Accounting Information Systems and System of Systems:

Assessing Security with Attack Surface Methodology

Pythagoras Petratos Alessio Faccia
Blavatnik School of Government Coventry University
University of Oxford Priory St.
120 Walton St, Oxford OX2 6GG, UK, Coventry CV1 5FB, UK
+44 1865 614343 +971 504256750
p.pythagoras@yahoo.com alessio.faccia@gmail.com

ABSTRACT many benefits to accounting and finance, at the same it gave rise
Accounting Information Systems are playing the protagonist role to new threats.
in enterprise. This is because they provide the necessary financial There have been observed a continuous increase in both the
information required by law. At the same time there is an number and impact of cyberattacks. Cybersecurity is affecting
increasingly cyber security risk for AIS, which can be considered more and more accounting, which can be considered part of
part of critical infrastructure, in that sense assessing cybersecurity critical infrastructure. It is therefore necessary to assess the
risks is essential. The contribution of the paper is twofold. Firstly, security of Accounting Information Systems, in order to increase
in this paper the authors apply the attack surface methodology and resilience. Legislation aims to assure accounting information.
further develop it to assess such risks. Secondly, the attack surface Every company should fill their annual accounts with the tax
methodology has been expanded to include related systems to AIS. authorities. Since these accounts are checked by the government,
they should be accurate, otherwise the company could be subject
CCS Concepts to penalties, errors and frauds. Legislation also often requires the
Security and privacy ➝ Human and societal aspects of auditing for many types of companies, therefore the auditors must
security and privacy ➝ Economics of security and privacy be able to interpret and analyse also the adequacy of the IT
systems. Thus, it can be argued that Accounting and AISs are the
Keywords most important systems within the enterprise. Of course, other
Cybersecurity, Accounting Information Systems, ERP, Cloud, Big systems related to AISs are also important since they feed into
Data, System of Systems, Risk Management, Accounting and them information, and they are discussed later in connection to
Finance, Economics. AISs. However, the ultimate system reporting to government is
the Accounting Information System of an enterprise. In that sense
1. INTRODUCTION it can be considered to be at the top of a pyramid (See Figure 1).
Accounting systems can be considered the most critical element of
an enterprise. They manage the essential financial information, Security in AIS is essential to guarantee the accuracy of
represented in the annual statement of accounts (financial accounting information and prevent fraud.
statement), required by the government for any business entity to
continue its operation. Failure to provide such information or
inability to ensure that this information is accurate can result in
severe repercussions for the enterprise. The digital revolution
transformed traditional accounting that is now based on
Accounting Information Systems (AISs). It is hard in today’s
world to run a business without at least a basic software for
accounting purposes. Larger enterprises are using more advanced
and complex systems, including accounting functions as on-line
payments, but also cloud services, big data and integrated
Enterprise Resource Planning (ERP). While digitization brought
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that
copies bear this notice and the full citation on the first page. Copyrights
for components of this work owned by others than ACM must be Figure 1. Business Information Systems.
honored. Abstracting with credit is permitted. To copy otherwise, or
Additional regulation was created in order to further ensure the
republish, to post on servers or to redistribute to lists, requires prior
specific permission and/or a fee. reliability and protection of data, privacy and prevent from frauds,
Request permissions from Permissions@acm.org. misconducts and errors. Two renown paradigms can be
ICCBDC 2019, August 28-30, 2019, Oxford, United Kingdom highlighted, the Sarbanes - Oxley Act and the so-called European
© 2019 Copyright is held by the owner/author(s). Publication rights SOX set of Directives. Sarbanes-Oxley Act Law enacted on July
licensed to ACM. 30th, 2002 by the United States government in response to the
ACM ISBN 978-1-4503-7165-0/19/08…$15.00 accounting scandals of Enron, Tyco and other companies, with the
http://doi.org/10.1145/3358505.3358513 aim of restoring the trust of the nation and the world, particularly
of investors in the corporate sector, setting new codes of self- critical infrastructure, like government facilities sector and the
regulation and legal obligations. These obligations concern: the transportation system sector. If for example cyberattacks prevent
certification of all financial information; the transparency of payments to AISs then customers cannot use government services
accounting records; the preparation of internal controls for the or travel.
