologies.

Regarding the methodologies, the study analyses scientific articles and expert opinion columns. The author explains in detail the differences in content between these two types of sources. However, since this is a scientific study, it is important that the author presents the safeguards and limitations of the source related to expert opinion columns, since it is a type of content and analysis that is not necessarily scientific, having a tendency toward greater subjectivity and partiality. By this I do not intend to state that it is not a legitimate source (which it is), but it is important that the author clarifies these limitations, distinguishing what was and was not considered in this analysis.

On page 31, the author writes:
"In general, the results show that both the scientific literature and the experts’ attitude toward CISOs indicate that companies do not tend to invest in the latter’s skills and training above a certain amount of money."
If possible, it would be important if the author could clarify what this value is (an approximate average value).

Author Response

Dear Reviewer, Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 2 Report

The aim of this study is to investigate the relationship between the CISOs’ level of cyber security-related preparation to mitigate cyber threats and the recent evolution of cyber threats. Hereafter, you can find my comments line-by-line:

Line 51] “Black Hackers” should be “Black-Hat Hackers”.
Line 83] In relation to "Legacy software", you should also consider that they are missing patches for recently found vulnerabilities.
Line 87] Not only in SCADA. Lack of encryption and "authentication" makes life easier for hackers also in the IT domain (e.g., Man-In-The-Middle attacks).
Section 1.1] You missed "Phishing Attacks".
Line 157] What do you mean by "number of total publications"? Is it related to the author or to the journal?
Table 2] What do you mean by "SQL"? What do you mean by "Bypass"?
Line 219] Java or JavaScript?
Figure 1] Please provide an explanation for Figure 1. It is not clear to the reader.
Line 236] Java or JavaScript?
Line 289] Java or JavaScript?
Line 294] Please provide an explanation of "specificity score", not only as a note at line 320.

I believe the paper is globally good, but I still have one main concern. The data analysis approach seems a bit unclear and fragmented over the sections. I would like to see a single block diagram summarizing the analysis approach, starting from the scientific papers and public articles up to the statistics calculation.

Author Response

Dear Reviewer, Please see the attachment.

Author Response File: Author Response.pdf
