Peer-Review Record

Protecting Small and Medium Enterprises: A Specialized Cybersecurity Risk Assessment Framework and Tool

Electronics 2024, 13(19), 3910; https://doi.org/10.3390/electronics13193910
by Mohammed El-Hajj *,† and Zuhayr Aamir Mirza †
Reviewer 1: Anonymous
Submission received: 22 August 2024 / Revised: 30 September 2024 / Accepted: 1 October 2024 / Published: 2 October 2024
(This article belongs to the Special Issue Research in Secure IoT-Edge-Cloud Computing Continuum)

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The objective of the authors is to create an effective cybersecurity risk assessment framework specifically for Small and Medium Enterprises (SMEs). The authors first identified common threats and vulnerabilities and categorized them according to their importance. Then, they analyzed popular frameworks such as the NIST CSF and ISO 27001/2 to identify relevant areas for SMEs. Finally, they explored and incorporated novel techniques tailored to SMEs in order to create an effective framework. The framework was also developed as a tool, providing an interactive and dynamic environment.

The authors should explicitly highlight the contributions of the paper in comparison to existing frameworks and explore additional related work.

The framework should be tested with a diverse range of SMEs to evaluate its clarity, scope, and practicality, considering varying employee skills in cybersecurity.

Multiple URL-based classification algorithms have been proposed in the literature; it is interesting to highlight the specific contribution of this paper.

The threat model is limited to malware and phishing. It is unclear how the framework will address more advanced threats.

Author Response

Reviewer 1

Reviewer Comments: The objective of the authors is to create an effective cybersecurity risk assessment framework specifically for Small and Medium Enterprises (SMEs). The authors first identified common threats and vulnerabilities and categorized them according to their importance. Then, they analyzed popular frameworks such as the NIST CSF and ISO 27001/2 to identify relevant areas for SMEs. Finally, they explored and incorporated novel techniques tailored to SMEs in order to create an effective framework. The framework was also developed as a tool, providing an interactive and dynamic environment.

Reviewer Comments: The authors should explicitly highlight the contributions of the paper in comparison to existing frameworks and explore additional related work.

Our Answer: We would like to sincerely thank the reviewer for their valuable comments and suggestions. In response to the feedback, we have expanded the introduction to explicitly highlight the contributions of our paper in comparison to existing frameworks. Specifically, we have elaborated on the comparative analysis of the NIST CSF and ISO 27001/2 frameworks, emphasizing their applicability to SMEs. Additionally, we have included further discussion on related work in the field of SME cybersecurity and the novel techniques incorporated into our framework. These revisions aim to clarify our contributions and provide a broader context for our research. Thank you again for your constructive feedback, which has helped us improve the clarity and depth of our paper.

Reviewer Comments: The framework should be tested with a diverse range of SMEs to evaluate its clarity, scope, and practicality, considering varying employee skills in cybersecurity.

Our Answer: We thank the reviewer for their valuable feedback. The quantitative assessment of the framework through a pilot assessment for SMEs has been discussed in a separate section (7.5).

Reviewer Comments: Multiple URL-based classification algorithms have been proposed in the literature; it is interesting to highlight the specific contribution of this paper.

Our Answer: We would like to thank the reviewer for their insightful comment. In response, we have extended the section on the URL classifier to highlight the specific contributions of our approach compared to existing URL-based classification algorithms. We have added details about the unique aspects of our model, such as its novel feature set, superior accuracy, and practical user interface. We hope these additions address the reviewer's concerns and provide a clearer understanding of the contributions of our work. Thank you again for your valuable feedback.

Reviewer Comments: The threat model is limited to malware and phishing. It is unclear how the framework will address more advanced threats.

Our Answer: We thank the reviewer for their valuable feedback. Indeed, the threat model is limited to malware and phishing for the scope of this research. In section 9 (Limitations and Future Work), it is discussed that the research focused on the top three threats, and that extensions would have to be made to the framework to allow it to address more advanced threats.