regularity and traceability of financial information; the personal
and objective responsibility of the CEO (Chief Executive Officer) Hardly a week goes by without yet another report of a high-profile
and the CFO (Chief Financial Officer) for financial statement cyber security breach affecting companies worldwide and cyber
disclosure; the increase in penalties for false accounting and other security is now part of the day job for accountants [2]-[3].
tax offenses; the establishment of the Public Company Accountancy firms face high risk of cyberattacks from multiple
Accounting Oversight Board, like a supervisory board on the vectors and is essential that cybersecurity becomes a higher
financial statements of listed companies. priority [4]-[5]. Accountant firms are a prime target for cyber-
attacks [6]-[8]. The larger the value in AIS, the larger the threat
The most well-known and most critical part of SOX is Section becomes. Thus, accounting firms and other financial institutions
404, which affirms the principle of managements’ responsibility are attractive to cyber-attackers [2]-[3]. However the recent
in maintaining a solid internal control system to guarantee the cyberattack on Wolters Kluwer NV can be considered an
reliability of financial reporting and attest to its effectiveness. The inflection point on AIS security. The Dutch company offers
SOX Act has imposed the documentation of the accounting services to many of the world’s small and mid-sized accounting
processes, the precise definition of the controls, the planning and firms run but also 93% of Fortune 500 companies are its
execution of tests for the evaluation of their effectiveness and the customers, experienced some of its cloud-based software
implementation of a process of continuous improvement. applications offline [9]-[13]. This can signal significant cyber
Although at the beginning the adaptation to the SOX had been risks for accounting firms but also cyber systemic risks. Thus an
very challenging, after a few years, the management began to innovative approach to assess AIS, and related cloud big data and
appreciate the benefits, so as to extend the management methods other systems, cyber security is imperative.
to other processes. SOX was in fact a standard that inspired many
other subsequent norms, including European ones. We can 2. LITERATURE REVIEW
consider the SOX as the first example, on a large scale, of a The authors intend to focus their attention on AISs as they
regulation that dealt with the impact on companies in positive constitute the essential basis of every information system,
terms, imposing the best practices already known and therefore the functions and operating cycles that are managed by
consolidated but not applied by all companies so far. the AIS must be those on which to pay particular attention. The
priority of the defense of computer systems from cyber-attacks
In Europe, a series of Directives have been approved which, if must consequently start from the analysis of the AIS to then
systematically considered, are identified as “Euro-SOX”, the protect all other functions (software modules) connected with
European Union’s equivalent to the US Investor Protection Act, them. The authors proceed to analyze the specific literature
with the aim to restoring investor confidence in the EU: (a) reviews related to all the systems involved in the analysis.
European Union’s Financial Services Action Plan (FSAP); (b) 4th
directive Annual Accounts of specific type of companies 2.1 Accounting Information Systems
(78/660/EEC); (c) 7th directive Consolidated accounts The components of accounting systems are single parts that allow
(83/349/EEC); (d) 8th directive of Company Law 1984 the overall system to manage financial data, to translate it into
(84/253/EEC); (e) 2006 (2006/43/EC); (f) Consolidated useful information, and to communicate it to stakeholders. In
Admissions and Reporting directive (CARD) (2001/34/EC); (g) order to analyse the accounting system it can be useful to consider
Transparency directive (2004/109/EC); (h) Insider Dealing it in terms of how it relates to the accounting cycle. Each part of
directive (1989/592/EEC) & The Market Abuse directive the -system is considered to complete some steps in the cycle in
(2003/6/EC). order to prepare and deliver financial statements.
Another example of a rule that affects information protection is The accounting information systems (see Figure 2), according to a
the GDPR (General Data Protection Regulation - EU Regulation scrupulous analysis of the existing and recent literature review
2016/679), a European regulation of Anglo-Saxon origin, which [14]-[18], can be divided into the following subsystems:
does not prescribe security measures that are valid for all, but
imposes an approach based on risk. It is a controversial law, but in (a) Financing cycle [19]-[21], records and reports information
reality it should be considered positively, both by citizens and by relating to stock, debt, bond and dividend transactions. The
company managers. The regulation sets out principles that are acquisition of external financing and payments made to
ethically unexceptionable, such as the lawfulness of obtaining data investors or lenders will fall under this cycle. Transactions
from people, their minimization with respect to the purposes of may be less frequent here if companies do not use external
the processing and their integrity and confidentiality. funds for their operations. It the counterpart to the
expenditure, human resource and revenue cycles. It covers
Due their importance AIS can be considered part of the critical the period from raising Financial resources to their
information infrastructure. This can be considered especially repayment.
