This paper examines the intersection of accounting and information security, arguing that these traditionally separate organizational functions are deeply interdependent. Drawing on survey data from Paladin Technologies and established risk analysis methodologies, the paper demonstrates how accounting principles, including asset valuation, depreciation, present value calculation, and cost-benefit analysis, can be applied to quantify the financial impact of security threats. Using a hypothetical company, XYZ Corporation, as an illustrative case, the paper walks through annual loss expectancy (ALE) calculations, asset categorization, threat and vulnerability identification, and the prioritization of countermeasures. It concludes that the combined expertise of accounting and IT departments offers organizations a powerful framework for justifying and directing security investments.
In a report issued by Paladin Technologies, Inc., entitled "Security Metrics: Providing Cost Justification for Security Projects," 273 organizations were surveyed on the topic of security. The report illustrates in quantifiable terms the depth and reach of intrusion detection on the financial viability of organizations. The combined reported losses from the firms surveyed totaled $265.6 million in 1999. The highest loss categories were theft of intellectual capital, financial fraud, and sabotage.
The average annual financial loss of firms surveyed was estimated at $40 million. Forty-three percent of respondents were able to quantify financial losses, and seventy-four percent were able to acknowledge financial loss. Ninety percent detected cyber attacks within the most recent twelve-month period, and seventy percent reported serious breaches other than viruses, laptop theft, and employee abuse of network privileges. In a related survey of 643 security professionals regarding the types of attacks they had identified or encountered:
To view these statistics in context, among those surveyed, 93% maintained websites. Of those: 64% reported website vandalism; 43% conducted e-commerce, of whom 60% reported denial of service incidents; 19% suffered unauthorized access or misuse in the last twelve months; 32% did not know whether unauthorized access or misuse had occurred; 35% acknowledged more than one incident; 19% reported more than ten incidents; 8% reported theft of transaction information; and 3% reported financial fraud.
Losses of a financial nature are most likely to be immediately recognized by the accounting function. For public companies, direct fluctuations in stock price, financial fraud, declines in profitability, and increases in expense levels will command the attention of accounting staff. In addition, unauthorized access to sensitive financial data, such as executive compensation levels, profit margins, and financial forecasts, could be disastrous to the reputation of an organization.
Intrusion detection addresses several classes of threats to information security, each with its own types of ramifications. Among them are the following.
Disclosure (snooping, i.e., passive wiretapping and monitoring of communications) can result in the release of private information to various public sectors. An early release of financial results, real or false, could cause stock prices to plummet. Depending on the situation, if released figures fall short of previously published forecasts, investors may withdraw funds, consumers may not invest in the company's stock, and product sales could even be affected.
Modification, an example of active wiretapping in which the attacker injects something into a communication or modifies parts of it (sometimes called alteration), can have many adverse ramifications for a company. Internal communications can contain information regarding trade secrets, product secrets, competitive intelligence, strategy and tactics, marketing plans, production plans, and more. If this information is leaked to competitors or consumers, it can alter sales dramatically and have a lasting, irreversible impact on an organization's profitability.
Spoofing occurs when authority is delegated, either voluntarily or fraudulently, for one person to represent another, often involving access to that person's available resources. For instance, if the human resources manager is on vacation and an assistant has obtained his or her password and gained access to files containing executive compensation data, a breach of confidentiality can quickly propagate throughout the organization if the assistant does not exercise appropriate discretion.
Conversely, the human resources manager may be trying to access the executive compensation file to process a quarterly bonus payment, only to find herself locked out of that directory for no apparent reason. If the manager is on a deadline, this becomes an operational emergency.
The delay of access can be as costly to productivity as outright denial. Any process that slows down, becomes backlogged, or fails to deliver in a timely manner carries a financial cost. For example, when a system is running concurrent processes and the queue becomes overloaded, the CEO's time-sensitive financial report may be delayed while the customer service department processes a high volume of payments, both equally important activities competing for the same resources.
Denial of service can result from an intentional attack or from limits on system resources. When it is a true attack, it is characterized by the complete cessation of processing rather than merely extended wait times, and by requests arriving in abnormally large volumes. A true denial of service attack is intended to disable resources entirely and is insidious in nature. Inability to access systems is a security problem regardless of whether the origin is intentional or not.
When we think of intrusion detection, we don't often equate it with accounting. In most organizations, the accounting function is separate from the information technology function. They have long been considered different disciplines, but this is far from the truth. The reasoning behind keeping them separate has been that allowing a person too much cross-functional knowledge increases the potential for abuse: when an employee has knowledge of the internal procedures of two or more key operational departments, access levels multiply exposure risk. Hence, information technology and accounting have historically occupied opposite ends of the corporate spectrum.
This separation is often painfully misunderstood and only reconciled at great cost. Accounting is concerned with everything that touches money. Regardless of the industry, a business's primary goal is profit, and the technical infrastructure on which any organization operates is intrinsically intertwined with its financial viability. Accounting should be aware, at a minimum, of the risk for exposure inherent in its financial systems and cognizant of the policies and procedures necessary to prevent unauthorized access to sensitive financial data. Other departments should likewise be aware of the analytical and cost-justification support that accounting can provide. Accounting maintains a present and historical record of the organization's resources and can provide accurate monetary valuations when called upon. When another department is considering an expansion, a security system, or any measure with financial impact, accounting can contribute meaningful subject-matter expertise to the analysis.
Many companies consider accounting and finance one and the same. In practice, they are slightly different. Consider the analogy that finance is the act of cooking a meal, while accounting represents the ingredients that go into preparing it. Accounting, like cement, is the foundation that must be poured before building a house β it is the input for finance. From a financial perspective, the only business we are, or should be, in is the business of making money. In order to effectively maximize profitability, the risk/reward relationships of a firm's technology choices must be closely scrutinized.
Traditionally, the function of accounting has been to record transactions that have already occurred for the purpose of financial reporting. The accounting structure, however, is more complex: it consists of a system of checks and balances and a policy framework designed to protect some of the corporation's most sensitive and valuable information. Once accomplished through paper ledgers and journals, accounting today is conducted on computer systems that are vulnerable to attack. While publicly held companies publish their financial position openly, any unwelcome early release of financial figures can be detrimental to stock prices and company valuation. Misinformation can be equally dangerous. Privately held companies are often structured that way in part because of the desire to keep financial records closely held and unavailable to competitors.
For these reasons, accounting departments have become far more sophisticated than in the era of recording simple debits and credits. Today, accounting involves analysis and cost-based decision making. The accounting department is often called upon to participate in cost-benefit analysis, vendor selection, implementation of financial systems, budget approvals, and organization-wide oversight. In smaller organizations or those without a centralized information systems department, accounting may play an even greater role with respect to information security. Regardless of how the accounting role is structured, one thing is certain: anything that affects the bottom line will ultimately pass through accounting. The same cannot be said of all other departments.
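The ALE and cost-benefit arithmetic that the abstract refers to, applied to the accounting role described above, as an added worked example that is not part of the paper: asset values, exposure factors, occurrence rates and control costs for the hypothetical XYZ Corporation are constructed here, and the two views (annualized cost with straight-line depreciation versus discounted cash flow) are my own framing of the accounting/finance split.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # accounting's valuation of the asset, in dollars
    exposure_factor: float  # fraction of that value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents per year)

@dataclass(frozen=True)
class Countermeasure:
    name: str
    scenario: str           # Scenario.name this control mitigates
    purchase_cost: float    # one-time outlay, depreciated straight-line
    annual_opex: float      # recurring operating cost per year
    life_years: int
    residual_aro: float     # ARO remaining once the control is in place

def sle(s: Scenario) -> float:
    return s.asset_value * s.exposure_factor  # single loss expectancy: cost of one incident
def ale(s: Scenario) -> float:
    return sle(s) * s.aro  # annual loss expectancy: SLE times expected incidents per year

def annual_net_benefit(cm: Countermeasure, scenarios: dict) -> float:
    """Accounting view: ALE avoided minus annualized cost (depreciation plus opex)."""
    s = scenarios[cm.scenario]
    avoided = ale(s) - sle(s) * cm.residual_aro
    return avoided - (cm.purchase_cost / cm.life_years + cm.annual_opex)

def npv(cm: Countermeasure, scenarios: dict, rate: float) -> float:
    """Finance view: discount each year's cash benefit; the outlay falls in year 0."""
    s = scenarios[cm.scenario]
    yearly = ale(s) - sle(s) * cm.residual_aro - cm.annual_opex
    return sum(yearly / (1 + rate) ** t for t in range(1, cm.life_years + 1)) - cm.purchase_cost

def prioritize(controls, scenarios, rate=0.08):
    """Keep only controls whose yearly benefit exceeds their yearly cost, then rank by NPV."""
    justified = [c for c in controls if annual_net_benefit(c, scenarios) > 0]
    return sorted(justified, key=lambda c: npv(c, scenarios, rate), reverse=True)

# Constructed figures for the hypothetical XYZ Corporation, not taken from the paper.
SCENARIOS = {s.name: s for s in [
    Scenario("results leak", 5_000_000, 0.10, 0.2),    # early release of quarterly figures
    Scenario("payment DoS", 1_200_000, 0.05, 4.0),     # payment processing unavailable
    Scenario("comp file access", 300_000, 0.50, 0.5),  # executive compensation file read
]}
CONTROLS = [
    Countermeasure("encrypt reporting channel", "results leak", 300_000, 20_000, 3, 0.05),
    Countermeasure("DoS mitigation service", "payment DoS", 20_000, 30_000, 3, 1.0),
    Countermeasure("HR directory access review", "comp file access", 2_000, 1_000, 3, 0.1),
]
```

With these figures the encryption control is dropped because its annualized cost (120,000) exceeds the 75,000 of ALE it avoids, and the remaining two are ranked by NPV.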