Author Response File: Author Response.pdf

Reviewer 2 Report

Comments and Suggestions for Authors

The topic is relevant, and the technical aspect of this study is quite interesting. However, the scientific component has some important vulnerabilities. Some methodological steps are not properly explained.

Improvement suggestions:

1. Authors note “around 62% of Australian small and medium enterprises (SMEs) being victims of cybercrimes”. However, the impact of cyberattacks in these companies is not addressed.

2. It is stated “However, several cybersecurity frameworks…” The word “however” is not correctly employed. Authors can delete the “however” word and the rest of the sentence remains correct.

3. Authors note that NIST Cybersecurity Framework, ISO27001/2, Essential Eight, and PCI-DSS frameworks are excessively complex. Why are they complex?

4. Authors note that “Moreover, there are numerous threats to SMEs which can be categorized as physical, psychological, and technical.” Are these kinds of threats different for large organizations?

5. The research gap is not explored enough. There are recent similar studies, published in 2023 and 2024, that the authors have not explored, such as:

https://www.preprints.org/manuscript/202408.1691/v1

https://onlinelibrary.wiley.com/doi/full/10.1111/risa.14092

https://malque.pub/ojs/index.php/mr/article/view/3887

https://www.emerald.com/insight/content/doi/10.1108/978-1-83753-190-520231007/full/html?skipTracking=true

6. I would like to have more insights regarding security frameworks. Only looking at benefits and disadvantages is not enough. It is important to briefly present their focus and key components.

7. Table 2 can be more complete if the authors explore other frameworks such as: CIS Controls (Center for Internet Security Controls), COBIT (Control Objectives for Information and Related Technologies), and ISO/IEC 27701.

8. Why is Figure 1 relevant?!?

9. SMEs are currently using cloud services, which also raise cybersecurity issues. However, this point was not explored by the authors.

10. Who performed the SWOT analysis presented in Table 3: the researchers or the external expert?

11. How did you choose the external expert? It is noted “Upon consultation with an individual with experience in the cybersecurity field…” This kind of observation lacks scientific rigor.

12. How many employees participated in the usability tests? How are they chosen?

13. Flask is a micro web framework. However, this concept was not presented and its usefulness for developing the tool is not justified.

14. Authors state “Figure 4 shows that the model has a reliable performance across different categories, meaning that it can be used by SMEs.” I have not seen this kind of information in Figure 4.

15. Authors note “Future work can be done to develop more quantitative feedback…” I also realize that getting more qualitative feedback from SME owners and leaders could be relevant.

16. A better connection between the role of framework and tool should be established.

17. Scientific exploration of the topic needs to be improved. Number of references can be increased.

Author Response

Reviewer 2

The topic is relevant, and the technical aspect of this study is quite interesting. However, the scientific component has some important vulnerabilities. Some methodological steps are not properly explained.

Improvement suggestions:

1. Authors note “around 62% of Australian small and medium enterprises (SMEs) being victims of cybercrimes”. However, the impact of cyberattacks in these companies is not addressed.

We appreciate the reviewer’s valuable feedback regarding the impact of cyberattacks on SMEs. In response, we have expanded the introduction to provide a more detailed discussion of the severe consequences that SMEs face as a result of cyberattacks. This includes the significant financial costs, operational disruptions, and reputational damage that can adversely affect SMEs. We have included specific data on the financial impact, operational challenges, and long-term reputational effects to offer a comprehensive view of the risks SMEs encounter. We hope this detailed expansion addresses the reviewer’s concerns effectively. Thank you for your insightful input.

2. It is stated “However, several cybersecurity frameworks…” The word “however” is not correctly employed. Authors can delete the “however” word and the rest of the sentence remains correct.

We have removed the word “however” as suggested by the reviewer. Thank you for pointing this out.

3. Authors note that NIST Cybersecurity Framework, ISO27001/2, Essential Eight, and PCI-DSS frameworks are excessively complex. Why are they complex?

Thank you for your comment. We explained what we mean by complex to be implemented by SMEs; refer to page 2 in the introduction section.

