AIS Attacks and Failures: Who to Blame
ACC 564: Accounting Information Systems
12 August 2012

Abstract
This paper explores accounting information system attacks and failures and the party that is to blame. The paper will include the following requirements:
1. My position on whether the firm and its management team should or should not be held liable for losses sustained in a successful attack made on their AIS by outside sources. I will include two (2) facts to support my position.
2. Suggestions for who should pay for the losses incurred, to whom, and why.
3. My opinion regarding the role, if any, the federal government should have in deciding and enforcing remedies and punishment. I will include two (2) facts to support my opinion.
4. An evaluation of how AIS can contribute or not contribute to the losses.
This assignment will use technology and information resources to research issues in accounting information systems.

AIS Attacks and Failures: Who to Blame

Take a position on whether a firm and its management team should or should not be held liable for losses sustained in a successful attack made on their AIS by outside sources. Include two (2) facts to support your position.

Security controls are safety measures to avoid, counteract, or minimize security risks. The firm and management team are responsible for effectively implementing preventive, detective, and corrective controls in order to prevent an incident, identify one that is in progress, and limit the extent of the damage one causes. If adequate security controls are in place, then the firm and management team should not be held liable for losses sustained in a successful attack made on their Accounting Information System (AIS) by outside sources.
However, if a firm and its management team have not implemented an adequate security control system, then they should be held liable for losses sustained in a successful attack made on their AIS by outside sources. Access controls are essential for protecting the confidentiality, relevance, and reliability of data and information. One threat that could occur during the data collection process is for someone with an understanding of the company's computers and computer networks to "hack" into the computer system, employing a variety of techniques. A few of these techniques include password cracking, phishing, spreading a virus, social engineering, or denial-of-service attacks. Physical access controls, such as placing locks on doors or computers, are a preventive control intended to keep out an unauthorized intruder. Similar to physical access controls are application or logical access controls, such as user names and passwords, antivirus software, and firewalls, which are also used to protect data and information from unauthorized users.
A good example of both physical access and logical access intrusion is the court case United States v. Aaron Swartz. Aaron Swartz allegedly entered the wiring closet at MIT and downloaded information in order to conduct an academic study, with the use of a technique called "MAC address spoofing" (Lindsay, 2011). Potentially, the content downloaded could cost MIT several thousand dollars, should the thief choose to sell or distribute the information. Although physical and logical access controls are used by management to prevent an intrusion, no system is perfect.
There is always the threat that someone with a more advanced understanding of the computer network will successfully attack. The firm and management are responsible for implementing detective controls in order to identify and characterize the intrusion. These controls also provide evidence that the preventive controls are functioning as designed. Certain procedural controls, such as security awareness and training, sounding an alarm, running system checks, log monitoring, system audits, and file integrity checks, are some techniques for detecting an intrusion.
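To illustrate one of the detective controls named above, file integrity checking, the following Python script is an added example and is not part of the original paper. It records a baseline of SHA-256 hashes for the files in a directory and later reports which files were modified, removed, or added; the directory contents and the tampering events it uses are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file (relative path) under root to its current hash."""
    root = Path(root)
    return {
        str(path.relative_to(root)): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_against_baseline(root, baseline):
    """Compare the directory's current state with a stored baseline.

    Returns sorted lists of modified, missing, and newly added files, so a
    clean directory yields three empty lists.
    """
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: a small ledger directory, then a tampering event."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for an AIS data directory.
        (root / "ledger.csv").write_text("2012-08-01,1001,Sales,250.00\n")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")

        baseline = build_baseline(root)
        clean_report = verify_against_baseline(root, baseline)

        # Constructed tampering: a ledger amount changed, a config file removed,
        # and an unexpected file dropped into the directory.
        (root / "ledger.csv").write_text("2012-08-01,1001,Sales,2500.00\n")
        (root / "config.ini").unlink()
        (root / "unknown.bin").write_bytes(b"\x00\x01\x02")

        tampered_report = verify_against_baseline(root, baseline)
    return clean_report, tampered_report


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after tampering:", after)
```

In practice the baseline would be stored somewhere the monitored system cannot overwrite it, and the check would run on a schedule so that the report feeds the alarm and log-review procedures listed above.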
If the firm has not properly implemented detective controls, then the intruder can continue undetected, possibly costing the company and its customers millions. Once an intrusion has been detected, the firm and management should have in place a system of corrective controls to limit the extent of any damage caused by the intrusion, including recovering the organization to normal working status as efficiently as possible. Some corrective controls include backup data restoration, anti-virus software, operating system upgrades, server isolation, use of hot sites, and vulnerability mitigation. A lack of corrective controls could permanently shut down operations. Since no system is impervious to either internal or external attacks, due diligence by management in implementing appropriate security controls should limit the number of successful attacks on the system. Although the firm and management team should not be held liable for losses sustained in a successful attack made on their AIS by outside sources, the firm may ultimately be obligated, or feel obligated, to compensate customers for any losses.
Suggest who should pay for the losses incurred, to whom, and state why.

In the event of a successful attack on a company's AIS by outside sources, there are two main costs that the company will incur: recovery costs and reputational costs. Recovery costs include conducting an investigation, evaluating how the attack occurred, formulating a plan for system changes, implementing system changes, and other costs associated with bringing the company back to normal. Reputational costs include the public's perception of the company after the event. For instance, if a large company gets hacked and customer credit card information is stolen and charged, the public is inevitably going to blame the company. Although the company may not be at fault, it may provide compensation for losses in order to maintain or encourage a positive perception in the public mind. This example differentiates "who should pay" from "who will pay." An example of this is Trion Worlds, whose database was hacked in December 2011.
The company sent out a warning to customers about the hacking, encouraged customers to change their passwords, and allowed subscribers extra game play (LHStaff, 2011). If the company was negligent in designing and operating system controls, then the company should be liable for paying losses to both the company and the customers. Companies that collect customer information are obligated to keep this information private. By not implementing an adequate security system, the company is not employing appropriate business practices concerning the privacy of information. In December 2011, Stratfor Global Intelligence was hacked and information such as customer credit cards and client lists was stolen. It was noted that there was evidence that Stratfor lacked encryption mechanisms for the storage of confidential client information, which was part of the reason for the breach. According to the article, the entire settlement is expected to cost the company approximately $1.75 million (Paganinip, 2012). With the firm being held liable for losses incurred, this will set a precedent for other firms to implement and maintain appropriate controls.
Depending on the country and the industry, there may be regulatory standards that require the firm to carry certain insurance to mitigate the cost of security losses to both the company and the company's customers. If an investigation finds that the company has followed appropriate due diligence, the firm's insurance company may provide support for company losses.

Give your opinion regarding the role, if any, the federal government should have in deciding and enforcing remedies and punishment. Include two (2) facts to support your opinion.

It is my personal opinion that the federal government should play a limited role in placing regulations on companies. Limited government generally allows the market to produce more and better products at lower prices. However, I do believe that there are times when the federal government should regulate and enforce consequences on companies that are involved in a breach of customer information. The Federal Trade Commission (FTC) is a law enforcement agency that is charged with protecting consumers against firms that engage in unfair, deceptive, and fraudulent practices, all of which can potentially cause considerable harm to the consumer.
In the case where a firm is a victim of an attack on their AIS by outside sources, I do not consider this to be a cause that requires the involvement of the FTC, as this is not due to unfair, deceptive, or fraudulent practices. In an article published by KPMG, one of the top 4 accounting firms in the world, the majority of cyber crime incidents, particularly minor incidents, remain unsolved or are not investigated due to the lack of eForensic skills and expertise (KPMG, 2011).
One federal government agency that is intimately familiar with system breaches of large companies is the Federal Bureau of Investigation (FBI). The FBI is responsible for investigating cyber crime, as well as many other types of crime. Cyber crime is specific to areas such as computer intrusions, privacy/intellectual property theft, internet fraud, and identity theft. It is important that the federal government is involved with the investigation of the specialized criminals involved and enforcing the appropriate punishment.
In the case of cyber crime, this can take place both domestically and internationally, and involvement by the federal government, including the FBI, allows these boundaries to be crossed in order to apprehend the criminal. As stated above, the involvement of the federal government after a successful attack will also reinforce in cyber criminals a healthy fear of the seriousness of the crime. Allowing the federal government to impose heavy fines and jail time should confirm to the company the importance of implementing a strong internal control structure and be a deterrent to criminals.
Evaluate how AIS can contribute or not contribute to the losses.

Accounting information systems (AIS) record, report, and analyze business transactions and events for the firm and management. If the firm has not properly implemented corrective controls, such as maintaining backups and other data retrieval techniques, then a hacked accounting information system could be detrimental to the company, due to its electronic nature. Threats to AIS that are not prevented, detected, or corrected can destroy the relevance and reliability of financial information, and on a large scale.
However, with properly implemented system controls, the AIS could prevent or detect an intruder, allowing the company to quickly react and limit losses.
References
(1) Lindsay, Jay (July 19, 2011). General Format. Retrieved from http://www.huffingtonpost.com/2011/07/19/aaron-swartz-reddit-cofou_n_903573.html
(2) LHStaff (December 23, 2011). General Format. Retrieved from http://lorehound.com/news/trion-worlds-customer-database-hacked/
(3) Paganinip (June 29, 2012). General Format. Retrieved from