Marquette Business

Professor’s research covers intersection of accounting and cybersecurity

The word “curious” comes up often when Assistant Professor of Accounting Dr. Zhijian He describes his research. What connections can he find, what can the data reveal and, most important, what is being overlooked? 

Given his subject matter, his curiosity has multi-million-dollar implications. 

He, who goes by “Chris” to his colleagues at Marquette, explores commonalities among companies that experience cybersecurity breaches, hoping to shed light on the multifaceted economic impact they have. He started his research as a doctoral student at Florida Atlantic University, but in some ways the undertaking began years ago, when He was employed at a manufacturing company and the systems suddenly crashed. 

“For that production day or two, it was really hard for accountants to make estimates. Timecards are not correct, inventory is not correct. Nothing is correct. How much product did we produce? How much inventory did we use? How many employees do we have to pay?” 

Fortunately, that episode wasn’t a breach, and the system was back up and running again without much damage done, but it got He thinking about how much worse would it be if the company’s data had been compromised?. 

In the ensuing years, hacks and security breaches are increasingly big news, with high-profile incidents at companies like Target, Google, Sony, PlayStation and Yahoo. By one estimate, the global average cost of just one data breach climbed to $4.45 million in 2023. What began as curiosity became the focus of He’s research.

Expanding cybersecurity beyond IT 

Born in Guangzhou, China, He moved to Canada to attend college, earning his bachelor’s and master’s degrees in accounting from the University of Northern British Columbia. From there, he embarked on a series of jobs in Canada, working in public accounting and industry while collecting experience in audit, tax and management roles. After earning his doctorate, he joined Marquette in 2020 as assistant professor of accounting. 

He admits that cybersecurity and accounting aren’t often put together, but his research makes a strong case that they should be. “Accounting professionals are at the forefront of cybersecurity as guardians of sensitive financial data for individuals, businesses, and organizations,” He says. 

While there is plenty of concern about cybersecurity already, He’s findings argue for expanding that concern beyond short-term to long-term consequences, and beyond internet technology practices to broader company practices. “We’re trying to look beyond the obvious things.”  

Findings from his research underscore his point: 

  • Research and development (R&D): Companies experiencing cybersecurity breaches tend to curtail their research and development (R&D) expenditures, demonstrating the broader operational impact of such incidents. 
  • Supply chain partners: Cybersecurity breaches within a firm can extend to supply chain partners, leading to increased instances of real activities-based earnings management. He’s findings demonstrate a ripple effect that deserves more attention, and that market participants should understand. 
  • Perceived pay inequity: Data shows an association between perceived pay inequity and heightened risks of cybersecurity breaches. He’s data cannot yet explain why this is true, but it could suggest, for instance, that employees who feel underpaid in comparison to executives might take less care with security. 

Ultimately, He hopes the empirical evidence deepens our collective knowledge of the system’s vulnerabilities and their potential consequences. 

“The findings advocate for a more vigilant and informed approach to cybersecurity, emphasizing its role in protecting not just the financial data but also the overall financial health and resilience of the organization,” He says. 

Digging into more data  

“Chris is a great colleague,” says Dr. Kevin Rich, chair of the accounting department. “He has published extremely well; his research output is at the top of our unit right now. And he’s a lot of fun to work with.” 

Rich said He’s real-world experience pays off both inside and outside the classroom. “He’s got a really interesting worldview, given his background. Chris has experience in just about all of the traditional accounting roles.”  

He’s cybersecurity research also benefits the department in ways beyond publishing. A teaching module He developed explains the fundamentals of information security that today’s students need to know: network security, incident response, disaster recovery and different types of cyber threats such as malware, phishing and ransomware. 

As He digs further into data comparing breached and non-breached companies, his curiosity shows no sign of ebbing. One current area of interest is how C-suite characteristics can offer insights and patterns. 

“We have done a lot of things to look at the characteristics of the CEO and CFO and how this impacts firms’ performance,” He said. “Historically, we look at things like gender, age, background, whether they have an accounting background and whether they are risk-takers. But what we are trying to look at now is their IT competencies.” 

Just as IT competency is playing a bigger role in the C-suite, He sees it playing a bigger role in any accountant’s job. 

“Accountants handle sensitive data,” He says. “They may handle all the payroll information or all the banking information. If that’s getting leaked to hackers, the consequences would be pretty detrimental.”  

In addition to adhering to basic security protocols, He sees his colleagues as essential to educating, informing and encouraging best practices. 

“Just making sure the books are accurate isn’t enough.” 

Keeping your data safe 

He shared some tips for keeping data safe at home and at work. 

For the workplace: 

Cybersecurity training and awareness: Regularly train employees on cybersecurity best practices and awareness. This should include recognizing phishing emails, the importance of strong passwords, and safe internet browsing habits. 

Strong passwords and multi-factor authentication (MFA): Ensure that all employees use strong, unique passwords for each of their accounts and enable MFA wherever possible. This adds an extra layer of security beyond just passwords. 

Regular software updates and patch management: Keep all software and systems up to date with the latest security patches. Cyber attackers often exploit vulnerabilities in outdated software. 

Secure Wi-Fi networks: Ensure that your Wi-Fi network is secure, encrypted, and hidden. Use strong network passwords and consider a VPN for additional security, especially for remote workers. 

Firewalls and antivirus software: Use firewalls to shield your Internet connection and use reputable antivirus software to protect against malware. 

Data backup and encryption: Regularly back up data and ensure that sensitive data is encrypted. This protects against data loss and breaches. 

Incident response plan: Have a cybersecurity incident response plan in place. This plan should outline the steps to take in the event of a cyber-attack or data breach. 

For home: 

Many of the tips relevant to organizations (such as strong passwords) are relevant at the personal level. In addition, individuals should:  

Secure your home network: Change the default username and password on your home router, use WPA2 or WPA3 encryption, and regularly update the router’s firmware. 

Be cautious with emails and links: Do not click on links or open attachments in emails from unknown sources. Be wary of phishing attempts. 

Secure your Internet of Things (IoT) devices: Change default passwords, regularly update firmware, and use network segmentation to isolate IoT devices from critical devices. 

Educate family members: Teach family members, especially children, about safe internet practices, including the risks of sharing personal information online and recognizing suspicious online behavior. 

Use VPN for remote access: If you access your work network from home, use a virtual private network (VPN) to create a secure connection.