4. Authors note that “Moreover, there are numerous threats to SMEs which can be categorized as physical, psychological, and technical.” Are these kinds of threats different for large organizations?

We have addressed the reviewer’s comment by extending the discussion to clarify that the threats categorized as physical, psychological, and technical are not unique to SMEs but are also faced by large organizations. We have noted that while the types of threats are similar, the scale and impact may differ due to varying levels of resources and security measures between SMEs and large organizations. Thank you for your valuable feedback.

5. The research gap is not explored enough. There are recent similar studies, published in 2023 and 2024, that the authors have not explored, such as:

https://www.preprints.org/manuscript/202408.1691/v1

https://onlinelibrary.wiley.com/doi/full/10.1111/risa.14092

https://malque.pub/ojs/index.php/mr/article/view/3887

https://www.emerald.com/insight/content/doi/10.1108/978-1-83753-190-520231007/full/html?skipTracking=true

Thank you for your insightful suggestion. We have reviewed and included all the recommended studies to address the research gap, with the exception of the preprint, which is our own work. These additions help to strengthen our analysis and provide a broader context for our findings.

6. I would like to have more insights regarding security frameworks. Only looking at benefits and disadvantages is not enough. It is important to briefly present their focus and key components.

Thank you for your valuable feedback. In response to your comment on security frameworks, we have expanded our discussion to include a brief overview of their focus and key components, as well as their benefits and disadvantages, providing a more comprehensive perspective.

Additionally, Table 2 has been updated to incorporate more frameworks, including CIS Controls (Center for Internet Security Controls), COBIT (Control Objectives for Information and Related Technologies), and ISO/IEC 27701. We have also added more attributes to the table, such as Advantages, Disadvantages, Focus, and Key Components, to offer a more detailed comparison.

7. Table 2 can be more complete if the authors explore other frameworks such as: CIS Controls (Center for Internet Security Controls), COBIT (Control Objectives for Information and Related Technologies), and ISO/IEC 27701.

Thank you for your valuable feedback. In response to your comment on security frameworks, we have expanded our discussion to include a brief overview of their focus and key components, as well as their benefits and disadvantages, providing a more comprehensive perspective.

Additionally, Table 2 has been updated to incorporate more frameworks, including CIS Controls (Center for Internet Security Controls), COBIT (Control Objectives for Information and Related Technologies), and ISO/IEC 27701. We have also added more attributes to the table, such as Advantages, Disadvantages, Focus, and Key Components, to offer a more detailed comparison.

8. Why is Figure 1 relevant?!?

Figure 1 illustrates how to use the framework and tools effectively, as well as provides basic cybersecurity tips and training for employees. This is relevant as it supports the practical implementation and understanding of the framework discussed in the paper. Thank you for your question.

9. SMEs are currently using cloud services, which also raise cybersecurity issues. However, this point was not explored by the authors.

We appreciate the reviewer’s feedback regarding the use of cloud services by SMEs and the associated cybersecurity issues. In response, we have extended the section on common threats and vulnerabilities to include the specific challenges related to cloud services. We have discussed the security issues introduced by cloud adoption, such as data exposure, misconfigurations, and third-party risks. We hope this addition addresses the reviewer's concern and provides a more comprehensive overview of the cybersecurity landscape for SMEs. Thank you for your valuable input. In section 3.1.

10. Who performed the SWOT analysis presented in Table 3: the researchers or the external expert?

Thank you again for pointing out this issue. We have added a sentence clearly mentioning that the SWOT analysis was conducted by us, page 16.

11. How did you choose the external expert? It is noted “Upon consultation with an individual with experience in the cybersecurity field…” This kind of observation lacks scientific rigor.

Regarding the selection of the external expert, your observation is noted. The phrase 'Upon consultation with an individual with experience in the cybersecurity field' has been revised to ensure greater scientific rigor in the selection process. Additionally, updated data has been included in Section 7.3 (page 16) to enhance the accuracy and reliability of the analysis.