effective for the financial services sector [1]. The Financial (b) Expenditure cycle [22][23], that can be summarized in
Services Sector includes numerous institutions, as banks, three basic activities: (a) ordering goods, supplies, and
providers of investment products, insurance companies, other services; (b) receiving and storing these items; and (c)
credit and financing organizations, each of them utilizing an AIS
paying for these items. These activities mirror the activities
to perform operations as payments, credit, trading and keeping
in the revenue cycle.
records of transactions. Therefore, AIS is central to the financial
services sector. Cybersecurity risks related to the AIS can be (c) Payroll cycle [24]-[28], can be identified in the following
considered systemic risk if there are cascading failures, let us say sub-processes: (a) pre-payroll; (b) time calculation; (c) wage
in stock market trading and associated AIS. It is also used in other
 and deduction calculation; (d) paycheck processing; (e) the management of a company, and necessary to report the
payroll accounting; and eventually (f) additional duties. company’s results to stakeholders [37]. The role of AIS is vital in
(d) Production cycle [29]-[31], that includes four basic handling an organization and executing an internal control system.
activities: (1) product design; (2) planning and scheduling; The investment in an AIS is essential and usually its benefits
(3) production operations; and (4) cost accounting. exceed its costs [38].
(e) Revenue cycle [32]-[34], can be divided into four basic
2.2 Accounting and related information
business activities: (a) sales order entry, (b) shipping, (c)
billing, and (d) cash collection. These activities mirror the systems (SoS – System of Systems)
activities in the expenditure cycle. A system of systems approach can be considered as a mix of
methods examined along with their effectiveness in solving
problems in different real-world problem contexts [39]. The
Accounting Information System, according to this concept should
be considered in its main functions interrelated to other tasks
performed by other information systems useful for a company.
Focusing on the nature of the analysed systems’ composition [40],
the authors selected the ones that involved the information
technology, it can therefore be stated without doubt that those
systems are all those software, useful for companies, that, in most
cases, are based on hardware platforms shared in servers. The
centrality of AIS cannot be questioned as, since the origin of IT,
the first software solutions provided to companies were simply
useful AIS to facilitate financial accounting tasks. Subsequently,
further useful solutions appeared in the market to manage the
various strategic corporate functions, even if not required by law.
Currently, financial statements and tax reports must necessarily be
Figure 2. Accounting Information System. prepared in an electronic format (XBRL or similar) to be able to
All these subsystems, to ensure maximum efficiency, must be submit them to the tax authorities, therefore it is not possible to do
connected to a single relational database, from which, in output, without a, at least basic, AIS. Over time, with the proliferation of
additional systems are generated. Those sub-systems provide additional useful software useful for companies, integrated
financial information (General Ledger and Financial reporting) or solutions called ERPs have appeared. Usually, these solutions
non-financial information (Management reporting) to both have a modular structure, and the module that no one can do
internal and external stakeholders [35]. without is that of accounting. In the digital economy, however,
two fundamental needs have arisen: (a) the ability to manage an
The information processed in these subsystems is necessary and immense amount of data and (b) the opportunity to constantly
required by law, their dissemination, at a general and aggregate connect users to the system without high investments in hardware.
level is necessary in order to guarantee limited liability to
shareholders of those companies that are forced to prepare and
publish financial statements. The overall result obtained by these
systems, which is summarized in the financial statement, is made
public for reasons of transparency, while the detail of the internal
procedures of the company (which constitutes a valuable know-
how, and from which the final published values arise) must be
kept strictly confidential. It is therefore useful to underline and
remember that the only thing that must be made public of this
process, managed by the accounting information system, is only a
single output represented by the financial statement, while the
analytical, partial, intermediate and disaggregated values for the
purposes of process analysis, must always be kept secret.
Accounting systems encompass confidential information that
should be kept safe and secure. The consequences of illegal access
can be devastating. The reliability of accounting information
could be irreversibly affected if data is changed or deleted on
purpose or by chance, also generating legal penalties.
Figure 3. System of Systems.
