Introduction
Doing business in an online environment requires real-time processing of information. This is the case for a supermarket that is based in Hong Kong and does its business online. It needs to develop the capacity to process information in both a speedy and efficient manner. This strategy calls for integration of automated accounting information processing systems. Organisations make vital decisions based on consumers’ information such as their spending and preference patterns. Scientific studies are also based on the findings of collected data, whose analysis offers the appropriate information. Nations make vital decisions concerning requisite policies that can address social problems such as poverty. They have to collect and analyse a large amount of data. Hence, as with the supermarket, relying on human decision makers for accounting-related decisions can delay the data analysis that facilitates decision-making. Acknowledgement of this challenge will compel the supermarkets in Hong Kong to integrate information management systems into their decision-making processes.
This paper assumes the position of a systems accountant of a large established Hong Kong-based supermarket that specialises in the sale of fresh produce. With specific reference to the company’s accounting information system, it critically evaluates the type and nature of the risks and security threats that such a company faces in today’s online business environment. It then explains the control procedures and security strategies and/or measures that are necessary for the company to protect itself from such risks and threats.
Accounting Information Systems
In the Hong Kong-based supermarket, processing data to facilitate decision-making is important. This process begins with data collection followed by data classification. The Accounting Information System (AIS) serves these functions, although it focuses on financial information. Romney and Steinbert (2012) define accounting information systems as a structure for gathering, recording, storing, and processing the data that is required to make organisational decisions. Accounting information systems comprise ‘hardware, software, brainware, procedures, databases, and network communications technology’ (Alzoubi 2011, p. 10). Hence, effective functionality of the AIS at the supermarket will occur only after proper integration of these components. Conversely, poor integration and implementation of the various components of the AIS, including the role of human decision makers in the implementation process, contribute to failure in the functioning of the AIS. Such failure constitutes a major risk to an organisation whose business operations are conducted in an online environment, which requires real-time availability and reliability.
The Institute of Certified Management Accountants (ICMA) asserts that management accountants deploy their professional knowledge and skills to prepare and present financial information in a way that makes it possible to arrive at requisite decisions on policy formulation, planning, and control (Clinton & Anton 2006). Thus, decisions made by management accountants focus on the future increased performance of an organisation. Hence, it is important to mitigate risks and threats to accounting information systems to minimise the likely cases of fraud that target the supermarket.
The systems accountant has a role to play in developing and implementing investment appraisals. The task involves evaluating the attractiveness of any investment proposal by deploying various methods, including the ‘average rate of return, payback period, internal rate of return, and net present value among others’ (Clinton & Anton 2006, p. 788). Elements of investment appraisal are crucial in forecasting organisational performance. For example, using the break-even analysis, accountants can determine the quantities necessary for sale to ensure sustained performance without necessarily making profits. For the Hong Kong-based supermarket, this situation requires the availability of information and its storage in a secure manner. As discussed in the next sections, developing strategies for lowering or mitigating threats and risks such as cyber attacks against accounting information systems requires an understanding of the risks and threats that can impair the availability and reliability of the system.
Type and Nature of Risks and Security Threats
The discovery of new technologies has changed the way AIS has been deployed by business entities of all sizes. Indeed, technology has prompted the transition from paper-based ledgers and journals to the use of automated accounting systems in business processes. Developments such as the proliferation of microcomputers, the successful development of software applications such as Peachtree and QuickBooks, and the customisation of software to the accounting information-processing needs of an organisation have increased the range of available options for automating accounting processes at the Hong Kong-based supermarket. The availability of high-speed internet connectivity provides room for conducting online sales of fresh produce. However, this situation subjects the accounting information system that is used to complete online transactions and/or store data to various threats and risks.
A major risk and threat to the Hong Kong-based supermarket is cyber insecurity. Research in the field of cyber security does not clarify the common usage of its terminology. It also differs on how and what is meant to be achieved by measures that enhance cyber security. Research Councils (2011, p. 2) defines cyber security research as ‘any research that seeks ultimately to make electronic systems and activities they support less likely to suffer harm and disruption because of deliberate attacks’. This process involves active and defensive measures to enhance the security of the supermarket’s network systems.
Problems of cyber threats are critical to the accounting information systems of the Hong Kong-based supermarket. Similar to other organisations doing business in an online environment, the supermarket depends on the interconnectedness of computers. Albanese et al. (2011) recognise the nature of this risk by arguing that cyber insecurity constitutes a major concern in the modern world, which relies on information flow through interconnected computers and network systems. The internet has altered the way business is conducted in the modern revolutionary world since people are served through virtual systems. Many organisations have endeavoured to hike their productivity while at the same time enhancing their customer satisfaction by embracing internet-based technology.
Distributed computing emerges as a magical key for facilitating business in the global market (Nandigam, Gudivada, & Kalavala 2005). In the process, the supermarket’s accounting information systems must interact with other organisations through their network systems. Nandigam, Gudivada, and Kalavala (2005) insist that during such interactions, an organisation’s information systems are exposed to attacks from malicious people who intend to disrupt the flow of information, steal the information, or even damage the information. These threats and risks constitute the espionage and sabotage strategies of cyber attacks on the supermarket’s accounting information systems.
Cyber insecurity arising from network threats is perhaps one of the largest threats and risks to the accounting information systems of the supermarket. However, minicomputer and hardware threats are equally important. Network threats entail unauthenticated access to the supermarket’s data systems. This access occurs through various access points in the interconnected network cloud, which is necessary for conducting an online business. As new technologies emerge, new threats appear. Before the supermarket can deploy an appropriate control technique, it is crucial to realise that new technologies pose a major risk to its networks. System users can also introduce viruses or other malicious applications through the supermarket’s network.
The minicomputer environment introduces threats to the supermarket’s accounting information systems. Key areas of the threat include accidental or premeditated ‘bad’ data entry, improper duty segregation, and unofficial access to the system by the supermarket’s employees. This threat is particularly common among new users who are not yet well acquainted with the ergonomic aspects of the system. The outcomes of the threat include lower reliability of the information that the accounting information systems make available for crucial decisions about the operations of the Hong Kong-based supermarket.
Software and hardware threats involve system incompatibilities. Such challenges are likely to occur where a new technology leads to the development of new software applications to increase the security needs of the supermarket. Such applications may be incompatible with the current hardware or perform sub-optimally when installed in it. This case lowers the system’s availability by reducing the degree of confidence that the system will perform online business transaction at any time when required to do so.
Inadequate accounting information system security may arise from insufficient internal controls within the supermarket. This situation may occur where information systems personnel are the only officials who are given the responsibility of running and maintaining all the integrated information systems of the supermarket. MIS personnel are not as intensively trained on the processes of internal controls as accountants are. However, since I am serving in the capacity of systems accountant in the Hong Kong-based supermarket, challenges of internal controls have a lower probability of occurring.
Control Procedures and Security Strategies and/or Measures to deal with Risks and Security Threats
Mitigation strategies are important in dealing with insecurity risks in the Hong Kong-based supermarket’s networks, including overcoming cyber security threats. Human error lowers the availability and reliability of the accounting information system. Therefore, the security strategy for minicomputer threats entails educating users on the application and implementation of the various complicated procedures of the system. Indeed, the introduction of new technologies, procedures, and practices requires users to eliminate the threat of bad data. This claim is largely true for integrated and automated systems. Fui-Hoon and Lee-Shang (2009) support this assertion by arguing that, upon the introduction of a new MIS, employees require training on how to share common practices and information throughout an enterprise and on how to access and produce reports in real time. For high availability and reliability, buffer solutions are provided.
To reduce system incompatibility threats, the supermarket needs to use special hardware that performs optimally with expressly customised software that meets its needs. Such a system is also highly available since the hardware specification meets the software requirements, the software being specifically tailored to the processing capability of the supermarket’s hardware. Such compatibility can be enhanced through in-house construction of the software to meet the specification of already procured hardware. The software can also be sourced from a vendor who can customise it to fit the Hong Kong-based supermarket’s requirements. This option is preferred because it reduces the challenges that are associated with new MIS platforms, such as system learning and the occurrence of bugs that may lead to failure of the system soon after its implementation.
Considering that internal controls do not pose major challenges to the accounting information systems of the supermarket, much of the effort should be channelled into mitigating cyber threats. In a world of increased flow of information and interaction between people through computer networks, organisations’ computer systems face immense challenges from malicious attacks that are intended to disrupt operations, gain unauthorised access to organisational accounting information, and/or steal an organisation’s information. These challenges have prompted many organisations and even nations to come out eloquently to express their concerns about cyber attacks on their information systems. In the effort to mitigate and develop resilience to cyber attacks, many organisations have resorted to conducting cyber situational analysis (SA). This strategy can work in managing the insecurity of the supermarket’s accounting information systems.
Current models of computer network defence and Cyber SA are organised around the domain of being self-aware. They do not extend beyond their platform domains. The focus is on blocking enemies from accessing an organisation’s information systems. This strategy presents an immense danger since an enemy is given time to figure out some strategies of attack that may penetrate the security systems of the supermarket. Indeed, firewalls, IPS, and IDS operate on such platforms with all computer network defence components being fed into the SA. However, to enhance the security of the Hong Kong-based supermarket’s accounting information systems, this case is a credible basis for making cyber security decisions. The SA or computer network defence has a one-domain focus. Therefore, its activities are laid squarely on a single domain, which they own. Another essential trait of the current cyber security systems is that they do not interact with the enemies (attackers). The main concern is defending against attacks, not responding to them.
Another approach to enhancing SA in response to cyber attacks is through the deployment of Endsley’s self-awareness model. Nevertheless, this model is still not adequate for effective protection of the supermarket’s accounting information systems from malicious attacks. The model focuses on approaching the cyber security challenges from only one dimension. Besides being passive in nature, it largely depends on the information that is generated from its domain. To this extent, an active model for enhancing cyber security is necessary. Such a model requires interaction between the supermarket’s information systems and the enemy. It does not focus on blocking the enemy. This way, the supermarket acquires an opportunity to learn about the intents of the enemy. However, since the supermarket should not open its information to risks, such an approach needs to be adopted through a deceptive server. Strategies such as offensive hacking can then be deployed to incapacitate the enemy permanently. However, this move needs to be taken while complying with legal restrictions since it relates to invading other organisations’ information and network systems without their consent.
In an effort to enhance the security of the supermarket’s network systems, a firewall system matches its rules against the incoming traffic. Hence, firewalls possess only the capacity to detect potentially risky situations that involve malware as it gets into an organisation’s system, as opposed to detecting it after it has entered a network system (Mattord 2008). Hence, the overall intention of developing firewalls is to block potentially dangerous traffic from getting into the system.
The Intrusion Detection System (IDS) is largely passive. The IDS watches data packets going through the system without blocking them. Much like firewalls, the IDS has numerous rules against which it matches the data packets for attacks. When potential attacks are detected, the system raises an alarm to the administrator (Amoroso 2007). The IDS effects no means of responding to attacks. The IPS operates by waiting in-line in the traffic flow into a network for possible attacks, where it shuts down all attempted attacks that flow through the network wire. Additionally, the IPS can terminate connections in the network by blocking target access from the user account, IP addresses, or any other network that is associated with attackers (Anderson 2009). Similar to the other two approaches (firewall and IDS), the IPS also does not give the supermarket an opportunity to study the behaviour of the attackers. Besides, it does not offer a mechanism for counter attacking. Hence, the IPS is a passive mechanism for enhancing cyber security.
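The difference between the IDS and the IPS described above can be made concrete with a short simulation. This is an added example, not part of the original paper; the rule set, the sample traffic, and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed rule set: (rule id, pattern matched against the request line).
RULES = [
    ("R1-sqli", re.compile(r"(?i)\bunion\s+select\b")),
    ("R2-traversal", re.compile(r"\.\./")),
]

# Constructed traffic toward a hypothetical online shop: (source IP, request).
PACKETS = [
    ("203.0.113.7", "GET /shop/produce?id=12"),
    ("198.51.100.9", "GET /shop/produce?id=12 UNION SELECT card_no FROM payments"),
    ("198.51.100.9", "GET /shop/cart"),
    ("203.0.113.7", "GET /static/../../etc/passwd"),
]

@dataclass
class Result:
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    blocked_sources: set = field(default_factory=set)

def match_rule(payload):
    """Return the id of the first rule that matches, or None."""
    for rule_id, pattern in RULES:
        if pattern.search(payload):
            return rule_id
    return None

def run_ids(packets):
    """Passive mode: raise an alert on a match, but forward every packet."""
    res = Result()
    for src, payload in packets:
        rule = match_rule(payload)
        if rule:
            res.alerts.append((src, rule))
        res.forwarded.append((src, payload))
    return res

def run_ips(packets):
    """In-line mode: drop matching packets and block their source address."""
    res = Result()
    for src, payload in packets:
        rule = None if src in res.blocked_sources else match_rule(payload)
        if rule:
            res.alerts.append((src, rule))
            res.blocked_sources.add(src)
        if src in res.blocked_sources:
            res.dropped.append((src, payload))
        else:
            res.forwarded.append((src, payload))
    return res

if __name__ == "__main__":
    for name, run in (("IDS", run_ids), ("IPS", run_ips)):
        r = run(PACKETS)
        print(name, "forwarded:", len(r.forwarded), "dropped:", len(r.dropped),
              "alerts:", r.alerts)
```

In the IPS run the later `/shop/cart` request from the blocked address is dropped as well, which is the availability cost of blocking by source address.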
Conclusion
Online business has opened the Hong Kong-based supermarket’s accounting information systems to network threats, especially cyber-attacks. Although the supermarket can successfully mitigate internal risks by putting in place internal controls for information sharing and access, external threats such as cyber-attacks present a major challenge. Considering that the current SA models in the computing environment focus on blocking the enemy, the supermarket needs to adopt an interactive approach to the enemies. Although offensive hacking is open to scrutiny on the grounds of the ethical and moral considerations of executing it, the current strategies for enhancing and protecting the Hong Kong-based supermarket’s information and network systems from attacks are ineffective, hence the need for efficient systems to detect and control the threats that the supermarket faces.
References
Albanese, M, Jajodia, S, Pugliese, A & Subrahmanian, S 2011, Scalable analysis of attack scenarios: Proceedings of the 16th European Conference on Research in Computer Security, Springer-Verlag Berlin, Leuven, Belgium.
Alzoubi, A 2011, ‘The Effectiveness of the Accounting Information Systems under the Enterprise Resources Planning (ERP)’, Research Journal of Finance and Accounting, vol. 2, no. 11, pp. 10-19.
Amoroso, E 2007, Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response, Intrusion.Net Books, New Jersey, NJ.
Anderson, P 2009, Computer Security Threat Monitoring and Surveillance, Anderson Co., New Jersey, NJ.
Clinton, D & Anton, V 2006, ‘Management Accounting-Approaches, Techniques, and Management Processes’, Cost Management, vol. 5, no. 3, pp. 786-793.
Fui-Hoon, F & Lee-Shang, J 2009, ‘Critical Factors for Successful Implementation of Enterprise Systems’, Business Process Management Journal, vol. 7, no. 3, pp. 285-296.
Mattord, V 2008, Principles of Information Security, Course Technology, Oxford University Press, Oxford.
Nandigam, J, Gudivada, N & Kalavala, M 2005, ‘Semantic Web Services’, Journal of Computer information systems security, vol. 21, no. 1, pp. 50-63.
Research Councils 2011, An RCUK Green Paper for Cyber Security Research, Research Councils, London.
Romney, M & Steinbert, P 2012, Accounting Information Systems, Pearson, Upper Saddle River, NJ.