12. How many employees participated in the usability tests? How are they chosen?

We thank the reviewer for their valuable feedback. Around 10 employees participated in the usability tests and they were chosen at random. Ethical clearance was also granted by the home institution. Clarification has been added in the corresponding section.

13. Flask is a micro web framework. However, this concept was not presented and its usefulness for developing the tool is not justified.

We appreciate the reviewer’s comment regarding the use of Flask. We have extended the discussion to explain that Flask, as a micro web framework, was chosen for its simplicity and flexibility, which are beneficial for integrating the pre-trained model and developing the tool. We also addressed how the tool and model will need to be adjusted based on the specific needs and dataset of the SME. Additionally, we explained the focus on phishing as a strategic approach to enhance overall security. Thank you for your valuable feedback.

14. Authors state “Figure 4 shows that the model has a reliable performance across different categories, meaning that it can be used by SMEs.” I have not seen this kind of information in Figure 4.

We would like to thank the reviewer for pointing out the need for further clarification regarding our statement on Figure 4. We have revised the explanation to provide a more detailed analysis of how the model’s performance metrics demonstrate its reliability across different categories and its applicability for Small and Medium-sized Enterprises (SMEs).

In particular, Figure 4 presents the precision, recall, and F1-scores for four categories: benign, phishing, defacement, and malware. The model achieves consistently high precision (0.96 to 1), recall (0.97 to 1), and F1-scores (0.97 to 0.99) across all categories. These metrics indicate that the model is highly effective at identifying relevant threats with minimal false positives (high precision), while also ensuring that actual threats are rarely missed (high recall). The balanced F1-scores further emphasize the model's robust performance in distinguishing between benign and harmful categories.

These performance metrics demonstrate that the model is well-suited for SMEs, as they suggest that it can be relied upon to handle a variety of cyber threats without requiring extensive resources or fine-tuning. We have included this detailed reasoning in the text to address the reviewer’s concern and provide clearer justification for the model’s applicability in the context of SMEs.

15. Authors note “Future work can be done to develop more quantitative feedback…” I also realize that getting more qualitative feedback from SME owners and leaders could be relevant.

We appreciate the reviewer’s suggestion to include qualitative feedback in future work. We have integrated this feedback into the future work section, highlighting the importance of obtaining qualitative insights from SME owners and leaders, in addition to quantitative metrics. This approach will help in understanding practical challenges and user experiences, ensuring a more comprehensive evaluation of the tool and framework. Thank you for your valuable recommendation.

16. A better connection between the role of framework and tool should be established.

Thank you for your valuable comment. To address this, a brief connection has been made between the framework developed and the tools used in its creation. This ensures a clearer understanding of the role each tool played in the development process.

17. Scientific exploration of the topic needs to be improved. Number of references can be increased.

We appreciate the reviewer’s feedback. We have extended the related work section and added more references throughout the text to enhance the scientific exploration of the topic. These additions reflect the expanded discussion and underscore the relevance and value of the new content. Thank you for your insightful suggestion.

Author Response File: Author Response.pdf

Reviewer 3 Report

Comments and Suggestions for Authors

Thank you for the manuscript.

Kindly see my review in the attached PDF.

 

Comments for author File: Comments.pdf

Comments on the Quality of English Language

The English language and grammar are fine.

 

Author Response

Reviewer 3

The article addresses the creation of a cybersecurity risk assessment framework for SMEs. Common threats and vulnerabilities were identified. The case was made that traditional frameworks catering to large companies are too complex and don’t scale well for smaller enterprises like SMEs. The advantages and disadvantages of the popular frameworks, notably NIST CSF and ISO 27001/2, were identified. A new framework for SMEs was subsequently developed, and snippets of the framework (e.g. Figure 1 and Figure 2) were shown and briefly discussed. The framework was implemented as a running system. The framework's user experience (UX – usability) was tested among stakeholders, and its corresponding advantages and disadvantages were noted. Participants found the technical language and lack of depth challenging.