According to the Frequently reported internet crimes from the
FBI’s internet crime compliant center, in 2018 the most prevalent
crime types reported by victims were Non-Payment/Non-Delivery, 3. METHODOLOGY
Extortion, and Personal Data Breach. The top three crime types Therefore the authors use the attack surface methodology to
with the highest reported loss were BEC [Business Email assess the cybersecurity threats to Accounting Information
Compromise], Confidence/Romance fraud, and Non- Systems (AIS) in the enterprise environment. The hypothesis
Payment/Non-Delivery [36]. tested is rather simple and is based on the premise that ‘the larger
the attack surface, the more insecure the system’ [41]. While the
In conclusion, AIS is an integrated framework that uses resources attack surface methodology has been applied to other topics, it is
to transform economic data into financial information useful for the first time it is applied in the context of AIS. This is a main
innovation and contribution of the paper. Another key The attack surface methodology offers many advantages for the
contribution is that the methodology of attack surfaces is examination of AIS and AIS related SoS. First of all, it can be
expanded to include System of Systems (SoS) rather than only rather easily applied. We can basically assess the security of
individual AISs. It can be argued that similar attack surface systems based on first principle that the larger the attack surface
methodological expansions concerning enterprises had occurred in the larger the insecurity. Secondly, this methodology has been
the past [42]. In that sense, this methodology is also used for the developed over the years and has been extensively applied and
security assessment and comparison of SoS. AIS related SoS tested in different systems and versions. Moreover, it has
comprise of numerous systems, in which AIS has the protagonist dimensions which can be adapted and developed to a variety of
role (Figure 3). environments. Another advantage is that the attack surface
methodology can be conveniently extended to SoS, with the
SoS usually include Cloud Computing, primarily to store data, and addition of few new dimensions. Thus, it is a relative simple a
Big Data Analytics systems to process data and identify useful methodology for assessing Accounting Information
opportunities to improve company performance and prevent fraud. Systems.
Big data and Cloud computing today are important resources in
the business strategies of companies and more and more 4. FINDINGS AND CONCLUSIONS
companies, particular SMEs, have adopted and currently are using
cloud computing while bigger corporations have developed big 4.1 Accounting Information Systems and
data centers, private cloud or hybrid cloud [43]. Corporate data is Attack Surface assessment
evolving into Big Data [44]. Therefore AIS related systems are Having already briefly presented the attack surface methodology,
become continuously more important. Consequently, as the AIS in this section the authors try to find if the attack surface
related SoS grow, the attack surface is likely to increase and methodology can be applied to AIS. There are three broad attack
cybersecurity could diminish. surface dimensions; i) targets and enablers ii) channels and
protocols, and iii) access rights [45]. AIS features all these
3.1 Accounting Information Systems dimensions. Another additional attack surface approach has been
One of the first papers on attack surface methodology attempted also implemented: the entry and exit point framework. Simply,
to answer a fundamental question, to measure and compare the entry points and exits of a system are the ways that data
security between system A and system B with respect to a given respectively use to enter in and exit from its environment [41].
number of yardsticks, called dimensions [45]. Another key The latter approach can be considered very useful for the business
objective is to determine the security between new releases and analysis, since any AIS has numerous entry and exit points. These
earlier versions of a system. Subsequent literature on attack can be easily observed by focusing on the red triangle in Figure 1
surfaces compares different versions of operating system [41] and and also in Figure 2. Taking as an example the revenue cycle, it
servers [41]. In this paper the authors compare and suggest how to can be noticed the presence of entry point, like sales order, where
measure security between different Accounting Information data move from the environment into the system. Conversely, in
Systems and also AIS versions. the expenditure cycle the activity of ordering goods is an exit
point.
