Towards the Design of a Collaborative Cybersecurity Networked Organisation: Identification and Prioritisation of Governance Needs and Objectives
Round 1
Reviewer 1 Report
This paper presents a study aimed to identify and prioritise network governance
issues. Authors identified 33 categories of governance issues and group them in
four tiers and priority level.
In addition, the author claims that the results of the study are currently used
to inform and orient the development of alternative models for governance of a
cybersecurity network and a set of criteria for their evaluation.
The paper study a very interesting area and it provides a very good
introduction and motivation. I really enjoyed reading it. The material and
methods sections seems to be based on 1) norms and regulations, 2) existing
networked organisations 3) academic publications 4) Interviews with
stakeholders. However I didn't find enough detail to corroborate of those
sources. How was interviewed? How relevant and representative are those that
were interviewed? Same applies for academic publications, etc.
Another major issue is that the paper is continuously using sentences like:
"Sixteen academic sources underline the importance of achieving cohesion.
Network cohesion builds on shared understanding and attitudes, negotiation
and agreement on rules of cooperation, planning and prediction process
shaped by negotiation, good level of alignment among the value systems of
the various members of the network, and other intangible elements, such as
reputation, friendship, interdependence, and trust."
and another example:
"Fourteen sources, or nearly a quarter of the ones under study, refer to the
need for longer-term view on collaboration.Some of the authors emphasise
prerequisites, such as having a common purpose, or coherence of the purposes
of collaborating partners, and shared goals."
The above paragraphs lacks of evidence. There is no enough detail to know and
double check the academic sources, which are those Sixteen? The whole paper is
written in a similar way.
Therefore, although part of this information can be found in the references
section, still a huge effort is required to find all those references and some
of them are nonexistent which prevents to replicate or validate both the
results and the discussion/conclusion section.
Other issues:
-------------
- Two of the 33 claimed categories are completely empty. Transparency and
Accountability and no justification is provided.
- Figures 2, 4 and 6 can be combined into one. Same for figures 1, 3 and 5.
This would help to quickly compare between academic literature, normative
documents and network organization while the individual values are still
visible.
- Try to avoid sentences like:
"A final draft list and a template in Excel format to present the analysis of
networked organisations were created as a result of these ‘crowdsourcing’
activities."
Author should point out the importance of using a specific way to store the
data and discuss its strength and weaknesses if appropriate.
- Discussion section should be renamed to Conclusions.
- Line 545, 555, 556 must be adjusted to the paragraph.
Author Response
In the attached response, the reviewer's comments and questions are in blue, and my response - in black.
Author Response File: 
Author Response.pdf
Reviewer 2 Report
1. In the abstract, you state: 'evolving from a Horizon 2020 project consortium'
you need to delete the references on your project form the abstract and throughout the article. This reference should be included in the acknowledgement.
2. This work is strongly related to EU. That is OK, but since this is an international journal and not a white paper, we need to see a comparison of some kind that would be applicable for the rest of the world. e.g. knowledge from EU perspectives, that can be applied to other regions of the world. I will make a few suggestions below on how you can address that easily, by comparing existing literate on this topic with your findings.
3. sub-sections 15 transparency, and 16 accountability, on pp.7 have been left out, you can either delete and reduce number of sub-sections, or add some text, but at present, it feel like there should be something there, but its missing.
4. from looking at your references and bibliography, it feel like most of your review has been on texts that are over 5 years old, and most of the recent texts come from web pages, although I have noticed that you have reviewed a few more recent articles, e.g. Accountability in the IoT: Systems, Law, and Ways Forward. Computer 2018. One quick and easy fix would be to include few of the top articles on your topic in the review and see how recent literature would relate to your findings. This would strengthen your article, improve chances of citations by relating your work with existing body of knowledge, and resolve the issues I mention in comment 2. I can suggest a few of the recent articles published in high ranking journals for you to consider reviewing and including in your list of references: on the difficulties of assessing cybersecurity: 'If you can't understand it, you can't properly assess it! The reality of assessing security risks in Internet of Things systems', on how to assess cyber risk: 'Future developments in cyber risk assessment for the internet of things', on how to standardise risk assessment: 'Future developments in standardisation of cyber risk in the Internet of Things (IoT)', and on the value vs risk of new technologies: 'Mapping the values of IoT'.
The corrections suggested should be overly extensive, maybe a few sentences, or a few paragraphs the most. Its not about blinking up more text, it's more about comparing your work, it would be very interesting to see how your findings compare with the existing literature mentioned above, on this subject. Since all of the articles I mention are funded by the EU projects, it would also help you in your future efforts of publishing good articles that emerge from specific project work, but are contributing to the improvement of the global body of knowledge.
The above comments would enhance your work by showing that you are aware of relevant and recent literature on related topics. There is too much disassociation in new literature, where authors keep coming up with new methods and models, that are disassociated with the existing models and do not explain even in one sentence how their work is related to the vast amount of similar methods/models in existing new literature. The comments above would help you eliminate such criticism and would contribute to existing knowledge by showing that your work is relevant to a wider aspect of issues that are current discussed in this field. This would also make your findings more citable, because researchers would be able to find the relationship between your work and existing knowledge on this and related topics.
Author Response
In the attached response, the reviewer's comments and questions are in blue, and my response - in black.
Author Response File: Author Response.pdf
Round 2
Reviewer 1 Report
The paper has been updated but references to the sixteen academic sources and
the 92 analyzed networks are still not included in the manuscript. Those should
be added in the annex and referenced in the text to help readers to understand
from were those numbers are coming.
The x and y axis of the figures should have a label
Author Response
** The paper has been updated but references to the sixteen academic sources and the 92 analyzed networks are still not included in the manuscript. Those should be added in the annex and referenced in the text to help readers to understand from were those numbers are coming. **
Both lists are provided as Supplementary material.
** The x and y axis of the figures should have a label **
I tried to add descriptions to the axes, bu the charts become too heavy. Therefore, I changed the captions to make more clear what is their meaning.