I have the following feedback on the manuscript.

 

Section 2.2: The research questions are wordy and many for a manuscript this length. Also, make sure you return to each of these at the appropriate place and consider to what extent you have answered each one.

We appreciate the reviewer’s feedback regarding the number of research questions. To streamline the manuscript and focus more concisely, we have consolidated the research questions into three key questions that address the main aspects of the study. This revision helps in maintaining clarity and relevance throughout the manuscript. Thank you for your constructive suggestion. We appreciate the reviewer's suggestion to ensure that each research question is addressed appropriately. In response, we have added a new subsection titled "Addressing Research Questions" that explicitly connects each research question to the relevant sections of the manuscript. This subsection reviews how our findings align with and answer each research question, providing clarity on the contributions of our research. Thank you for your constructive feedback, which has helped improve the clarity and completeness of our work.

 

Section 3.1.1 concerns employee attitudes, but Table 1 indicates different categories of challenges. Consequently, the contents of Table 1 should be discussed and linked to employee attitudes, which is what that section is about.

We appreciate your insightful comment regarding the alignment between Section 3.1.1 and the contents of Table 1. To address this, we have introduced a new Section 3.1.2 that specifically discusses the categories of challenges presented in Table 1 and their connection to employee attitudes. This addition ensures a clearer linkage between the table and the section's focus. Thank you for your valuable feedback.

 

Section 3.2. Review of Popular Frameworks should be fleshed out. Amongst others, these frameworks should be shown (diagrams, tables, etc.) so the reader can see what they look like. Then, the authors of this article should conduct their own, first-hand analyses of these structures instead of simply relying on what others have said about the frameworks. In the same way, Section 3.3 should be fleshed out, and the new information in Section 3.2 should be used to provide a more thorough justification for answering RQ1 and RQ2. To some extent, these comments apply to Section 4.1 as well.

We thank the reviewer for their valuable feedback. The frameworks have been described in more detail in both the text and the table. This allows for a broader visualization of the similarities and differences between each framework. Their unique focuses and key components can also be observed.

 

Picking up on the previous comment (point [3]), how do the frameworks in Section 4.2 link with those mentioned in Section 3.2, Section 3.3, and Section 4.1? The links among the discussions of these frameworks should be added. This would also strengthen the justification for RQ3 being answered in Section 4.2.

We thank the reviewer for their feedback. The frameworks in section 3.2 exist to provide background information about popular frameworks that are used in the market. Brief descriptions of them are provided for context and to show how they do not completely cater to SMEs. Section 3.3 provides an overview of the key findings of the section, in terms of SME vulnerabilities and popular frameworks. Finally, section 4.1 has been updated to provide a clear link between the three sections.

 

Section 5, Figure 1: Who developed this figure? If not the authors, give a reference.

Figure 1 illustrates how to use the framework and tools effectively, as well as provides basic cybersecurity tips and training for employees. This is relevant as it supports the practical implementation and understanding of the framework discussed in the paper. Thank you for your question. It is developed by us, showing our framework.

 

Line 212: “Secondly”. Where is the first part (“Firstly”)? Also, the discussions in these two paragraphs mention aspects I don't see in the Figure 1 framework, e.g., GDPR, legal aspects, MCA, etc. Make sure the discussions map onto what is in Figure 1. Or are you already referring to Figure 2? These uncertainties should be clarified/addressed. See also the use of MCA in line 255.

Thank you for pointing out the confusion in the text. We acknowledge that the reference should be to Figure 2 and not Figure 1 in the discussion regarding GDPR, legal aspects, and MCA. The necessary correction has been made, and the flow of the argument has been clarified. Furthermore, we have removed "Secondly" to ensure consistency and proper structuring.

 

Line 241: You mention the CIA in the Figure 2 framework, but where are the specific components of CIA in Figure 2?

Thank you for pointing out the issue related to the CIA concept and how it is included within Figure 2. Please note that we have added 2 sentences mentioning clearly where CIA is integrated inside Figure 2; please refer to page 10 of the updated manuscript.