3.2 AIS Related System of Systems
However, modern AIS are interconnected to other systems and The attack vectors also apply to AIS. Open sockets, services run
often highly integrated. As already presented in the literature by default dynamic web pages are only few of the attack vectors
review, Cloud and Big Data systems can be considered some of that can be used for AIS security assessment. The attack surface
numerous other systems related to an AIS. In that sense it would method has another key advantage: attack vectors can change,
be an omission to just focus only on the analysis of AISs. A more according to the type of system. For example, Heumann, Keller,
holistic security approach would be to examine AISs related SoS and Türpe [46] construct metric using a real vector space of
(Systems of Systems). This is naturally a higher level of weighted parameters in which every possible attack surface is
abstraction and an extension of the comparison between one represented by an attack surface vector and measurements are
system and different updated versions. It should be noted that mapped based on a set of rules and principles. These components
while most of the dimensions remain the same, more dimensions for web applications use the degree of distribution, page creation
should be added in order to capture the relations among different method active content, cookies, access rights etc. [46]. Such
systems including AIS related SoS. analysis can be very useful since web services are important
features of AIS [47]. Similarly they can represent expansions of
Thus, the 17 attack vectors to measure the opportunities of attacks attack vectors according to the characteristics of the AIS and AIS
[45], later increasing to 20 [45] can be employed. Moreover, other related systems (SoS). Another major advantage of the attack
approaches to attack surface methodology identifying the surface calculation is that it can be summarized in independent
resources, attack classes, and other abstract dimensions (i.e. contributions from a set of channel types, a set of processes
method, data, channel), as well as other features, can be equally targets, a set of data targets, and a set of process enables, all of
used in assessing AIS and AIS related SoS. However, in the latter them subject to the constraints of access rights [45]. In a sense,
it is useful to introduce some new dimensions. One important this approach allows to decompose the systems. This might be
dimension is how much these systems are interconnected and particularly useful in AIS which is constituted from various cycles
integrated. The interconnectedness of systems assists in the and activities. At the same time this simplified approach comes at
transmission of cyberattacks and associated cascading effects. the cost of reducing the number of interactions among different
Consequently, another dimension is the ease of that attack vectors services channels and channels [45]. This brings us to the
are penetrating and transmitted between systems. A final discussion below which tries to emphasize some interactions,
dimension is the effect of cascades, how cyberattacks can be especially in the context AIS related systems.
amplified by passing from one system to another and create
systemic failures.
4.2 AIS related Systems (SoS) and attack allowed to obtain a broad and precise understanding of the
systems analysis and the risks associated with cyber-attacks.
surface Having identified the AIS as the main sensitive source of
It would be a significant omission to analyse AIS in isolation. information for each system, future research will therefore now be
While initially AIS might have developed only for accounting able to focus on these to implement information security systems.
purposes, they do interact with other systems and they has been
often integrated into more complex enterprise solutions. Figure 1 5. REFERENCES
and Figure 2 display that AIS can be part of integrated Enterprise [1] https://www.dhs.gov/cisa/critical-infrastructure-sectors
Resource Planning systems (ERPs) and interact with numerous
other types of systems. The attack surface methodology can be [2] https://www.accaglobal.com/ie/en/student/sa/features/cyber.h
also applied to more complex systems, as ERPs including AIS. tml
ERP systems can be considered to represent the business-critical [3] Gordon, L. A., & Loeb, M. P. (2006). Managing
infrastructure and they are affected more by threats due to wider cybersecurity resources: a cost-benefit analysis (Vol. 1). New
attack surface [48]. Some authors [49] have successfully applied York: McGraw-Hill.
in practice a general method for measuring attack surfaces to [4] https://www.icaew.com/about-icaew/news/press-release-
enterprise software written in Java. In that sense it can be archive/2017-press-releases/regions-2017/tv-cyber-attack
concluded that attack surface methodology can be applied to other
systems as ERPs although more research is needed towards this [5] Chabinsky, S. R. (2010). Cybersecurity strategy: A primer
direction. for policy makers and those on the front line. J. Nat'l Sec. L.
& Pol'y, 4, 27.
However, the biggest challenge is AIS related SoS. These are
systems that are loosely integrated. Enterprises might acquire [6] https://www.ft.com/content/f52f6fee-ccf4-11e6-864f-
systems from different vendors. Therefore, more systems can 20dcb35cede2
significantly increase the attack surface of AIS. This can be [7] Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003). Sharing
viewed in Figure 2 in which the AIS is interacting with numerous information on computer systems security: An economic
other systems as cloud, databased and big data. In addition, Figure analysis. Journal of Accounting and Public Policy, 22(6),
3 displays interactions with other systems of enterprises or 461-485.
financial institutions. The creation of more complex system of [8] Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Richardson, R.
systems within the enterprise but also interacting with other (2005). 2005 CSI/FBI computer crime and security
enterprises and critical infrastructure significant raises the risk of survey. Computer Security Journal, 21(3), 1.
cyberattacks and also systemic cyber risks [50]. We are proposing
an expansion of the attack surface methodology to be applied in [9] https://www.bloomberg.com/news/articles/2019-05-11/a-
SoS. There can be three additional dimensions that can enrich and massive-accounting-hack-kept-clients-offline-and-in-the-
extent the application of attack surface analysis on AIS related dark
SoS and critical infrastructure. One important dimension is how [10] Brender, N., & Markov, I. (2013). Risk perception and risk
much these systems are interconnected, another how easy is the management in cloud computing: Results from a case study
transmission of cyberattacks and associated cascading effects of Swiss companies. International journal of information
among systems and thirdly how cyberattacks can be amplified by management, 33(5), 726-733.
passing from one system to another and create systemic failures.
