Security of accounting information systems : A cross-sector study of UK companies

Riad, Nancy Ibrahim 2009. Security of accounting information systems : A cross-sector study of UK companies. PhD Thesis, Cardiff University.

PDF - Accepted Post-Print Version Download (17MB)

Abstract

The issue of information systems (IS) security has received considerable attention from both academics and professionals. Information systems security has become a major part of core business processes in companies of all sizes and types, and it has become more vital than ever for companies to have an organised, efficient, and proactive security approach to their IS. Despite this importance, a number of significant gaps exist in the academic literature. Most of the previous studies have dealt with IS security or information security in general, without particular attention to accounting information systems (AIS) security. Security research is fragmented, and most previous studies lack an overall and comprehensive view of AIS security issues. Each study has tended to deal with a particular security dimension. In addition, much research on IS security has been overwhelmingly focused on the technical aspects with limited consideration given to non-technical issues such as security policy, training and awareness, risk assessment or security budget. In an attempt to fill these gaps, the current study presents an integrated view of AIS security in UK companies by addressing both the technical and non-technical aspects of security. The current study aims to investigate the AIS security level among UK companies in different industry sectors by investigating the sources and types of AIS security threats, the different types of controls implemented to prevent or reduce security threats, and the existence of a management framework for AIS security within UK companies in different sectors. To achieve the research objectives, the current study employed quantitative and qualitative approaches using a postal questionnaire and semi-structured interviews. The first stage involved sending a postal questionnaire to the IT managers of 800 UK listed companies in different industry sectors. A total of 104 responses were received, of which 65 responses were usable for statistical analysis. The second stage involved conducting nine interviews with IT managers of UK companies. The results indicated that some activities and practices forming the AIS security management framework are well known and undertaken by the majority of UK companies regardless of the industry sector for example AIS security policy, security risk assessment, security incident handling procedures, and a business continuity plan. However, security training and awareness program, security budget, and the British Standard for Information Security (BS 7799) are the most neglected security practices in the majority of companies. The results also showed that UK companies suffer from different types of security incidents however, many incidents go unreported because of the fear of negative publicity and the majority prefer to maintain their brand and to deal with these incidents internally. The results also revealed that employees are now the most common source of AIS security threats facing UK companies. In addition, the results suggested frequent occurrence of some types of security threats, for instance, employees' errors such as unintentional destruction of data by employees, spamming and malware attacks, and employees' sharing of passwords. Moreover, the majority of companies are paying more attention to software, hardware, input, and output security controls. However, more effort must be devoted to organisational and personnel controls.

Item Type:	Thesis (PhD)
Status:	Unpublished
Schools:	Business (Including Economics)
ISBN:	9781303189388
Date of First Compliant Deposit:	30 March 2016
Last Modified:	16 Oct 2014 14:52
URI:	https://orca.cardiff.ac.uk/id/eprint/55840

Actions (repository staff only)

Edit Item