 

Section 5.4. Threat Classification: The naming of this grouping is rather high level. Instead, you should more explicitly refer to the naming of the components in the framework, the same way you discussed the Business level and its two subdivisions, i.e., much more discussion of the Figure 2 framework by explicitly referring to the framework's components should be conducted.

Thank you for your feedback. We have updated the terminology in Section 5.4 to "Threat-based Risk Assessment" to better reflect the terminology used in Figure 2. This change ensures consistency in the naming conventions and enhances the clarity of our discussion on the framework's components. We have also provided a more detailed discussion of Figure 2 and its components to explicitly align with the updated terminology.

 

Your numbered list 1 – 11, pages 9 – 10: Did you synthesise these entries yourself, or is this a standard list in the extant literature? This should be explained. It seems to me that several references should be added to justify the selection of the individual items in this list.

We thank the reviewer for their valuable feedback. A mixture of both techniques was used for the URL classification feature selection. Clarification has been added in the corresponding section. 

 

Section 7.2: I like the idea of using a SWOT analysis to evaluate the utility of an artefact.

Thank you for your positive feedback on the use of the SWOT analysis in Section 7.2. We appreciate your recognition of this approach and believe it provides valuable insights into the utility of the artefact. Your input is greatly valued.

 

Line 391 – 392: “Upon consultation with an individual with experience in the cybersecurity field, the following evaluation of the framework was made.” Question: Did you formally survey this individual? If so, did you have ethical clearance from your home institution to do so?

Regarding the selection of the external expert, your observation is noted. The phrase 'Upon consultation with an individual with experience in the cybersecurity field' has been revised to ensure greater scientific rigor in the selection process. Additionally, updated data has been included in Section 7.3 (page 16) to enhance the accuracy and reliability of the analysis.

 

Section 7.4. Usability Testing: Which framework did you show the participants to “read”? Was it Figure 2? If so, how would they be able to evaluate its usability (UX) sensibly? Presumably, they also ran the software? So, what is it they were “reading”? This must be thoroughly explained.

We thank the reviewer for their feedback. The participants were reading the framework shown in Figure 1, the framework itself. They tried the software with different links to see how it was working. This has been made more clear within the section.

 

Section 7.5. Proposed Pilot Assessment: As I understand, this is, in fact, future work, so I suggest you move this section into your Future Work section?

We appreciate your feedback and have integrated the suggestions into the revised Future Work section. We acknowledge the need for more quantitative feedback to measure the effectiveness of the framework and tool. To address this, we have included a proposal for a pilot assessment that will be conducted over 6-8 months. This pilot assessment will involve SMEs from various industries, ensuring a diverse dataset that can provide valuable quantitative data on the framework’s performance.

 

Additionally, we have recognized the importance of obtaining qualitative feedback from SME owners and leaders. Such feedback will help us understand the practical challenges and user experiences associated with the tool, offering deeper insights that quantitative measures alone might not capture. We plan to conduct detailed interviews and surveys with SME stakeholders to gather this valuable information.

 

These additions aim to enhance the robustness of the framework by incorporating both quantitative and qualitative evaluations, thus improving its overall effectiveness and usability.

Lines 513 – 515: “How[-]ever, with the large number of frameworks available that may possess better techniques for certain threats, emphasizing a need for periodic review.” This seems to be not a full sentence. Verb missing.

Thank you for your valuable feedback. We have revised the sentence to include the missing verb, ensuring clarity in our discussion of the need for periodic review of cybersecurity frameworks. The updated sentence now reads: 

"However, with the large number of frameworks available that may possess better techniques for certain threats, there is an emphasis on the need for periodic review."

We appreciate your attention to this detail and believe this revision enhances the readability and accuracy of our manuscript. 

 

NB General: The case is made that current frameworks are too complex for smaller companies like SMEs to use, and complexity and financial constraints are cited as reasons. However, I would like to see a better motivation for this. I suggest you look at the characteristics of SMEs, and then map these SME needs onto where the larger frameworks fall short. This ties up with point [3] above.