[11] Leavitt, N. (2009). Is cloud computing really ready for prime
There can be some recommendations resulting from the above time?. Computer, (1), 15-20.
discussion. First of all, as the risk of cyberattacks on AIS is [12] Rashid, A., & Chaturvedi, A. (2019). Cloud Computing
increasing it is necessary to be able to assess their cybersecurity. Characteristics and Services: A Brief Review.
Secondly, based mainly on first principles and related literature
we can suggest that the attack surface methodology can be applied [13] Singh, M., Kant, U., Gupta, P. K., & Srivastava, V. M.
to AIS and AIS related systems in order to assess security. (2019). Cloud-Based Predictive Intelligence and Its Security
Another recommendation is that integration of systems might Model. In Predictive Intelligence Using Big Data and the
reduce the attack surface. This is because there would be less Internet of Things(pp. 128-143). IGI Global.
entry and exit points. For example, payment systems can be [14] Hall, J. A. (2012). Accounting information systems. Cengage
integrated in order not to have alternative cloud or web Learning.
application for payments, that increase the attack surface. Future
[15] Romney, M. B., Steinbart, P. J., & Cushing, B. E.
research is necessary, since AISs are becoming more valuable and
(2000). Accounting information systems (Vol. 2). Upper
are part of critical infrastructure. Future research should focus on
Saddle River, NJ: Prentice Hall.
systems related to AIS and future technological challenges as
Cloud computing, Databases and Big Data, web services and [16] Simunic, D. A., & Biddle, G. C. (2019). The Big Four: The
enterprise applications integration [47]. Curious Past and Perilous Future of the Global Accounting
Monopoly.
4.3 CONCLUSIONS [17] Mohammed, A. L., Al-Hosban, A., & Thnaibat, H. (2018).
Applying the attack surface methodology and further developing The impact of the risks of the input of accounting
it to assess cyber risks, it has been clarified how in business information systems on managerial control, accounting
processes, in all systems in general, accounting information control and internal control in commercial banks in
systems are the most sensitive to cyber-attacks. AIS are therefore Jordan. International Journal of Business and
the most deserving of protection and attention. The main Management, 13(2), 96-107.
innovation introduced by this research was to expand the attack
surface methodology to include related systems to AIS. This path
[18] Ogneva, M., Piotroski, J. D., & Zakolyukina, A. A. (2018). (AIS) Alignment and Non-financial Performance in Small
Accounting fundamentals and systematic risk: Corporate Firm: A Contingency Perspective. In International
failure over the business cycle. Chicago Booth Research Conference on Computational Science and Its
Paper, (14-31), 14-37. Applications (pp. 382-394). Springer, Cham.
[19] Jones, J. P., Long, J. H., & Stanley, J. D. (2019). Pane in the [36] FBI, Internet Crime Report 2018.
Glass: A Review of the Accounting Cycle. Issues in [37] Wilkinson, J. W. (1991). Accounting and information
Accounting Education Teaching Notes, 34(1), 32-53. systems. John Wiley & Sons, Inc.
[20] Begenau, J., & Salomao, J. (2018). Firm financing over the [38] James, D., & Wolf, M. L. (2000). A second wind for
business cycle. The Review of Financial Studies, 32(4), 1235- ERP. The McKinsey Quarterly, 100-100
1274.
[39] Jackson, M. C., & Keys, P. (1984). Towards a system of
[21] Habib, A., & Hasan, M. M. (2018). Corporate Life Cycle in systems methodologies. Journal of the operational research
Accounting & Finance: A Review of the Literature. society, 35(6), 473-486
[22] Laitinen, E. K., & Laitinen, T. (2018). Financial reporting: [40] J. Boardman and B. Sauser, (2006). System of Systems - the
profitability ratios in the different stages of life meaning of of, 2006 IEEE/SMC International Conference on
cycle. Archives of Business Research, 6(11). System of Systems Engineering, Los Angeles, CA, 2006, pp.
[23] Yongjun, W. (2007). Expenditure Cycle: the Logical 6 pp.- doi: 10.1109/SYSOSE.2006.1652284
Beginning Point for the Construction of Government [41] Manadhata, P. K., Tan, K. M., Maxion, R. A., & Wing, J. M.