Thank you for your comment. We explained what we mean by complex to be implemented by SMEs; refer to page 2 in the introduction section.

 

Lines 46-47: “A survey conducted by Heikkila et al. (2016)”. Add the square bracket notation to cite this one. I noticed several other occurrences of this. Please check each APA/Harvard-like citation in the manuscript.

Thank you for pointing out the issue with the citation format. We have corrected the citation for "Heikkila et al. (2016)" and ensured that the square bracket notation is applied where necessary. We have also reviewed the entire manuscript and adjusted all APA/Harvard-like citations to meet the required format. 

 

We appreciate your attention to detail and believe these corrections improve the overall quality of the manuscript.

 

Line 101: Replace “useless” with a more academic word.

Thank you for your valuable feedback. We have revised the term "useless" to "compromised" in Line 101 to better reflect the academic tone of the manuscript. We appreciate your suggestion and believe this change enhances the clarity and precision of the text.

 

We are grateful for your attention to detail.

 

Line 110: Replace “massive” with (e.g.) major.

Thank you for your insightful comments. I have addressed the points you raised:

 

Line 101: The term "useless" has been replaced with a more academic word.

Line 110: "Massive" has been replaced with "major."

Line 355: Corrected to "an ML model."

Line 368: Replaced the term "report" with "article."

Line 564: Clarified that some terms listed are acronyms, not just abbreviations.

I appreciate your attention to detail and valuable feedback.

 

Line 355: “a[n] ML”

 

 

Line 368: You are writing an article, not a “report”.

 

 

Line 564: Some terms listed are not abbreviations but acronyms, e.g. ML – Machine Learning.

Author Response File: Author Response.pdf

Round 2

Reviewer 2 Report

Comments and Suggestions for Authors

I recommend some improvements in Table 1. The link between common types of attacks and the SME vulnerabilities is not clear. Also, it is crucial to support each sentence in the literature. Several references are missing.

Furthermore, abbreviations should be alphabetically ordered.  

Author Response

Reviewer 1

Reviewer Comments: I recommend some improvements in Table 1. The link between common types of attacks and the SME vulnerabilities is not clear. Also, it is crucial to support each sentence in the literature. Several references are missing.

Our Answer: We appreciate your valuable feedback regarding Table \ref{Vulnerabilities}. We have taken your suggestions into account and revised the table to clarify the link between the common types of attacks and the SME vulnerabilities. Additionally, we have added more references to support the statements in the text. Thank you for pointing this out, and we hope the changes address your concerns.

Reviewer Comments: Furthermore, abbreviations should be alphabetically ordered.

Our Answer: Thank you for your valuable feedback. The abbreviations have now been reordered alphabetically as per your suggestion. We appreciate your attention to detail, and we have ensured that the entire list follows the correct order.

Changes made: The abbreviations in Section X have been rearranged from A-Z to improve clarity and readability.

Author Response File: Author Response.pdf

Reviewer 3 Report

Comments and Suggestions for Authors

Thank you for the revised manuscript.

The authors have comprehensively addressed my feedback.

I just found that the light yellow text for the text that has been added is very hard to read. So, going forward, please keep this in mind.

 

Comments on the Quality of English Language

The English language and grammar are fine.

 

Author Response

Reviewer 2

Thank you for the revised manuscript.

The authors have comprehensively addressed my feedback.

I just found that the light yellow text for the text that has been added is very hard to read. So, going forward, please keep this in mind.

Thank you for your positive feedback and for taking the time to review our revised manuscript.

We sincerely apologize for the inconvenience caused by the light yellow text. We were obliged to use the \texttt{textcolor} command in some cases because the \texttt{\hl} command was not functioning properly in LaTeX. However, as per your suggestion, we have now removed all highlights and colored text to ensure better readability.

We appreciate your understanding and thank you again for your thorough review.

Author Response File: Author Response.pdf