Budgetary Accounting Framework-Concurrently Nuclear (2007). An approach to measuring a system's attack
Proposition and Strategic Sequence about Government surface(No. CMU-CS-07-146). CARNEGIE-MELLON
Accounting Reform in China [J]. Accounting Research, 5. UNIV PITTSBURGH PA SCHOOL OF COMPUTER
[24] Weygandt, J. J., Kimmel, P. D., KIESO, D., & Elias, R. Z. SCIENCE.
(2010). Accounting principles. Issues in Accounting [42] Sun, K., & Jajodia, S. (2014, November). Protecting
Education, 25(1), 179-180. enterprise networks through attack surface expansion.
[25] Bodnar, G. H., & Hopwood, W. S. (2001). Accounting In Proceedings of the 2014 Workshop on Cyber Security
lnformation Systems. Analytics, Intelligence and Automation (pp. 29-32). ACM.
[26] Jones, J. P., Long, J. H., & Stanley, J. D. (2019). Pane in the [43] Claudiu Brandas Ovidiu Megan Otniel Didraga (2015)
Glass: A Review of the Accounting Cycle. Issues in Global Perspectives on Accounting Information Systems:
Accounting Education Teaching Notes, 34(1), 32-53. Mobile and Cloud Approach Procedia Economics and
[27] Warren, C., & Jones, J. (2018). Corporate financial Finance Volume 20, 2015, Pages 88-93
accounting. Cengage Learning. [44] Miklos A. Vasarhelyi, Alexander Kogan, and Brad M. Tuttle
[28] Maynard-Patrick, S., & Higgins, L. N. (2018). Gleam (2015) Big Data in Accounting: An Overview. Accounting
Lighting: A Collaborative Experiential Payroll Fraud Horizons: June 2015, Vol. 29, No. 2, pp. 381-396.
Case. Management Teaching Review, 2379298118811149 [45] Howard M., Pincus J., Wing J.M. (2005) Measuring Relative
[29] Vegera, S., Malei, A., Sapeha, I., & Sushko, V. (2018). Attack Surfaces. In: Lee D.T., Shieh S.P., Tygar J.D. (eds)
Information support of the circular economy: the objects of Computer Security in the 21st Century. Springer, Boston,
accounting at recycling technological cycle stages of MA
industrial waste. Entrepreneurship and Sustainability [46] Heumann, T., Keller, J., & Türpe, S. (2010). Quantifying the
Issues, 6(1), 190-210. attack surface of a web application. Sicherheit 2010.
[30] Woodward, D. G. (1997). Life cycle costing—theory, Sicherheit, Schutz und Zuverlässigkeit.
information acquisition and application. International journal [47] Belfo F., Trigo A., 2013, Accounting Information Systems:
of project management, 15(6), 335-344. Tradition and future directions, Procedia Technology. Vol. 9
[31] Romney, M. B., & Steinbart, P. J. (2011). Accounting Pages 536-546.
information systems. Prentice Hall Press. [48] Nunez, M. (2012). Cyber-attacks on ERP
[32] Annand, D., & Dauderis, H. (2018). Introduction to Financial systems. Datenschutz Und Datensicherheit-DuD, 36(9), 653-
Accounting. Valley Educational Services Limited. 656.

[33] Lu, X., & Wang, J. (2018). A Review of the Classification of [49] Manadhata, P. K., Karabulut, Y., & Wing, J. M. (2009,
Enterprise Life Cycle. Modern Economy, 9(07), 1169. February). Report: Measuring the attack surfaces of
enterprise software. In International Symposium on
[34] Glover, J. C., & Ijiri, Y. (2002). “Revenue Accounting” in Engineering Secure Software and Systems (pp. 91-100).
the Age of E‐Commerce: A Framework for Conceptual, Springer, Berlin, Heidelberg.
Analytical, and Exchange Rate Considerations. Journal of
International Financial Management & Accounting, 13(1), [50] Petratos, P. N. (2018). Systemic Cyber Risks and Defense:
32-72. Valuation, Innovation and Strategic Implications. Military
Cyber Affairs, 3(2), 6.
[35] Budiarto, D. S., Prabowo, M. A., Djajanto, L., Widodo, K. P.,
& Herawan, T. (2018, May). Accounting Information System