Categorize Significant Global Threat Sources, Objectives, and Capabilities





For this assignment, you will categorize the content of open sources such as MITRE ATT&CK (in particular its “Groups” pages, with the implications and options they present), the Verizon DBIR, Cisco cyberthreat reports, Cisco Talos, CrowdStrike, DHS CISA advisories, and other leading, high-quality Internet sources. Add peer-reviewed research literature to select current insights published within the last 2 years.

In your assignment, be sure to address the following:

  • Combine your selection of known global threat sources, objectives, and capabilities to form a reasonable baseline of concerns for one specified organization that has no fewer than 10,000 employees or a financial budget exceeding $1 billion.
  • Identify the critical industry for the organization.
  • Avoid the assumption that one should focus on a few recent cyber incidents or tactics.
  • Pursue the value at risk for the organization, not popular conceptions.

A formal paper is suitable for delivery to the CIO and CISO of your specified organization and their teams. You should act as a consultant (internal or external to the organization) in formulating your response. Add no fewer than one table beyond the narrative content described above.

Length: 6 pages, not including title and reference pages; include at least one table.

References: Include a minimum of 6 scholarly references. You can cite 4 from the course, but also cite at least 2 different peer-reviewed academic research studies relevant to your approach for this assignment. These 2 references should not be from this course and should have been published in the last two years.

The completed assignment should address all of the assignment requirements, exhibit evidence of concept knowledge, and demonstrate thoughtful consideration of the content presented in the course. The writing should integrate scholarly resources, reflect academic expectations and current APA standards, and include a plagiarism report.
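The checklist above can be turned into a repeatable scoring step before the narrative is written. The Python below is an added illustration for this assignment, not course material and not code or data from MITRE ATT&CK: the group records are constructed samples in the shape of ATT&CK “Groups” entries (name, objective, sectors targeted, technique IDs used), the GroupA to GroupE attributions and the “Acme Energy” profile with its asset values are hypothetical, and the technique-to-asset exposure mapping is the kind of judgement an analyst supplies. It ranks techniques by the value they expose at the one assessed organization and contrasts that with raw popularity across all groups, which is the “value at risk, not popular conceptions” point.

```python
"""Build a value-at-risk threat baseline for one organization.

Added illustration for the assignment above, not part of the course
material or of MITRE ATT&CK. The group records are constructed samples in
the shape of ATT&CK "Groups" entries; group names, sector lists and
attributions are hypothetical, even though the technique IDs are real
ATT&CK identifiers.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatGroup:
    name: str
    objective: str              # espionage, financial, disruption, ...
    sectors: frozenset          # industries the group has been seen targeting
    techniques: frozenset       # ATT&CK technique IDs the group is known to use


@dataclass(frozen=True)
class Organization:
    name: str
    industry: str
    asset_values: dict          # asset class -> value at risk (constructed, USD millions)
    technique_exposure: dict    # technique ID -> asset classes it can put at risk


# Constructed sample "Groups" records (hypothetical attributions).
SAMPLE_GROUPS = [
    ThreatGroup("GroupA", "financial", frozenset({"finance", "retail"}),
                frozenset({"T1566", "T1486", "T1078"})),
    ThreatGroup("GroupB", "espionage", frozenset({"energy", "government"}),
                frozenset({"T1190", "T1078", "T1021"})),
    ThreatGroup("GroupC", "financial", frozenset({"healthcare", "finance", "energy"}),
                frozenset({"T1566", "T1486"})),
    ThreatGroup("GroupD", "disruption", frozenset({"energy"}),
                frozenset({"T1021", "T1003"})),
    ThreatGroup("GroupE", "financial", frozenset({"retail"}),
                frozenset({"T1566", "T1078"})),
]

# Constructed profile of the assessed organization (hypothetical energy company).
ACME = Organization(
    name="Acme Energy",
    industry="energy",
    asset_values={"ot_control": 800, "corporate_it": 200, "customer_pii": 150, "email": 50},
    technique_exposure={
        "T1566": {"email", "corporate_it"},          # Phishing
        "T1486": {"corporate_it", "ot_control"},     # Data Encrypted for Impact
        "T1078": {"corporate_it", "customer_pii"},   # Valid Accounts
        "T1190": {"corporate_it"},                   # Exploit Public-Facing Application
        "T1021": {"ot_control"},                     # Remote Services
        "T1003": {"corporate_it"},                   # OS Credential Dumping
    },
)


def relevant_groups(groups, industry):
    """Groups observed targeting the organization's industry, in stable name order."""
    return sorted((g for g in groups if industry in g.sectors), key=lambda g: g.name)


def popularity(groups):
    """How many groups (of any sector) use each technique: the 'popular' view."""
    return Counter(t for g in groups for t in g.techniques)


def exposure_value(org, technique):
    """Sum of the asset values a technique can reach at this organization."""
    return sum(org.asset_values[a] for a in org.technique_exposure.get(technique, ()))


def baseline(groups, org):
    """Rank techniques by exposed value times the number of relevant groups using them.

    Each row records the technique, its value-at-risk score, the groups behind it
    and their objectives: the sources / objectives / capabilities triple.
    """
    users = defaultdict(list)
    for g in relevant_groups(groups, org.industry):
        for t in g.techniques:
            users[t].append(g)
    rows = []
    for t, gs in users.items():
        rows.append({
            "technique": t,
            "value_at_risk": exposure_value(org, t) * len(gs),
            "groups": sorted(g.name for g in gs),
            "objectives": sorted({g.objective for g in gs}),
        })
    # Deterministic order: highest score first, ties broken by technique ID.
    return sorted(rows, key=lambda r: (-r["value_at_risk"], r["technique"]))


def format_table(rows):
    """Plain-text table suitable for pasting into the report."""
    lines = [f"{'Technique':<10}{'VaR':>8}  {'Objectives':<22}Groups"]
    for r in rows:
        lines.append(f"{r['technique']:<10}{r['value_at_risk']:>8}  "
                     f"{', '.join(r['objectives']):<22}{', '.join(r['groups'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Most popular techniques across all groups:",
          [t for t, _ in popularity(SAMPLE_GROUPS).most_common(2)])
    print(format_table(baseline(SAMPLE_GROUPS, ACME)))
```

With the constructed data, phishing (T1566) and valid accounts (T1078) are the most popular techniques across all groups, yet for the energy organization the baseline puts remote services against OT (T1021) and ransomware-style encryption (T1486) first, because that is where the exposed value sits. Real ATT&CK group pages, the DBIR and CISA advisories supply the sector and technique fields; the asset values and exposure mapping must come from the organization itself.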


BUCHAREST UNIVERSITY OF ECONOMIC STUDIES
FACULTY OF ACCOUNTING AND MANAGEMENT INFORMATION SYSTEMS

Proceedings of the 14th International Conference Accounting and Management Information Systems
AMIS IAAER 2019
June 5 – 6, 2019

Bucharest University of Economic Studies
6, Piața Romană, 1st District, Bucharest, 010374 Romania

ISSN 2247-6245
ISSN-L 2247-6245

ORGANIZING COMMITTEE
from the Faculty of Accounting and Management Information Systems, Bucharest University of Economic Studies

  • Liliana Feleagă, Department of Accounting and Audit
  • Cătălin Albu, Department of Accounting and Audit
  • Nadia Albu, Department of Accounting and Audit
  • Adrian Anica-Popa, Department of Financial Analysis and Valuation
  • Dana Boldeanu, Department of Management Information Systems
  • Daniela Calu, Department of Accounting and Audit
  • Raluca Gușe, Department of Accounting and Audit
  • Dragoș Mangiuc, Department of Accounting and Audit
  • Elena Nechita, Department of Accounting and Audit
  • Andrei Stanciu, Department of Management Information Systems

INTERNATIONAL SCIENTIFIC COMMITTEE

  • Anna Alon, University of Agder, Norway
  • Keryn Chalmers, Swinburne University of Technology, Australia
  • Charles Cho, York University, Canada
  • Robert Faff, University of Queensland, Australia
  • Liliana Feleagă, Bucharest University of Economic Studies, Romania
  • Andrei Filip, ESSEC Business School, France
  • Sidney Gray, University of Sydney, Australia
  • Allan Hodgson, University of Queensland, Australia
  • Sebastian Hoffmann, University of Edinburgh, UK
  • Rania Kamla, Heriot-Watt University, UK
  • Giovanna Michelon, University of Bristol, UK
  • Per Olsson, ESMT Berlin, Germany
  • Katherine Schipper, Duke University, USA
  • Donna Street, University of Dayton, USA

Contents

Foreword, 7

PS1 Corporate disclosure (Chairperson: Giovanna Michelon, University of Bristol, UK), 8
  • Corporate governance disclosure in banking sector: A content analysis. Oana Marina Bătae, Liliana Feleagă, 9
  • Analysis of annual reports according to ESG dimension. Alexandra-Oana Marinescu, 27

PS2 Audit and ethics (Chairperson: Costel Istrate, Alexandru Ioan Cuza University of Iași, Romania), 41
  • The dynamics of audit market under the adoption of International Financial Reporting Standards. Marta Tache, 42
  • Internal audit – A key process for diminishing the risk of fraud. Mihai Păunică, Cristina Iovu, 52

PS3 Law 1 (Chairperson: Raluca Dimitriu, Bucharest University of Economic Studies, Romania), 66
  • On company change in Romanian business law. Cristina Cojocaru, 67
  • The role of the European Ombudsman in the European Union. Ioana Nely Militaru, 75
  • The excessive publicity and formalities of the fiduciary operations in Romania, and their impact over fiducia. Günay Duagi, 83

PS4 Performance management (Chairperson: Irena Jindrichovska, Metropolitan University in Prague, Czech Republic), 98
  • Adoption and benefits of management accounting practices: A Lebanese study. Hassan Nassereddine, 99

PS5 Law 2 (Chairperson: Cristina Cojocaru, Bucharest University of Economic Studies, Romania), 111
  • Termination of the employment contract during the probationary period. Raluca Dimitriu, 112
  • The legal protection law of working women in international conventions and Jordanian labour. Ibrahim Al-haj-eid, 124

PS6 Audit (Chairperson: Rania Kamla, Heriot-Watt University, UK), 137
  • Impact of the auditors’ characteristics and of the audited firm on the audit quality: Evidence from the Romanian regulated market. Mihai Carp, Costel Istrate, 138

PS7 Accounting and finance 1 (Chairperson: Robert Faff, University of Queensland, Australia), 154
  • Effects of West Texas intermediate crude oil on stock markets (Romania, Austria, Hungary, Bulgaria, The Czech Republic and Poland). Ștefan Daniel Armeanu, Camelia Cătălina Joldeș, 155

PS8 Financial structure and intangibles (Chairperson: Allan Hodgson, University of Queensland, Australia), 164
  • The financial structure influence on the cost of capital. Rodica Baciu, Petre Brezeanu, 165

PS9 Accounting education 1 (Chairperson: Alina Almășan, West University of Timișoara, Romania), 176
  • Students’ perception of the current economic environment: Case of Romania. George-Aurelian I. Tudor, Ioan Codruț E. Țurlea, 177
  • Student perceptions of varying methods in the accounting classroom. Jonathan Lyons, 189

PS10 Accounting education 2 (Chairperson: Keryn Chalmers, Swinburne University of Technology, Australia), 203
  • New coordinates of accounting academic education. A Romanian insight. Victoria Stanciu, Irina Bogdana Pugna, Mirela Gheorghe, 204
  • Exploring the entrepreneurship perception of accounting master students. Cristina Lidia Manea, Elena-Mirela Nichita, Alina Mihaela Irimescu, 221

PS11 Accounting and finance 2 (Chairperson: Elvira Scarlat, IE University, Spain), 238
  • Does the par value of share influence the success of IPOs? Tadeusz Dudycz, 239
  • The determinants of ownership in M&As: An analysis of the stake purchases in Romanian acquisitions. George Marian Aevoae, Roxana Dicu, Daniela Mardiros, 253
  • The 4 quick solutions – First step towards a definitive VAT system/to reduce the VAT gap across the EU. Rodica Ghiur, Petre Brezeanu, Mariana Vizoli, 270

PS12 IFRS (Chairperson: Anna Alon, University of Agder, Norway), 286
  • Voluntary financial disclosure in compliance with the International Financial Reporting Standards in Romania. Mihai Păunică, Aureliana-Geta Roman, Mihaela Mocanu, 287
  • Challenges for Romanian IFRS adopters – conflicting legislation regarding the interim dividend. Mirela Păunescu, Adriana F. Popa, 297
  • IFRS compliance in Romania: An institutional analysis on pharmaceutical companies. Silvia Petre, 309

PS13 Emerging issues (Chairperson: Konrad Grabiński, Cracow University of Economics, Poland), 325
  • Participatory budgeting in public sector entities: Framework development. Gabriela Lidia Tănase, Aurelia Ștefănescu, Ileana Cosmina Pitulice, 326
  • Adoption and implementation of IPSASs in Cyprus: A lesson to learn. Amar Sayed Ahmad, 340
  • Stock and flow in accounting. Balance sheet and income statement approaches. Daisuke Suzuki, 354

PS14 CSR (Chairperson: Charles Cho, York University, Canada), 364
  • Multidisciplinary approach of sustainable performance – financial performance nexus. The perspective of energy industry corporations. Camelia Iuliana Lungu, Cornelia Dascălu, Chirața Caraiani, 365

PS15 Non-financial reporting (Chairperson: Sebastian Hoffmann, University of Edinburgh, UK), 388
  • Sustainability reporting in the mining sector. Irena Jindrichovska, Margarita Korkhova, 389
  • The adoption of integrated reporting in Lebanon. Malak Bou Diab, 405
  • The evolution of integrated reporting practices – empirical evidence from recognized reporters. Alina Bratu, 417

PS16 Finance (Chairperson: Andrei Filip, ESSEC Business School, France), 435
  • Comparability of statements of cash flows: Evidence from Baltic countries. Vaiva Kiaupaite Grushniene, Lehte Alver, 436
  • Assessing comparability of accounting information using panel data analysis, in the case of Romanian listed companies. Ioan-Bogdan Robu, 455
  • Detecting earnings management using Benford’s law: The case of Romanian listed companies. Costel Istrate, 467
  • Measuring the level of accounting conservatism in financial reports and its impact on the market value of banks are not applying IFRS. Dhiaa Sabah Alazzawi, Ileana Nișulescu-Ashrafzadeh, 488

PS17 Management Information Systems (Chairperson: Victoria Stanciu, Bucharest University of Economic Studies, Romania), 503
  • The challenges and difficulties in the implementation of ERP systems in Syria. Hasan Alkoutaini, Sherzad Ramadhan, 504
  • The main factors in analysing the deployment of Cloud ERP in order to create a competitive advantage. Lavinia Costan (Popa), Gabriela Pascu (Popescu), 512
  • Impediments of an environmental SAP rollout process inside a sales and distribution enterprise: Analysis and lessons learned from the Romanian case. Viorel Costin Banță, Dana-Maria Boldeanu, 520
  • Current security threats in the national and international context. Lavinia Mihaela Cristea, 532

FOREWORD

It was with great pleasure that we hosted at the Bucharest University of Economic Studies, Romania, another edition of our traditional Accounting and Management Information Systems International Conference, on June 5-6 2019.

Owing to the great collaboration that we continue to have with our international partners, this year’s edition was again co-organized together with the International Association for Accounting Education and Research (IAAER). IAAER’s participation at AMIS IAAER 2019 meant not only the attendance of numerous IAAER officers, but also an increased participation in the organization of the conference’s plenary and regular panels and sessions. As such, the international presence has continued to strengthen and significantly contribute to a great conference experience for delegates.

During the conference, two plenary panels, four regular panels and 17 parallel sessions were organized, for a total of 56 scheduled papers. 130 participants from 16 countries registered and contributed to the debates in either panels or sessions.

Preceding the AMIS IAAER 2019 conference, IAAER and the Association of Chartered Certified Accountants (ACCA) co-organized, on June 3-4 2019, another edition of their traditional Early Career Researchers Workshop. 21 early career academics from Central and Eastern Europe attended a day and a half of presentations and training by 10 recognized international faculty from all over the world. 10 of these early career academics also presented their projects to these very accomplished faculty members, and received timely and constructive feedback on how to improve their work with a view to making it publishable in international journals.

All these activities would not have been possible without the very generous support of our sponsors: ACCA and KPMG (Platinum Sponsors), CIMA (Gold Sponsor), CECCAR, ANEVAR, Domeniile Sâmburești, Deloitte, V&TM, Boromir, TUV Austria and Alintrans (Silver Sponsors), and AECCIG (our partner). Their continued support honours us and helps us strive to offer an excellent conference experience to our delegates.

In the end, I would also like to thank our team: Nadia Albu, Adrian Anica Popa, Dana Boldeanu, Daniela Calu, Liliana Feleagă, Raluca Guşe, Dragoş Mangiuc, Elena Nechita and Andrei Stanciu. They continue to volunteer their time to this important event in Central and Eastern Europe.

We are very much looking forward to hosting everybody again at our university!

Professor Cătălin Albu,
Conference Chair

PS1 CORPORATE DISCLOSURE
Chairperson: Giovanna Michelon, University of Bristol, UK

Corporate governance disclosure in banking sector: A content analysis
Oana Marina Bătae, Liliana Feleagă

Analysis of annual reports according to ESG dimension
Alexandra-Oana Marinescu

Corporate governance disclosure in banking sector: A content analysis

Oana-Marina Bătae (a, 1) and Liliana Feleagă (a)

a Bucharest University of Economic Studies, Romania
1 Corresponding author: Doctoral School in Accounting, Bucharest University of Economic Studies, 6 Piața Romană, 1st district, Bucharest, 010374 Romania.

Abstract

Idea: The aim of this study is to analyse the level of corporate governance disclosure in the banking sector, according to the guidelines issued by the European Banking Authority, for a parent and its subsidiary.

Data: The sample consists of two banks, the focus being on the subsidiary, while the parent is analysed for comparison purposes. The data were hand-collected from the reports published on the official websites of the banks for the year ended 2017.

Tools: A content analysis is used to measure the degree of corporate governance disclosure. A manual coding process was applied to sort the data and classify it into the input, intermediary and output data needed to accomplish the objectives.

What’s new? The results of the study show high values of the corporate governance disclosure index, reflecting compliance with regulatory requirements and also the alignment between a parent and its subsidiary.

So what? The impact of the study lies in highlighting the alignment of group entities.

Contribution: The study contributes to the literature by examining the level of corporate governance disclosure, emphasizing the EBA requirements, which are mandatory to comply with but voluntary to disclose.

Keywords: Corporate governance, banking sector, Romania, parent and subsidiary alignment

1. Introduction

Over time, corporate governance has come to be seen as a long-standing issue: the number of publicized corporate problems in the late 1980s, at least in the UK, led to the setting up of the Cadbury Committee and highlighted business failures, various creative accounting practices, the limited role of auditors and a weak link between the remuneration of executive directors and company performance (Short, 1999). The first major public document to take corporate governance as its object was the United Kingdom’s Cadbury Report of 1992, and better governance quickly became a powerful promise (Erturk et al., 2004). Cadbury (1992) defines corporate governance as “the system by which companies are directed and controlled”.

One of the main drivers of corporate governance is the agency concept, based on agency theory. This assumes that a conflict may arise when the objectives of the shareholders (the principal) differ from those of the executives who run the business using their professional managerial skills (the agent) (Jensen and Meckling, 1976).

However, by the early 2000s, in the UK and US, corporate governance came to be associated more often with disappointment: the failure in 2002 of various mechanisms meant to prevent or detect irresponsible behaviour in organizations such as WorldCom or Enron, or the protest mounted in 2003 by the British media against “rewards for failure” (Erturk et al., 2004).

Heath and Norman (2004) hold that the breakdown of governance in the Enron-era scandals represents a failure of the companies, and also of their shareholders, to protect themselves against many agency problems.

The main objective of an organization is to stick with the strategy that has been set, and in order to accomplish this there are different standards, laws, regulations, rules, policies and principles a company needs to adhere to.

In Romania, from a regulatory and conceptual point of view, corporate governance arrived only at the beginning of the 2000s, the delay being the result of many inconclusive efforts at juridical, social, political and economic reform (Feleagă et al., 2011).

In Austria, even though there is no legal definition of the corporate governance concept, different studies emphasize a strengthening of corporate governance, triggered by a more flexible structure which integrates new stakes and actors and contributes to “the network character of contemporary corporatism” (Molina and Rhodes, 2002). Universal banking in Austria has also outlasted many changes over time, and since 1989, when communism collapsed, Austrian banks have shown interest in investing in CEE, which in a historical context has been their traditional market (European Association for Banking History E.V., 1994).

This interest was also manifested by Erste Group Bank (“EGB”) when it took control of Banca Comercială Română SA (“BCR”).

The aim of this paper is to measure the level of disclosure of the different points related to the guidelines on internal governance, more exactly the EBA requirements, in the case of two representative banks, subsidiary and parent, BCR and EGB. These requirements are mandatory to comply with, a confirmation of compliance being issued and transmitted to the EBA after completion; however, it is not mandatory to disclose every piece of sensitive information.

As secondary objectives, the following were also assessed: the EBA internal governance requirements which are disclosed by the parent but not by the subsidiary; those disclosed by the subsidiary but not by the parent; a statistical analysis of the reports in which the applicability of the requirements can be found; and an analysis of the points which are disclosed in different reports in the case of EGB or BCR.

The rest of the paper is structured as follows: section two presents the literature review, including the local context; section three presents the research methodology, with details regarding the study approach, the data used, the sample selected, the manner in which the data was collected and the formulas used in section four, which presents the results obtained. Last but not least, we present conclusions and forward-looking information already available for future research.

2. Literature review

As Ernst and Young (“EY”) states on its UK official website (2019), corporate governance is central to the health and strength of the global economy.

Four definitions of corporate governance are presented by Huse (2007): the “managerial”, “stakeholder”, “shareholder and supremacy” and “firm” definitions. From the managerial perspective, corporate governance designs or employs different systems and techniques able to secure the values and interests of management. In the shareholder and supremacy definition, the board is accountable to all shareholders, including the monitoring of managerial opportunism, which can be avoided through the co-opting of board members and managers by the shareholders through incentive systems based on share options or shareholding; this definition is linked to agency theory. From the stakeholder perspective, corporate governance is defined as all the relationships between the actors that can be decision makers and key influencers exercising control over firm resources: on the one hand primary actors, usually the shareholders, the board and management, and on the other hand other participants such as clients, suppliers, employees and the community overall. The fourth definition reflects the fact that corporate governance is not only about spreading value to actors but also about creating value throughout the value chain, with the purpose of facilitating cooperation and engaging in collective processes of discovery and search.

Appropriate risk management measures, accountability of the board of directors and senior management, accurate information flows, issues of transparency and the regulatory environment represent key matters in corporate governance (Arjoon, 2005). As he mentions, from an ethical perspective, the key issues identified at the level of corporate governance are those involving questions about relationships and about building trust in society, within or outside the company.

Swammy and McMaster (2018) mention that a combination of laws and regulations, strategy and business structure are the key drivers of the core structure of the board. They also mention that compliance guidelines, in particular for banks, were issued by the Basel Committee on Banking Supervision, providing that a credit institution should hold itself to very high standards in its business activities and should always strive to observe the spirit as well as the letter of the law.

The cornerstone of good governance for banks is good regulation oriented towards curbing excessive risk taking (Mullineux, 2006).

European banks, following the financial crisis of 2007-2008, faced a variety of challenges which continue to this day. These include a slow recovery from economic recession, the European sovereign debt crisis and the reputational and financial consequences of the different forms in which misconduct manifested (Bernasconi and Lalmant, 2015). They consider that, following the European Banking Authority’s guidelines and the adoption of the Capital Requirements Directive (“CRD IV”), European Union (“EU”) wide regulation increased by leaps and bounds, focusing on the supervision of governance. Therefore, it is argued that the convergence of governance practices in the banking sector was driven by the unprecedented regulatory changes faced by credit institutions in Europe.

Even though it is stating the obvious, it is important to remember that financial companies take risks: credit risk, market risk, liquidity risk and many others. Therefore, regardless of whether the organization takes risk, intermediates it or hedges it out, it is very important to understand the business in which its activities are carried out. In this respect, oversight of an appropriately implemented risk governance framework should be in place and exercised by the board of directors. This framework includes a well-developed risk appetite framework, a strong risk culture and effective risk management (Swammy and McMaster, 2018).

Noll (2006) considers that for Central and Eastern European (“CEE”) countries, directives would be more useful in overcoming their governance weaknesses.

It is well known that a corporate governance code is generally not mandatory to adhere to. However, this changes when such a code becomes a stock market listing requirement or a formal rule issued by the legislator.

All the negative externalities that might be related to a bank failure justify bank regulation, as noted by John et al. (2016). A bank failure at the individual level affects not only the credit institution itself but also all the other actors in the financial industry and the global economy. John et al. (2016) mention that the aim of bank regulation is to protect depositors and to promote financial stability.

Transparency and the level of disclosure are two topics of great importance for the well-functioning of a credit institution. For banks in Europe, guidelines on internal corporate governance are issued by the European Banking Authority, and their main points are regulated; it is therefore mandatory to comply with the requirements of the European authority, but not in all cases mandatory to disclose them.

The starting point of the case study is the selection of Romania, an emerging country. Despite recent progress, it has been suggested that disclosure and transparency regarding corporate governance still need improvement in Romania (Albu et al., 2014).

As Noll (2006) noted, Romania struggled to create efficient market institutions, their development being partly delayed by many dramatic political changes. Romania’s entrance under Soviet influence after the Second World War triggered the switch to a centralized, planned economy. In December 1989, after the fall of communism, Romania undertook many dramatic accounting and economic reforms in order to incorporate western business principles; the period after the fall of communism was characterized by many reforms and privatizations (Albu et al., 2014).

As regards privatizations, BCR was part of this process in December 2005, when the Government of Romania officially announced that Erste Bank had acquired the bank at a price of EUR 7.65 per share. At the end of 2005, BCR had total assets of RON 33 billion, more than 25% of the market, and Erste was willing to pay an acquisition price of EUR 3.75 billion to obtain a controlling stake of 61.88% in the biggest Romanian bank of the time. Erste showed confidence in the potential of the local market and started a sound restructuring process led by the Czech banker Tomas Spurny. In 2011, Erste bought a further 24% of the shares, owned by five Romanian financial investment companies, reaching a controlling stake of 93.6%. Thirteen years after privatization, Erste controls 99.88% of BCR, after buying the 6.29% of the shares owned by SIF Oltenia for EUR 140 million.

In 1995, the Bucharest Stock Exchange (“BSE”) was established, a medium-sized stock exchange in Eastern Europe. Romania also had a political goal of adherence to the EU, a process that started in 1993 and ended in January 2007 (Albu et al., 2014). It is also worth mentioning that the first Romanian corporate governance code was issued in 2001, following OECD recommendations, and was then replaced by a new code in 2008, which took effect from 2010 (Albu and Gîrbină, 2015).

3. Research methodology

3.1. Background: Parent and subsidiary disclosures of corporate governance in accordance with the internal governance requirements of the European Banking Authority

Since 2000, European authorities have shown interest in improving corporate governance standards, the main goal being safer and more reliable banking functions (PwC, 2018). A significant role in international financial governance was played by the European Union (“EU”), supported by an administrative channel represented by the European Supervisory Authorities (“ESA”) (Moloney, 2017).

The European Banking Authority (“EBA”) was established on 1 January 2011, taking over all existing tasks and responsibilities of the Committee of European Banking Supervisors, with the main objectives of safeguarding the efficiency, integrity and orderly functioning of the entire banking sector and maintaining financial stability in the EU. The EBA’s main tasks are to contribute to the implementation of the European Single Rulebook in banking, which provides a single set of harmonized prudential rules for all credit institutions throughout the EU, and to promote the convergence of supervisory practices, evaluating risks and vulnerabilities in the EU banking sector (EBA, 2019).

In order to achieve the objectives mentioned above, in September 2011 the EBA released its internal governance requirements, Guidelines 44 (EBA GL 44), which applied until they were revised in September 2017, the revised guidelines taking effect on 30 June 2018.

One of the keys to the success of the banking sector, and of the economy as a whole, is effective corporate governance, Emmanuelle Caruel-Henniaux, Partner at PwC Luxembourg, affirming that: “The EBA guidelines are to ensure that, by harmonizing institutions’ governance arrangements, imprudent risk-taking decisions and choices in the banking sector are reduced significantly” (PwC, 2018).

As is well known, Erste Group Bank (“EGB”) has reached an extensive presence in Central and Eastern Europe (“CEE”), consolidating the following subsidiaries: Ceska Sporitelna Group from Czech Republi

Categorize Significant Global Threat Sources, Objectives, and Capabilities

1

BUCHAREST UNIVERSITY

OF ECONOMIC STUDIES

FACULTY OF ACCOUNTING

AND MANAGEMENT

INFORMATION SYSTEMS

Proceedings of the 14th International

Conference

Accounting and

Management Information Systems

AMIS IAAER 2019

June 5 – 6, 2019

Bucharest University of Economic Studies

6, Piața Romană, 1st District,

Bucharest, 010374 Romania

ISSN 2247-6245

ISSN-L 2247-6245

2

ORGANIZING COMMITTEE
from the Faculty of Accounting and Management Information Systems, Bucharest University of Economic Studies

Liliana Feleagă, Department of Accounting and Audit
Cătălin Albu, Department of Accounting and Audit
Nadia Albu, Department of Accounting and Audit
Adrian Anica-Popa, Department of Financial Analysis and Valuation
Dana Boldeanu, Department of Management Information Systems
Daniela Calu, Department of Accounting and Audit
Raluca Gușe, Department of Accounting and Audit
Dragoș Mangiuc, Department of Accounting and Audit
Elena Nechita, Department of Accounting and Audit
Andrei Stanciu, Department of Management Information Systems

INTERNATIONAL SCIENTIFIC COMMITTEE

Anna Alon, University of Agder, Norway
Keryn Chalmers, Swinburne University of Technology, Australia
Charles Cho, York University, Canada
Robert Faff, University of Queensland, Australia
Liliana Feleagă, Bucharest University of Economic Studies, Romania
Andrei Filip, ESSEC Business School, France
Sidney Gray, University of Sydney, Australia
Allan Hodgson, University of Queensland, Australia
Sebastian Hoffmann, University of Edinburgh, UK
Rania Kamla, Heriot-Watt University, UK
Giovanna Michelon, University of Bristol, UK
Per Olsson, ESMT Berlin, Germany
Katherine Schipper, Duke University, USA
Donna Street, University of Dayton, USA

Contents

Foreword ... 7

PS1 Corporate disclosure (Chairperson: Giovanna Michelon, University of Bristol, UK) ... 8
    Corporate governance disclosure in banking sector: A content analysis, by Oana Marina Bătae and Liliana Feleagă ... 9
    Analysis of annual reports according to ESG dimension, by Alexandra-Oana Marinescu ... 27

PS2 Audit and ethics (Chairperson: Costel Istrate, Alexandru Ioan Cuza University of Iași, Romania) ... 41
    The dynamics of audit market under the adoption of International Financial Reporting Standards, by Marta Tache ... 42
    Internal audit – A key process for diminishing the risk of fraud, by Mihai Păunică and Cristina Iovu ... 52

PS3 Law 1 (Chairperson: Raluca Dimitriu, Bucharest University of Economic Studies, Romania) ... 66
    On company change in Romanian business law, by Cristina Cojocaru ... 67
    The role of the European Ombudsman in the European Union, by Ioana Nely Militaru ... 75
    The excessive publicity and formalities of the fiduciary operations in Romania, and their impact over fiducia, by Günay Duagi ... 83

PS4 Performance management (Chairperson: Irena Jindrichovska, Metropolitan University in Prague, Czech Republic) ... 98
    Adoption and benefits of management accounting practices: A Lebanese study, by Hassan Nassereddine ... 99

PS5 Law 2 (Chairperson: Cristina Cojocaru, Bucharest University of Economic Studies, Romania) ... 111
    Termination of the employment contract during the probationary period, by Raluca Dimitriu ... 112
    The legal protection law of working women in international conventions and Jordanian labour, by Ibrahim Al-haj-eid ... 124

PS6 Audit (Chairperson: Rania Kamla, Heriot-Watt University, UK) ... 137
    Impact of the auditors’ characteristics and of the audited firm on the audit quality: Evidence from the Romanian regulated market, by Mihai Carp and Costel Istrate ... 138

PS7 Accounting and finance 1 (Chairperson: Robert Faff, University of Queensland, Australia) ... 154
    Effects of West Texas intermediate crude oil on stock markets (Romania, Austria, Hungary, Bulgaria, The Czech Republic and Poland), by Ștefan Daniel Armeanu and Camelia Cătălina Joldeș ... 155

PS8 Financial structure and intangibles (Chairperson: Allan Hodgson, University of Queensland, Australia) ... 164
    The financial structure influence on the cost of capital, by Rodica Baciu and Petre Brezeanu ... 165

PS9 Accounting education 1 (Chairperson: Alina Almășan, West University of Timișoara, Romania) ... 176
    Students’ perception of the current economic environment: Case of Romania, by George-Aurelian I. Tudor and Ioan Codruț E. Țurlea ... 177
    Student perceptions of varying methods in the accounting classroom, by Jonathan Lyons ... 189

PS10 Accounting education 2 (Chairperson: Keryn Chalmers, Swinburne University of Technology, Australia) ... 203
    New coordinates of accounting academic education. A Romanian insight, by Victoria Stanciu, Irina Bogdana Pugna and Mirela Gheorghe ... 204
    Exploring the entrepreneurship perception of accounting master students, by Cristina Lidia Manea, Elena-Mirela Nichita and Alina Mihaela Irimescu ... 221

PS11 Accounting and finance 2 (Chairperson: Elvira Scarlat, IE University, Spain) ... 238
    Does the par value of share influence the success of IPOs?, by Tadeusz Dudycz ... 239
    The determinants of ownership in M&As: An analysis of the stake purchases in Romanian acquisitions, by George Marian Aevoae, Roxana Dicu and Daniela Mardiros ... 253
    The 4 quick solutions – First step towards a definitive VAT system/to reduce the VAT gap across the EU, by Rodica Ghiur, Petre Brezeanu and Mariana Vizoli ... 270

PS12 IFRS (Chairperson: Anna Alon, University of Agder, Norway) ... 286
    Voluntary financial disclosure in compliance with the International Financial Reporting Standards in Romania, by Mihai Păunică, Aureliana-Geta Roman and Mihaela Mocanu ... 287
    Challenges for Romanian IFRS adopters – conflicting legislation regarding the interim dividend, by Mirela Păunescu and Adriana F. Popa ... 297
    IFRS compliance in Romania: An institutional analysis on pharmaceutical companies, by Silvia Petre ... 309

PS13 Emerging issues (Chairperson: Konrad Grabiński, Cracow University of Economics, Poland) ... 325
    Participatory budgeting in public sector entities: Framework development, by Gabriela Lidia Tănase, Aurelia Ștefănescu and Ileana Cosmina Pitulice ... 326
    Adoption and implementation of IPSASs in Cyprus: A lesson to learn, by Amar Sayed Ahmad ... 340
    Stock and flow in accounting. Balance sheet and income statement approaches, by Daisuke Suzuki ... 354

PS14 CSR (Chairperson: Charles Cho, York University, Canada) ... 364
    Multidisciplinary approach of sustainable performance – financial performance nexus. The perspective of energy industry corporations, by Camelia Iuliana Lungu, Cornelia Dascălu and Chirața Caraiani ... 365

PS15 Non-financial reporting (Chairperson: Sebastian Hoffmann, University of Edinburgh, UK) ... 388
    Sustainability reporting in the mining sector, by Irena Jindrichovska and Margarita Korkhova ... 389
    The adoption of integrated reporting in Lebanon, by Malak Bou Diab ... 405
    The evolution of integrated reporting practices – empirical evidence from recognized reporters, by Alina Bratu ... 417

PS16 Finance (Chairperson: Andrei Filip, ESSEC Business School, France) ... 435
    Comparability of statements of cash flows: Evidence from Baltic countries, by Vaiva Kiaupaite Grushniene and Lehte Alver ... 436
    Assessing comparability of accounting information using panel data analysis, in the case of Romanian listed companies, by Ioan-Bogdan Robu ... 455
    Detecting earnings management using Benford’s law: The case of Romanian listed companies, by Costel Istrate ... 467
    Measuring the level of accounting conservatism in financial reports and its impact on the market value of banks are not applying IFRS, by Dhiaa Sabah Alazzawi and Ileana Nișulescu-Ashrafzadeh ... 488

PS17 Management Information Systems (Chairperson: Victoria Stanciu, Bucharest University of Economic Studies, Romania) ... 503
    The challenges and difficulties in the implementation of ERP systems in Syria, by Hasan Alkoutaini and Sherzad Ramadhan ... 504
    The main factors in analysing the deployment of Cloud ERP in order to create a competitive advantage, by Lavinia Costan (Popa) and Gabriela Pascu (Popescu) ... 512
    Impediments of an environmental SAP rollout process inside a sales and distribution enterprise: Analysis and lessons learned from the Romanian case, by Viorel Costin Banță and Dana-Maria Boldeanu ... 520
    Current security threats in the national and international context, by Lavinia Mihaela Cristea ... 532

FOREWORD

It was with great pleasure that we hosted at the Bucharest University of Economic Studies, Romania, another edition of our traditional Accounting and Management Information Systems International Conference, on June 5-6 2019.

Owing to the great collaboration that we continue to have with our international partners, this year’s edition was again co-organized together with the International Association for Accounting Education and Research (IAAER). IAAER’s participation at AMIS IAAER 2019 meant not only the attendance of numerous IAAER officers, but also an increased participation in the organization of the conference’s plenary and regular panels and sessions. As such, the international presence has continued to strengthen and significantly contribute to a great conference experience for delegates.

During the conference, two plenary panels, four regular panels and 17 parallel sessions were organized, for a total of 56 papers that were scheduled. 130 participants from 16 countries registered and contributed to the debates in either panels or sessions.

Preceding the AMIS IAAER 2019 conference, IAAER and the Association of Chartered Certified Accountants (ACCA) co-organized, on June 3-4 2019, another edition of their traditional Early Career Researchers Workshop. 21 early career academics from Central and Eastern Europe attended one and a half days of presentations and training by 10 recognized international faculty from all over the world. 10 of these early career academics also presented their projects to these very accomplished faculty members, and received timely and constructive feedback on how to improve their work with a view to making it publishable in international journals.

All these activities would not have been possible without the very generous support of our sponsors: ACCA and KPMG (Platinum Sponsors), CIMA (Gold Sponsor), CECCAR, ANEVAR, Domeniile Sâmburești, Deloitte, V&TM, Boromir, TUV Austria and Alintrans (Silver Sponsors), and AECCIG (our partner). Their continued support honours us and helps us strive to offer an excellent conference experience to our delegates.

In the end, I will also thank our team: Nadia Albu, Adrian Anica Popa, Dana Boldeanu, Daniela Calu, Liliana Feleagă, Raluca Guşe, Dragoş Mangiuc, Elena Nechita and Andrei Stanciu. They continue to volunteer their time to this important event in Central and Eastern Europe.

We are very much looking forward to hosting everybody again at our university!

Professor Cătălin Albu,
Conference Chair

PS1 CORPORATE DISCLOSURE
Chairperson: Giovanna Michelon, University of Bristol, UK

Corporate governance disclosure in banking sector: A content analysis, by Oana Marina Bătae and Liliana Feleagă
Analysis of annual reports according to ESG dimension, by Alexandra-Oana Marinescu

Corporate governance disclosure in banking sector: A content analysis

Oana-Marina Bătae (a)(1) and Liliana Feleagă (a)

(a) Bucharest University of Economic Studies, Romania

Abstract
Idea: The aim of this study is to analyse the level of corporate governance disclosure in the banking sector according to the guidelines issued by the European Banking Authority, for a parent and its subsidiary.
Data: The sample consists of two banks, the focus being on the subsidiary, while the parent is analysed for comparison purposes. The data were hand collected from the reports published on the banks’ official websites for the year ended 2017.
Tools: A content analysis is used in order to measure the degree of corporate governance disclosure. A manual coding process was applied in order to sort the data and classify it into the input, intermediary and output data needed to accomplish the objectives.
What’s new? The results of the study show high values of the corporate governance disclosure index, reflecting compliance with regulatory requirements and also the alignment between a parent and its subsidiary.
So what? The impact of the study lies in highlighting the alignment of group entities.
Contribution: The study contributes to the literature by examining the level of corporate governance disclosure, emphasizing the EBA requirements, which are mandatory to comply with but voluntary to disclose.

Keywords: Corporate governance, banking sector, Romania, parent and subsidiary alignment

1. Introduction

Over time, corporate governance has been considered a long-standing issue. The number of publicized corporate problems that occurred in the late 1980s, at least in the UK, led to the setting up of the Cadbury Committee and highlighted the following: business failures, various creative accounting practices, the limited role of the auditors and a weak link between the remuneration of executive directors and the performance of the company (Short, 1999). The first major public document that took corporate governance as its object is the United Kingdom’s Cadbury Report of 1992, and better governance quickly became a powerful promise (Erturk et al., 2004). Cadbury (1992) defines corporate governance as “the system by which companies are directed and controlled”.

One of the main drivers of corporate governance is the agency concept, based on agency theory. It assumes that a conflict may arise when the objectives of the shareholders (the principal) are not the same as those of the executives who run the business using their professional managerial skills (the agent) (Jensen and Meckling, 1976).

However, by the early 2000s, in the UK and the US, corporate governance started to be associated more often with disappointment: the failure in 2002 of various mechanisms meant to prevent or detect irresponsible behaviour in organizations such as WorldCom or Enron, or the protest held in 2003 by the British media regarding the limitation of “rewards for failure” (Erturk et al., 2004).

Heath and Norman (2004) hold that the breakdown of governance in the Enron-era scandals represents a failure of the companies, and also of their shareholders, to protect themselves against many agency problems.

The main objective of an organization is to stick to the strategy that has been set, and in order to accomplish this there are different standards, laws, regulations, rules, policies and principles a company needs to adhere to.

In Romania, from a regulatory and conceptual point of view, corporate governance entered the picture only at the beginning of the 2000s, the delay being the result of many inconclusive efforts at juridical, social, political and economic reform (Feleagă et al., 2011).

In Austria, even though there is no legal definition of the corporate governance concept, different studies emphasize a strengthening of corporate governance, triggered by a more flexible structure that integrates new stakes and actors and contributes to “the network character of contemporary corporatism” (Molina and Rhodes, 2002). Universal banking in Austria has outlasted many changes over time, and since 1989, when communism collapsed, Austrian banks have shown interest in investing in Central and Eastern Europe (CEE), which in a historical context had been their traditional market (European Association for Banking History E.V., 1994). This interest was also manifested by Erste Group Bank (“EGB”) when it started to control Banca Comercială Română SA (“BCR”).

The aim of this paper is to measure the level of disclosure of the different points related to the guidelines on internal governance, more exactly the EBA requirements, in the case of two representative banks, a subsidiary and its parent, BCR and EGB. Compliance with these requirements is mandatory, and a confirmation of compliance is issued and transmitted to EBA after completion; however, it is not mandatory to disclose every piece of sensitive information.

As secondary objectives, the following were also assessed: the EBA requirements regarding internal governance that are disclosed by the parent but not by the subsidiary; those disclosed by the subsidiary but not by the parent; a statistical analysis of the reports in which the applicability of the requirements can be found; and an analysis of the points disclosed in different reports by EGB or BCR.

The rest of the paper is structured as follows: section two presents the literature review, including the local context; section three presents the research methodology, with details regarding the study approach, the data used, the sample selected, the manner in which the data was collected and the formulas used in section four, which presents the results obtained. Last but not least, we present the conclusions and the information already available for future research.

(1) Corresponding author: Doctoral School in Accounting, Bucharest University of Economic Studies, 6 Piața Romană, 1st district, Bucharest, 010374 Romania.

2. Literature review

As Ernst & Young (“EY”) notes on its UK official website (2019), corporate governance is central to the health and strength of the global economy.

Four definitions of corporate governance are presented by Huse (2007): the “managerial”, “stakeholder”, “shareholder and supremacy” and “firm” definitions. From the managerial perspective, corporate governance designs or employs systems and techniques able to secure the values and interests of management. In the shareholder and supremacy definition, the board is accountable to all shareholders; this includes monitoring managerial opportunism, which can be avoided by the shareholders co-opting board members and managers through incentive systems based on share options or shareholdings. This definition is linked to agency theory. From the stakeholder perspective, corporate governance is defined as all the relationships between the actors that can be decision makers and key influencers exercising control over firm resources. The actors are, on the one hand, the primary actors, usually the shareholders, the board and management, and on the other hand other participants such as clients, suppliers, employees and the community overall. The fourth definition reflects the fact that corporate governance is not only about distributing value to actors but also about creating value throughout the value chain, with the purpose of facilitating cooperation and engaging in collective processes of discovery and search.

Appropriate risk management measures, the accountability of the board of directors and of senior management, accurate information flows, transparency issues and the regulatory environment are key matters in corporate governance (Arjoon, 2005). As he mentions, from an ethical perspective, the key issues identified at the level of corporate governance are those that involve questions concerning relationships and building trust in society, within or outside the company.

Swammy and McMaster (2018) mention that a combination of laws and regulations, strategy and business structure are the key drivers of the core structure of the board. They also mention that compliance guidelines, in particular for banks, were issued by the Basel Committee on Banking Supervision, providing that a credit institution should hold itself to very high standards in its business activities and should always strive to observe the spirit as well as the letter of the law.

The cornerstone of good governance for banks is good regulation oriented towards curbing excessive risk taking (Mullineux, 2006).

Following the financial crisis of 2007-2008, European banks faced a variety of challenges which continue to this day. These include a slow recovery from the economic recession, the European sovereign debt crisis and the reputational and financial consequences of the different forms in which misconduct manifested itself (Bernasconi and Lalmant, 2015). They consider that, following the European Banking Authority’s guidelines and the adoption of the Capital Requirements Directive (“CRD IV”), European Union (“EU”) wide regulation increased by leaps and bounds, with a focus on the supervision of governance. Therefore, it is held that the convergence of governance practices in the banking sector was driven by the fact that credit institutions in Europe faced unprecedented regulatory changes.

Even though it is stating the obvious, it is important to remember that financial companies take risk: credit risk, market risk, liquidity risk and many others. Therefore, regardless of whether the organization takes the risk, intermediates it or hedges it out, it is very important to understand the business in which the activities are carried out. In this respect, oversight of an appropriately implemented risk governance framework should be in place and exercised by the board of directors. This framework includes a well developed risk appetite framework, a strong risk culture and effective risk management (Swammy and McMaster, 2018).

Noll (2006) considers that for Central and Eastern European (“CEE”) countries, directives would be more useful for overcoming their governance weaknesses.

It is well known that a corporate governance code is generally not mandatory to adhere to. However, this changes when such a code becomes a listing requirement of a stock market or when it becomes a formal rule issued by the legislator.

All the negative externalities that may be related to a bank failure justify bank regulation, as noted by John et al. (2016). A bank failure at the individual level affects not only the credit institution itself, but also all the other actors in the financial industry and the global economy. John et al. (2016) mention that the aim of bank regulation is to protect depositors and to promote financial stability.

Transparency and the level of disclosure are two very important topics in the well-functioning of a credit institution. In the case of banks in Europe, guidelines on internal corporate governance are offered by the European Banking Authority, and the main highlights are regulated; therefore, it is mandatory to comply with the requirements of the European authority, but it is not mandatory in all cases to also disclose them.

The starting point of the case study is the selection of Romania, an emerging country. Despite recent progress, it has been suggested that disclosure and transparency with regard to corporate governance still need improvement in Romania (Albu et al., 2014).

As Noll (2006) noted, Romania struggled to create efficient market institutions, institutional development being partly delayed by many dramatic political changes. Romania’s entry under Soviet influence after the Second World War triggered the switch to a centralized and planned economy. In December 1989, after the fall of communism, Romania faced many dramatic accounting and economic reforms in order to incorporate western business principles. The period after the fall of communism was characterized by many reforms and privatizations (Albu et al., 2014).

With regard to privatizations, BCR was part of this process in December 2005, when the Government of Romania officially announced that Erste Bank had acquired the bank at a price of EUR 7.65 per share. At the end of 2005, BCR had total assets of RON 33 billion, more than 25% of the market, and Erste was willing to pay an acquisition price of EUR 3.75 billion in order to obtain a 61.88% controlling stake in the biggest Romanian bank at that time. Erste showed confidence in the potential of the local market and started a sound restructuring process led by the Czech banker Tomas Spurny. In 2011, Erste bought the 24% of the shares owned by five Romanian financial investment companies, reaching a 93.6% stake. Thirteen years after privatization, Erste controls 99.88% of BCR, after buying the 6.29% of the shares owned by SIF Oltenia for EUR 140 million.

In 1995, the Bucharest Stock Exchange (“BSE”) was established, a medium-sized stock exchange in Eastern Europe. Romania also had the political goal of EU accession, a process that started in 1993 and finished in January 2007 (Albu et al., 2014). It is also worth mentioning that the first Romanian corporate governance code was issued in 2001, following OECD recommendations, and was then replaced by a new code in 2008 which took effect in 2010 (Albu and Gîrbină, 2015).

3. Research methodology

3.1. Background: Parent and subsidiary disclosures of corporate governance in accordance with internal governance requirements from the European Banking Authority

Since 2000, European authorities have shown interest in improving corporate governance standards, the main goal being safer and more reliable bank functions (PwC, 2018). A significant role in international financial governance was played by the European Union (“EU”) with the support of an administrative channel represented by the European Supervisory Authorities (“ESA”) (Moloney, 2017).

The European Banking Authority (“EBA”) was established on 1 January 2011, taking over all existing tasks and responsibilities of the Committee of European Banking Supervisors. Its main objectives are to safeguard the efficiency, integrity and orderly functioning of the entire banking sector and to maintain financial stability in the EU. EBA’s main tasks are to contribute to the implementation of the European Single Rulebook in banking, which provides a single set of harmonized prudential rules for all credit institutions throughout the EU, to promote the convergence of supervisory practices and to evaluate risks and vulnerabilities in the EU banking sector (EBA, 2019).

In order to achieve the objectives mentioned above, in September 2011 EBA released its internal governance requirements, Guidelines 44 (EBA GL 44), which remained applicable until they were revised in September 2017, the revision taking effect on 30 June 2018.

One of the keys to the success of the banking sector, and of the economy as a whole, is effective corporate governance, Emmanuelle Caruel-Henniaux, Partner at PwC Luxembourg, affirming that: “The EBA guidelines are to ensure that, by harmonizing institutions’ governance arrangements, imprudent risk-taking decisions and choices in the banking sector are reduced significantly” (PwC, 2018).

As is well known, Erste Group Bank (“EGB”) reached an extensive presence in Central and Eastern Europe (“CEE”), consolidating the following subsidiaries: Ceska Sporitelna Group from Czech Republi

Applied Sciences

Article

Cyber Threat Actors for the Factory of the Future

Mirko Sailio 1,*, Outi-Marja Latvala 1 and Alexander Szanto 2

1 VTT Technical Research Centre of Finland, 02044 Espoo, Finland; outi-marja.latvala@vtt.fi
2 BIGS Brandenburgisches Institut für Gesellschaft und Sicherheit, 14482 Potsdam, Germany; alexander.szanto@bigs-potsdam.org
* Correspondence: mirko.sailio@vtt.fi; Tel.: +358-401958601

Received: 30 April 2020; Accepted: 17 June 2020; Published: 24 June 2020

Abstract: The increasing degree of connectivity in factory of the future (FoF) environments,
with systems that were never designed for a networked environment in terms of their technical
security nature, is accompanied by a number of security risks that must be considered. This leads to
the necessity of relying on risk assessment-based approaches to reach a sufficiently mature cyber
security management level. However, the lack of common definitions of cyber threat actors (CTA)
poses challenges in untested environments such as the FoF. This paper analyses policy papers and
reports from expert organizations to identify common definitions of CTAs. A significant consensus
exists only on two common CTAs, while other CTAs are often either ignored or overestimated in their
importance. The identified motivations of CTAs are contrasted with the specific characteristics of FoF
environments to determine the most likely CTAs targeting FoF environments. Special emphasis is
given to corporate competitors, as FoF environments probably provide better opportunities than ever
for industrial espionage if they are not sufficiently secured. In this context, the study aims to draw
attention to the research gaps in this area.

Keywords: Factory of the Future (FoF); cyber threat actor; threat actors; corporate cyber espionage

1. Introduction

A managed information security strategy for an organization requires an approach based on risk analysis, both for efficient resource allocation and to document the due diligence required by law. Multiple common frameworks for risk analysis have been described. These approaches present the identification of cyber threat actors (CTAs) as a critical step in successfully designing a robust cyber defense for an organization.

Many information security organizations have defined classifications or lists of types of threat actors, threat agents or malicious actors. However, there is often no consensus on common definitions of the types of attackers, and often the reader must assume the perspective of the organization compiling such a list. Furthermore, organizations may tend to consider just one or only a few sources of information, and thus orient their actions according to the scope of the threat elements classified in the respective report. This may result in overlooking a threat that the majority of security organizations have identified as a risk factor, or in over-emphasizing a CTA with minor effect on the operation of a real environment. Thus, there is a tendency to focus on quantitative factors (i.e., the number of occurrences of different threat actors mentioned in the respective reports) rather than qualitative factors (i.e., a competitive analysis).

This study has, therefore, systematically collected relevant literature on CTAs from reports and strategy papers of national and expert organizations as well as industry, first to provide an overview and second to identify priorities and potentially ignored or underestimated risks. While industrial espionage is not a new phenomenon and has always been practiced by states and by competitors,

Appl. Sci. 2020, 10, 4334; doi:10.3390/app10124334 www.mdpi.com/journal/applsci

the majority of the expert literature shies away from discussing this threat actor in cyberspace or appears to neglect it. At least the results of the assessment of the reports and strategy papers provide some indication of this.

Hence, this study aims to raise awareness of this subject, considering that the economic ecosystem is becoming increasingly interconnected, which is especially true for the factory of the future (FoF). FoF environments promise great productivity gains and new possibilities for profitable business strategies. However, reality also shows that implementing the various conditions required by the FoF environment comes with serious cyber security challenges.

First, this paper studies the different CTA listings and identifies CTAs from multiple organization types, from governmental institutions to cyber security industry experts. Second, the paper groups similar threat actors together to lessen the duplication of actors. Third, threat actors and their capabilities are mapped to the characteristics of the FoF environment. Finally, the paper discusses the somewhat politely ignored role of competitors as threat actors and the concept of “hack back” as a controversially debated defense mechanism.
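The second step above, grouping differently named but equivalent actors before counting how many sources name each one, is where most of the comparison's rigour comes from. The script below is an added example written for this page, not code from the paper or its authors; the synonym table, the canonical category names and the three report excerpts are all constructed for illustration and are neither the paper's taxonomy nor quotations from any real report.

```python
"""Consolidate threat-actor labels from several report excerpts into canonical
CTA categories and count in how many distinct sources each category appears."""
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed synonym table (an assumption for this example, not the paper's
# taxonomy): lower-case label variants mapped to one canonical actor name.
SYNONYMS: Dict[str, str] = {
    "nation state": "state actor",
    "nation-state": "state actor",
    "state sponsored": "state actor",
    "state-sponsored": "state actor",
    "apt": "state actor",
    "cyber criminal": "cybercriminal",
    "cybercriminal": "cybercriminal",
    "organised crime": "cybercriminal",
    "organized crime": "cybercriminal",
    "hacktivist": "hacktivist",
    "insider": "insider",
    "malicious insider": "insider",
    "competitor": "competitor",
    "industrial espionage": "competitor",
    "script kiddie": "opportunist",
    "opportunist": "opportunist",
}

# One compiled pattern per variant: \b keeps "apt" from matching inside
# "adapt", and the optional "s" picks up plurals such as "hacktivists".
_PATTERNS = [(re.compile(r"\b" + re.escape(v) + r"s?\b"), c)
             for v, c in SYNONYMS.items()]


def canonical_actors(text: str) -> Set[str]:
    """Return the set of canonical actor names mentioned in one excerpt."""
    lowered = text.lower()
    return {canon for pattern, canon in _PATTERNS if pattern.search(lowered)}


def source_counts(reports: Dict[str, str]) -> Counter:
    """Count in how many distinct sources each canonical actor appears.
    A report that repeats a label ten times still counts once, so a single
    verbose report cannot inflate an actor's apparent consensus."""
    counts: Counter = Counter()
    for text in reports.values():
        counts.update(canonical_actors(text))
    return counts


def ranked(reports: Dict[str, str]) -> List[tuple]:
    """Actors ordered by number of sources (descending), then by name."""
    return sorted(source_counts(reports).items(), key=lambda kv: (-kv[1], kv[0]))


def singletons(reports: Dict[str, str]) -> List[str]:
    """Actors named by exactly one source: the candidates for the 'ignored or
    underestimated' category the paper sets out to find."""
    return sorted(a for a, n in source_counts(reports).items() if n == 1)


# Constructed excerpts standing in for three source types (agency report,
# vendor report, national strategy). Invented for this example, not quotations.
SAMPLE_REPORTS: Dict[str, str] = {
    "agency_a": "Nation-state actors and organised crime remain the dominant "
                "threats. Hacktivists are declining in relevance.",
    "vendor_b": "APT groups, cyber criminals and malicious insiders were "
                "observed. APT activity doubled year on year.",
    "strategy_c": "State-sponsored espionage and industrial espionage by "
                  "competitors are the primary concern for manufacturing.",
}

if __name__ == "__main__":
    for actor, n in ranked(SAMPLE_REPORTS):
        print(f"{actor:<14} named by {n} of {len(SAMPLE_REPORTS)} sources")
    print("single-source actors:", singletons(SAMPLE_REPORTS))
```

Counting sources rather than raw mentions is deliberate: it is the per-source presence, not the repetition inside one document, that says anything about consensus, which is the quantitative bias the introduction warns about. The synonym table is the part that needs expert judgement; whether "APT" belongs under state actors, for instance, is itself one of the definitional disagreements the paper examines.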

2. Analysis of Reports and Strategy Papers—Identifying Cyber Threat Actors

Threat actors are defined, e.g., as an entity that is responsible for an incident that impacts or has
the potential to impact an organization’s security [1]. This definition, however, is too vague to identify
the real threats to an organization. This section lists the threat actors identified by different authorities
(national bodies, cyber security expert organizations and industry leaders) to examine their kind and
number of appearances. The national, expert and industry organizations were selected for their importance
in the field of cyber security, with the aim of obtaining a broad collection from which to identify
similarities, using documentation published in English to facilitate peer review.

CTAs identified by national authorities are collected by first analyzing reports published by
relevant cyber security bureaus. Thereafter, the national cyber security strategies are considered. While
national advice and official positions on threat actors may not be available in the languages known to
the authors, broader level strategy papers typically are. We have also included the European Union
Agency for Cybersecurity (ENISA) and the United Nations in this authority category even though
they are international organizations. Their expertise and recommendations are particularly relevant
for countries that do not have extensive and sophisticated technical (information technology (IT))
expertise, and they probably present an international consensus on the ideas. Since ENISA, as a
cybersecurity umbrella organization, represents and is responsible for all European Union (EU) nation
states, no national level analysis is made of EU countries, even though many would have been natural
candidates for the list.

Other expert organizations and industry leaders have also published reports or communications
describing the threat landscape of the internet. It is interesting to note that many reports avoided
talking about threat actors, making them meaningless for our research. Some of the most notable were
Rapid7, Symantec and OWASP (Open Web Application Security Project).

Table 1 shows the findings of the research on the reports and strategy papers. Identified CTAs are
marked with an “X” and CTAs strongly indicated by the paper are marked with an “i”.

Table 1. List of identified cyber threat actors (CTAs) based on international reports and strategy papers.

| Organization | Nation-States | Cyber Criminal | Hacktivist | Terrorist | Insider | Thrill Seeker | Hacker | Ind. Espionage | Corporation | Malicious Actor | Other | Partner |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| National | | | | | | | | | | | | |
| US NIST | X | X | X | X | X | X | i | X | – | – | – | X |
| ENISA | X | X | X | X | X | – | – | – | X | – | – | – |
| Canada CCCS | X | X | X | X | X | X | – | – | – | – | – | – |
| Japan NISC | X | X | – | i | – | – | – | – | – | X | – | – |
| Russia | X | X | – | X | – | – | – | – | – | – | – | – |
| India | X | X | – | X | – | – | – | i | – | – | – | – |
| Brazil | X | X | X | X | – | – | – | – | – | – | – | – |
| S. Africa | X | X | – | X | – | – | – | – | – | – | – | – |
| UN | X | X | – | X | – | – | – | i | – | – | – | – |
| China CAC | – | X | – | X | – | – | – | i | – | – | – | – |
| Expert | | | | | | | | | | | | |
| SANS | X | X | X | – | X | – | – | – | – | – | – | X |
| CIS | X | X | X | X | X | – | – | – | – | – | – | – |
| CC | – | – | – | – | X | – | X | – | – | X | X | – |
| ISSA | X | X | – | – | X | – | – | – | – | – | – | – |
| ITU | X | – | – | X | X | – | – | – | – | i | – | – |
| Industry | | | | | | | | | | | | |
| CrowdStrike | X | X | X | – | – | – | – | – | – | – | – | i |
| Verizon | X | X | X | – | X | – | – | – | – | – | – | X |
| IBM | X | X | X | – | X | – | X | – | X | X | – | – |
| FireEye | X | X | – | – | X | – | – | i | – | – | – | X |
| Symantec | – | X | – | – | – | – | – | – | – | i | – | – |
| Accenture | X | X | X | – | – | – | – | – | – | – | – | X |
| McAfee | X | X | – | – | – | – | – | – | – | – | – | i |
| Sum (22 organizations) | 19 | 20 | 10 | 12 | 11 | 2 | 3 | 5 | 2 | 5 | 1 | 7 |

2.1. National and International Cyber Security Organizations

2.1.1. US—National Institute for Standards and Technology (NIST)

The United States has multiple major agencies tasked with cyber security, the most notable perhaps
being the National Institute for Standards and Technology (NIST). NIST has published a great number
of reports and guidelines for cyber security. Its 800-82 guide for industrial control systems security is
perhaps the best fitting [2]. The CTAs identified include national governments (nation-states), terrorists,
industrial spies, organized crime groups (cyber criminals), hacktivists and hackers. It also refers to an
additional source [3], which further includes thrill seekers and insiders as separate actors. Additionally,
NIST has guidelines for conducting risk assessments, which identify industrial espionage and partners
as additional likely CTAs [4].

2.1.2. European Union (EU)—The European Union Agency for Cybersecurity (ENISA)

ENISA is an agency tasked with enhancing Europe’s cyber security capabilities, mainly by conducting
research and providing assistance to national cyber security actors in the EU. It published an annual
threat landscape report until 2019 [5]. The identified threat actor categories have matured somewhat over
the years the report has been published. The report also aims to identify actual incidents that have
been published, and attributes those to the likeliest threat actor category. Its latest threat landscape
report identifies cyber criminals, nation-states, hacktivists, cyber fighters, cyber terrorists and script
kiddies (thrill seekers).

2.1.3. Canada—Canadian Centre for Cyber Security (CCCS)

The Canadian Centre for Cyber Security (CCCS) is the Canadian authority in cyber security. It has
a cyber threat actor list [6] with expected motivations and typical sophistication included. It lists
nation-states, cyber criminals, hacktivists, terrorist groups, thrill seekers and insiders as CTAs.

2.1.4. Japan—National Center of Incident Readiness and Strategy (NISC)

The National Center of Incident Readiness and Strategy (NISC), the Japanese government’s cyber
security authority, has a public cybersecurity strategy [7]. It identifies the key threat actors for Japan
as being other nation-states and cybercrime. It also indicates that terrorist usage of cyberspace needs
to be monitored and understood.

2.1.5. United Nations (UN)

The United Nations (UN) has also been active in aiding to distribute cyber security awareness
in its member countries. It is especially important for the countries that have less developed cyber
security expertise. A recent report [8] identified cyber criminals, nation-states and terrorists as notable
threat actors in the area. Industrial espionage was mentioned as well.

2.1.6. China—The Cyberspace Administration of China (CAC)

The Cyberspace Administration of China (CAC) has published a national cyber security strategy since
2016 [9]. While the original document was not available in English, machine translation has enabled
the authors to use text search for key terms. In addition to supporting meta-analysis documents [10],
this enables a crude level of analysis of threat actor mentions with some level of confidence. Given the
high importance of China in the area of cyber security, the strategy was included without access
to the original text. CAC identifies cybercriminals, terrorists, and industrial espionage as threats.
Interestingly, China is the only state not listing nation-states as threat actors in cyberspace.

2.1.7. Russia

The Security Council of the Russian Federation has published the cyber security strategy of
Russia [11]. It identifies nation-states, cyber criminals and terrorists as threat actors. The major focus
of the strategy is on outside actors targeting social stability by using the cyberspace.

2.1.8. Brazil

Brazil has a complicated cyber security strategy spanning a multitude of different federal
organizations [12]. It identifies state actors, cyber criminals, terrorists and hacktivists as threat actors.

2.1.9. South Africa

South Africa has published the National Cybersecurity Policy Framework since 2015 [13].
It identifies state actors, cyber criminals and terrorists as the main threat actors.

2.1.10. India

India is writing a new version of its National Cyber Security Strategy for 2020, with comments
being presently requested [14]. The call for comments mentions state actors, cyber criminals and
terrorism explicitly and implies high risk to business data (industrial espionage).

2.2. Expert Organizations

2.2.1. The SANS Institute (SANS)

The SANS Institute is an international cooperative research and education organization offering
training and certification for information security professionals around the world. It is one of the
biggest private organizations focusing on information security excellence.

SANS identifies cyber criminals, state sponsored threat actors, hacktivists, insiders (system
administrators, end users, executives and managers) and partners as threat actors [15].

2.2.2. International Securities Services Association (ISSA)

The International Securities Services Association (ISSA) is an organization aiming to strengthen
collaboration and mitigate risks within the global securities services industry. It publishes an annual
cyber security risk management report for its members, including a threat agent analysis for the
industry. The ISSA identifies nation-states, cyber criminals (organized crime), hacktivists, malicious
insiders and unwitting insiders as threat agents [16].

2.2.3. International Telecommunication Union (ITU)

The International Telecommunication Union (ITU), a UN agency focusing on communications
networks, identified nation-states, terrorist, disgruntled workers (insiders) and malicious intruders
(malicious actors) as threat actors [17].

2.2.4. Centre for Internet Security (CIS)

The Centre for Internet Security (CIS) is a non-profit organization aimed to improve cyber security
of private and public organizations. It identifies nation-states, cyber criminals, hacktivists, terrorists
and insiders as primary threat actors [18].

2.2.5. Common Criteria for Information Technology Security Evaluation (CC)

The Common Criteria for Information Technology Security Evaluation (CC) is the technical basis
for an international agreement aiming to ensure common criteria for the security properties of certified
products. The CC gives hackers, malicious users and non-malicious users as examples of threat actors.
It also describes computer processes and accidents as threat actors; these are combined into the “other”
column in Table 1 [19]. Its view of threat actors is unusual when compared to the others, but its
importance as a global standard merits its addition to the list.

2.3. Industry

2.3.1. Verizon

Verizon, an American multinational telecommunications company, provides threat reporting to
the public based on its customers’ incidents. It reports incidents originating from cashiers and
system administrators (insiders), supply chain partners, cyber criminals, nation-states and activists [20].

2.3.2. International Business Machines Corporation (IBM) X-Force Threat Intelligence Index

X-Force provides threat intelligence based on in-house research. It lists organized crime (cyber
crime), nation-state, hacktivist and insider activities in its research [21].

2.3.3. CrowdStrike

CrowdStrike is an anti-virus provider, which publishes an annual report. The CrowdStrike Global
Threat Report focuses on nation-states and cyber criminals. An additional focus is on supply chain
compromises, pointing to the activities of partners as a possible threat actor [22].

2.3.4. Symantec

Symantec is a leading cyber security vendor, which has an annual report on cloud security [23].
It does not focus on identifying threat actors, but names cyber criminals and bad guys (malicious actors).

2.3.5. FireEye

FireEye is an information security vendor with strong threat intelligence abilities. It publishes a
report on detected threat trends annually [24], containing results from its customers’ sensor systems.
This creates great transparency in cyber security incidents. While it does not define threat actors, its
report lists state sponsored actors, cyber criminals and insiders and indicates partner or third-party
actors. It also identifies espionage activity, likely in support of intellectual property or espionage end
goals, indicating likely competitor activity.

2.3.6. Fortinet

Fortinet is a cyber security company boasting the largest device footprint in the industry.
The feedback loop from these devices is reported quarterly in a threat landscape report [25]. It focuses
on the results from its monitoring and identifies cyber criminals and nation-state actors [26].

2.3.7. McAfee

McAfee is a leader in the cyber security and threat intelligence market. It publishes a quarterly
threat report on detected cyber attacks and incidents [27]. It identifies nation-state actors, cyber
criminals and supply chain partner attacks.

2.3.8. Accenture

Accenture is a global professional services company, which has expertise in a wide range of
industries. It publishes an annual report [28] containing measurements based on its cyber defense
system. It identifies cyber criminals, hacktivists, state-sponsored threat actors and compromised
business partners as threat actors.

3. Classifying Cyber Threat Actors (CTAs)

CTAs are differentiated from others mainly by their internal motivation. Skill level, resources and
other such attributes do not differentiate well between different CTAs (e.g., nation-states building their
cyber offence program may be poorly resourced and lacking in skills while a hacktivist group with a
rich patron may have almost limitless resources).

The previous section identified 13 different threat actors. Some of the threat actors have such
similarities in their motivation that they can be combined without losing the meaning of the category,
see Figure 1. Hacktivists and terrorists have been grouped into ideologues, hackers have been merged
with thrill seekers, and industrial espionage and corporations have been combined into a competitor
actor class. Some classes have been imported without change.

Figure 1. Identified threat actors combined into the eight categories discussed in this paper.

The malicious actor umbrella term does not have any differentiation power, so it is discarded as
almost all threat actors can be considered malicious actors. Threats without an actor are placed in a
non-actor classification. Next, we describe the threat actor classes and the reasons for grouping in
more detail.
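As an added illustration (not code from the paper), the following Python script re-tallies Table 1 from a transcription of its rows and applies the Section 3 merging as read from the text: hacktivist and terrorist into ideologues, hacker and thrill seeker together, industrial espionage and corporation into competitors, malicious actor discarded, and the “other” column as the non-actor class. An organization is counted once per merged class however many member columns it marks, and an “i” counts as an identification, which is how the paper’s Sum row treats it; the class names and the indicated-only share are this example’s own.

```python
"""Re-tally Table 1 (Sailio et al., Appl. Sci. 2020) and apply the Section 3 merging.
Added example, not code from the paper. TABLE_1 is a transcription of the paper's
Table 1 with "X" = identified, "i" = strongly indicated, "-" = not mentioned."""
from collections import Counter
from typing import Dict, Tuple

# Column order exactly as in Table 1.
COLUMNS = [
    "nation_state", "cyber_criminal", "hacktivist", "terrorist", "insider",
    "thrill_seeker", "hacker", "ind_espionage", "corporation",
    "malicious_actor", "other", "partner",
]

# Section 3 grouping as read from the text; "malicious_actor" is dropped there as
# having no differentiating power. The class names are this example's own.
GROUPS = {
    "cyber_criminals": ["cyber_criminal"],
    "nation_states": ["nation_state"],
    "ideologues": ["hacktivist", "terrorist"],
    "insiders": ["insider"],
    "thrill_seekers": ["thrill_seeker", "hacker"],
    "competitors": ["ind_espionage", "corporation"],
    "partners": ["partner"],
    "non_actor": ["other"],
}

TABLE_1 = """
US NIST     | X X X X X X i X - - - X
ENISA       | X X X X X - - - X - - -
Canada CCCS | X X X X X X - - - - - -
Japan NISC  | X X - i - - - - - X - -
Russia      | X X - X - - - - - - - -
India       | X X - X - - - i - - - -
Brazil      | X X X X - - - - - - - -
S. Africa   | X X - X - - - - - - - -
UN          | X X - X - - - i - - - -
China CAC   | - X - X - - - i - - - -
SANS        | X X X - X - - - - - - X
CIS         | X X X X X - - - - - - -
CC          | - - - - X - X - - X X -
ISSA        | X X - - X - - - - - - -
ITU         | X - - X X - - - - i - -
CrowdStrike | X X X - - - - - - - - i
Verizon     | X X X - X - - - - - - X
IBM         | X X X - X - X - X X - -
FireEye     | X X - - X - - i - - - X
Symantec    | - X - - - - - - - i - -
Accenture   | X X X - - - - - - - - X
McAfee      | X X - - - - - - - - - i
"""

Row = Dict[str, str]


def parse_table(text: str = TABLE_1) -> Dict[str, Row]:
    """Parse the transcription into {organization: {column: mark}}; a row with the
    wrong number of cells is a transcription error and is rejected."""
    rows: Dict[str, Row] = {}
    for line in text.strip().splitlines():
        org, _, marks = line.partition("|")
        cells = marks.split()
        if len(cells) != len(COLUMNS):
            raise ValueError(f"{org.strip()}: expected {len(COLUMNS)} cells, got {len(cells)}")
        rows[org.strip()] = dict(zip(COLUMNS, cells))
    return rows


def column_counts(rows: Dict[str, Row]) -> Dict[str, Tuple[int, int]]:
    """Per column: (organizations marking 'X', organizations marking 'i')."""
    explicit: Counter = Counter()
    indicated: Counter = Counter()
    for marks in rows.values():
        for col, mark in marks.items():
            if mark == "X":
                explicit[col] += 1
            elif mark == "i":
                indicated[col] += 1
    return {col: (explicit[col], indicated[col]) for col in COLUMNS}


def sum_row(rows: Dict[str, Row]) -> Dict[str, int]:
    """Reproduce the paper's Sum row, which adds 'X' and 'i' together."""
    return {col: x + i for col, (x, i) in column_counts(rows).items()}


def grouped_counts(rows: Dict[str, Row]) -> Dict[str, int]:
    """Organizations naming at least one member column of each merged class;
    one listing both hacktivists and terrorists counts once under ideologues."""
    return {
        group: sum(1 for marks in rows.values() if any(marks[c] != "-" for c in members))
        for group, members in GROUPS.items()
    }


def indicated_only_share(rows: Dict[str, Row]) -> Dict[str, float]:
    """Share of a column's mentions that are only 'strongly indicated'. A high share
    means the actor is hinted at far more often than it is named outright."""
    return {col: (round(i / (x + i), 2) if x + i else 0.0)
            for col, (x, i) in column_counts(rows).items()}


if __name__ == "__main__":
    rows = parse_table()
    print(f"{len(rows)} organizations; Sum row: {sum_row(rows)}")
    print("merged classes:", grouped_counts(rows))
    print("indicated-only share:", indicated_only_share(rows))
```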

3.1. Cyber Criminals

Cyber criminals infiltrate networks using any available and exploitable vulnerability. They
have two objectives, to extract value (money, valuable items or valuable data) and to avoid legal
consequences while doing it. One should keep in mind that a large portion of financial damage caused
by cyber criminals is not direct, especially in industrial networks. Many schemes (e.g., ad fraud, loyalty
program fraud) inflict mainly secondary (indirect) costs to their victim organization [29].

Some cyber crime groups seem to be state-sponsored and act for nation-state threat actors [30],
so clear differentiation between cyber criminals and state actors may be impossible. Cyber criminals
can also work for other third parties, even other cyber criminals, as a service (cyber crime as a
service—CCaaS) [31].

Cyber criminal activity directed at organizations can be divided into three broad categories:

• Mass scams and automated hacking: these activities aim to monetize successful hacking using
automated tools and mass scams to infect a large number of accounts and computers. They use
crypto trojans for blackmail and steal easily sellable data (e.g., social security numbers,
credit card numbers, passwords and bitcoins). They seek to extract value with the minimum possible
human effort. Special mention should be given to cryptojackers, who infect systems and then use
those resources for mining crypto currencies. This gives the owners of the tools financial value
without the knowledge of the owner of the system.

• Criminal infrastructure providers: these actors use automated hacking tools to infect as many
systems as possible, and to consequently use those systems in a criminal infrastructure (e.g.,
botnets). They may then sell the utilization of this infrastructure to third parties for distributed
denial of service (DDoS) attacks, spamming, bullet-proof hosting etc., or exploit it for their own
campaigns. In these cases, an infected system may perform normally without any noticeable
problems, until the system is placed on a public blacklist for malicious activity.

• Big game hunters: these cyber criminals use considerable effort to attack single high-value
targets, especially high-value financial transaction systems (e.g., SWIFT hacks). These types of
attack may apply custom designed malware, or conduct attacks through supply chain partners.
The criminals invest considerable effort into studying the related technologies and network
architectures, carefully engineering the attack and hiding their actions. High-value targets in an
organization are also targeted by email and phone frauds, utilizing social engineering skills to
enhance the wider attack [25,28].

Cyber criminals are very creative: they may both come up with novel attacks and resurface
long-forgotten scams with a fresh perspective to make criminal gains. This is important to keep in
mind, especially when discussing emerging technologies such as artificial intelligence (AI) or the
ecosystem of the FoF.

Cyber criminals are the primary source of incidents in the wild [5]. It is important to note,
however, that cyber crimes range widely from online tax fraud to romance scams [29]. Not all kinds of
cyber crime are relevant to the majority of organizations, and an organization needs to apply proper
risk-based cyber security management processes to identify the relevant threats. Moreover, a tax
fraud, for example, may not be directed at the organization, but an insider committing such a crime could
still impact it. Twenty of the 22 organizations identified cyber criminals as a CTA (Table 1).

3.2. Nation-State Actors

Nation-states can be considered as active threat actors in cyber security [5]. Their objectives are
more varied than that of regular cyber criminals, typically aiming to gather intelligence or support
national interests (e.g., nuclear non-proliferation, financing, technology transfer and dissident control).
The cyberspace toolset has enhanced the abilities that nation-states have already previously held,
especially in espionage.

For the last 20 years, a lot of reporting has been published on cyber operations aimed at technology
proliferation. In this, state actors have been tied to campaigns using industrial espionage to elevate the
capabilities of domestic companies, typically tied to military technologies. China, for instance, has
been especially effective in bridging the technology gap using various methods.

Strategic sabotage is one of the techniques that nation-state actors use. Maybe the best known
suspected nation-state cyber action was the Stuxnet incident [32]. In this incident centrifuges used by
the Iranian nuclear program were sabotaged by infecting their air-gapped control systems with an
advanced malware causing them to deteriorate. While the target was a state-run program, the attack
path went through a commercial actor’s control software.

Some states have been linked to cyber activities which indicate usage of cyber operations to
enable other state activity limited by international sanctions. The SWIFT banking system attacks
have been linked to nation-states using it as a way to finance their operations under strict economic
sanctions [33]. These operations can be thought of as infrastructure enabling other activities. In smaller
scale, nation-state actors using cyber operations for their aims may also need botnet infrastructure to
maintain ability to use and mask cyber operations.

Ukrainian and Georgian critical infrastructures have both been subject to cyber operations seeming
to originate from Russia. These cyber operations have aims similar to those of conventional military
attacks on infrastructure, but without the need for a full-blown war and the international condemnation
and sanctions that would follow. Cyber war operations, however, can be hard to attribute to specific
actors, and there is always plausible deniability [34]. Even when attribution is reliable, there are a lot
of legal gray areas to hide in [35].

Nation-states target not only other nations, but also organizations (e.g., companies and
non-governmental organizations (NGOs)), and they also practice mass surveillance of individuals.
The stated aims are typically counterterrorism work and internal security. One more recent aspect for
state actors is political campaign interference [36].

There are at least two major paths to national cyber operation capability. Some nations use
well-funded intelligence agencies, while others use cyber criminal organizations. Such state sponsored
groups are typically easier to identify, but have had a higher degree of deniability by the state [24].

It should be noted that, for most organizations, propaganda operations by nation-states (e.g.,
fake news, troll farms, social media manipulations) are not a valid cyber threat. Moreover, operating
in certain nations may force the organization to adhere to that country’s cyber laws (e.g., national
firewalls, DNS blacklisting, legal backdoors to systems or mass surveillance of people). These are also
out of the scope of cyber security policies and our paper.

Nation-state activities make up a large part of documented cyber incidents in the wild and represent
the second largest source of measured cyber incidents [5]. In the analysis, 19 of the 22 organizations
identified nation-state actors as a CTA (Table 1).

3.3. Ideologues (Hacktivist and Terrorist)

This paper combines the hacktivists and terrorists under the same threat actor category due to
obvious similarities in operational aims. Hacktivists are activists who are ready to disobey computer
security laws in their activity to advance their cause. Terrorists are groups of people aiming to cause
terror to advance their cause. While the results of their activity are very different, both actors are
ideologically motivated.

Additionally, the use of a terrorist label is problematic, as the label is used subjectively by
nation-states and organizations. Terrorists often seem to be freedom fighters on the other side of
a conflict. The government of Iran might classify the Stuxnet incident as an act of cyber terrorism,
while the West typically considers it a nation-state activity [37]. The definition of cyber terrorism has
become more indiscriminate for many organizations, and some define any activity by a terrorist group
on the internet (e.g., recruitment, money laundering, propaganda) as cyber terrorism. For example,
the Japanese Cyber Strategy [7] refers to the need to monitor terrorist organizations that use cyberspace
for demonstrations, recruiting citizens and raising funds for violent extremism.

Those following an ideology and willing to perform terrorist activities by using computers are
defined to belong to the same category as activists in this paper.

While some activity by these actors is present, it is much smaller than that of cyber
criminals and nation-state actors. In addition, activists are typically a known threat to the organizations
they target. It is interesting to note that while 12 of 22 identify terrorist threat actors, the au

Applied Sciences, Article

Cyber Threat Actors for the Factory of the Future

Mirko Sailio 1,*, Outi-Marja Latvala 1 and Alexander Szanto 2

1 VTT Technical Research Centre of Finland, 02044 Espoo, Finland; outi-marja.latvala@vtt.fi
2 BIGS Brandenburgisches Institut für Gesellschaft und Sicherheit, 14482 Potsdam, Germany; alexander.szanto@bigs-potsdam.org
* Correspondence: mirko.sailio@vtt.fi; Tel.: +358-401958601

Received: 30 April 2020; Accepted: 17 June 2020; Published: 24 June 2020

Abstract: The increasing degree of connectivity in factory of the future (FoF) environments,
with systems that were never designed for a networked environment in terms of their technical
security nature, is accompanied by a number of security risks that must be considered. This leads to
the necessity of relying on risk assessment-based approaches to reach a sufficiently mature cyber
security management level. However, the lack of common definitions of cyber threat actors (CTA)
poses challenges in untested environments such as the FoF. This paper analyses policy papers and
reports from expert organizations to identify common definitions of CTAs. A significant consensus
exists only on two common CTAs, while other CTAs are often either ignored or overestimated in their
importance. The identified motivations of CTAs are contrasted with the specific characteristics of FoF
environments to determine the most likely CTAs targeting FoF environments. Special emphasis is
given to corporate competitors, as FoF environments probably provide better opportunities than ever
for industrial espionage if they are not sufficiently secured. In this context, the study aims to draw
attention to the research gaps in this area.

Keywords: Factory of the Future (FoF); cyber threat actor; threat actors; corporate cyber espionage

1. Introduction

A managed information security strategy for an organization requires an approach based on risk
analysis for efficient resource allocation and to document the due diligence required by law. Multiple
common systems have been described for risk analysis. These approaches present the identification
of cyber threat actors (CTAs) as a critical step in successfully designing a robust cyber defense for
an organization.

Many information security organizations have defined classifications or lists of types of threat
actors, threat agents or malicious actors. However, there is often no consensus on common definitions
of the types of attackers, and often the reader must assume the perspective of the organization
compiling such a list. Furthermore, organizations may tend to consider just one or only a few sources
of information and thus to orientate their actions according to the corresponding scope of the classified
threat elements of the respective report. This may result in overlooking a certain emphasis that the
majority of security organizations have identified as a risk factor or over-emphasizing a CTA with
minor effect in operating a real environment. Thus, there is a tendency to focus on quantitative factors
(i.e., the number of occurrences of different threat actors mentioned in the respective reports) rather
than qualitative factors (i.e., a competitive analysis).

This study has, therefore, systematically collected relevant literature on CTA from reports and
strategy papers of national and expert organizations as well as industries, first to provide an overview
and second to identify priorities and potentially ignored or underestimated risks. While industrial
espionage is not a new phenomenon and has always been practiced by states and by competitors,

Appl. Sci. 2020, 10, 4334; doi:10.3390/app10124334 www.mdpi.com/journal/applsci

Appl. Sci. 2020, 10, 4334 2 of 25

the majority of expert literature shies away from discussing this threat actor in cyberspace or appears
to neglect them. At least the results of the assessment of the reports and strategy papers provide some
indication of this.

Hence, this study aims to raise awareness of this subject, considering that the economic ecosystem
is becoming increasingly interconnected, which is especially true for the factory of the future (FoF).
FoF environments are promising great productivity gains and new possibilities for profitable business
strategies. However, reality also shows that the implementation of these various conditions required
by the FoF environment comes with serious cyber security challenges.

First, this paper studies the different CTA listings and identifies CTAs from multiple organization
types from governmental institutions to cyber security industry experts. Second, the paper groups
similar threat actors together to lessen the duplication of actors. Third, threat actors and their
capabilities are then mapped to the characteristics of the FoF environment. Finally, the paper discusses
the somewhat politely ignored role of competitors as threat actors and the concept of “hack back” as a
controversially debated defense mechanism.

2. Analysis of Reports and Strategy Papers—Identifying Cyber Threat Actors

Threat actors are defined e.g., as an entity that is responsible for an incident that impacts or has
potential to impact an organization’s security [1]. This definition, however, is too vague to identify the
real threats for an organization. This section will list threat actors identified by different authorities:
national, cyber security expert organizations or industry leaders, to examine their kind and number of
appearances. The nation, expert and industry organizations were selected given their importance in
the field of cyber security, with the aim of obtaining a broad collection to identify similarities with
documentation published in English to facilitate peer review.

CTAs identified by national authorities are collected by first analyzing reports published by the
relevant cyber security bureaus, and then considering the national cyber security strategies. While
national advice and official positions on threat actors may not be available in languages known to
the authors, broader strategy papers typically are. We have also included the European Union Agency
for Cybersecurity (ENISA) and the United Nations in this authority category even though they are
international organizations. Their expertise and recommendations are particularly relevant for
countries that lack extensive and sophisticated information technology (IT) expertise, and they likely
represent an international consensus. Since ENISA, as a cybersecurity umbrella organization, represents
and is responsible for all European Union (EU) member states, no national level analysis was made of
individual EU countries, even though many would have been natural candidates for the list.

Other expert organizations and industry leaders have also published reports or communications
describing the threat landscape of the internet. It is worth noting that many reports avoided discussing
threat actors at all, which made them unusable for our research; some of the most notable were Rapid7,
Symantec and OWASP (Open Web Application Security Project).

Table 1 shows the findings of the research on the reports and strategy papers. Identified CTAs are
marked with an “X” and CTAs strongly indicated by the paper are marked with an “i”.

Appl. Sci. 2020, 10, 4334 3 of 25

Table 1. List of identified cyber threat actors (CTAs) based on international reports and strategy papers.
Columns: NS = Nation-states, CR = Cyber criminal, HA = Hacktivist, TE = Terrorist, IN = Insider,
TS = Thrill seeker, HK = Hacker, IE = Industrial espionage, CO = Corporation, MA = Malicious actor,
OT = Other, PA = Partner. X = identified, i = strongly indicated, – = not mentioned.

Organization      NS  CR  HA  TE  IN  TS  HK  IE  CO  MA  OT  PA
National
  US NIST         X   X   X   X   X   X   i   X   –   –   –   X
  ENISA           X   X   X   X   X   –   –   –   X   –   –   –
  Canada CCCS     X   X   X   X   X   X   –   –   –   –   –   –
  Japan NISC      X   X   –   i   –   –   –   –   –   X   –   –
  Russia          X   X   –   X   –   –   –   –   –   –   –   –
  India           X   X   –   X   –   –   –   i   –   –   –   –
  Brazil          X   X   X   X   –   –   –   –   –   –   –   –
  S. Africa       X   X   –   X   –   –   –   –   –   –   –   –
  UN              X   X   –   X   –   –   –   i   –   –   –   –
  China CAC       –   X   –   X   –   –   –   i   –   –   –   –
Expert
  SANS            X   X   X   –   X   –   –   –   –   –   –   X
  CIS             X   X   X   X   X   –   –   –   –   –   –   –
  CC              –   –   –   –   X   –   X   –   –   X   X   –
  ISSA            X   X   –   –   X   –   –   –   –   –   –   –
  ITU             X   –   –   X   X   –   –   –   –   i   –   –
Industry
  CrowdStrike     X   X   X   –   –   –   –   –   –   –   –   i
  Verizon         X   X   X   –   X   –   –   –   –   –   –   X
  IBM             X   X   X   –   X   –   X   –   X   X   –   –
  FireEye         X   X   –   –   X   –   –   i   –   –   –   X
  Symantec        –   X   –   –   –   –   –   –   –   i   –   –
  Accenture       X   X   X   –   –   –   –   –   –   –   –   X
  McAfee          X   X   –   –   –   –   –   –   –   –   –   i
Sum (of 22 org.)  19  20  10  12  11  2   3   5   2   5   1   7

2.1. National and International Cyber Security Organizations

2.1.1. US—National Institute of Standards and Technology (NIST)

The United States has multiple major agencies tasked with cyber security, perhaps the most notable
being the National Institute of Standards and Technology (NIST). NIST has published a great number
of reports and guidelines on cyber security. Its Special Publication 800-82 guide to industrial control
systems security is perhaps the best fit for the FoF context [2]. The CTAs it identifies include national
governments (nation-states), terrorists, industrial spies, organized crime groups (cyber criminals),
hacktivists and hackers. It also refers to an additional source [3], which further includes thrill seekers
and insiders as separate actors. Additionally, NIST's guidelines for conducting risk assessments identify
industrial espionage and partners as additional likely CTAs [4].

2.1.2. European Union (EU)—The European Union Agency for Cybersecurity (ENISA)

ENISA is an agency tasked with enhancing Europe's cyber security capabilities, mainly by conducting
research and providing assistance to national cyber security actors in the EU. It published an annual
threat landscape report up to 2019 [5]. The identified threat actor categories have matured somewhat
over the years the report has been published. The report also aims to identify actual incidents that
have been made public and attributes them to the likeliest threat actor category. The latest threat
landscape report identifies cyber criminals, nation-states, hacktivists, cyber fighters, cyber terrorists
and script kiddies (thrill seekers).

2.1.3. Canada—Canadian Centre for Cyber Security (CCCS)

The Canadian Centre for Cyber Security (CCCS) is the Canadian authority in cyber security. It has
a cyber threat actor list [6] with expected motivations and typical sophistication included. It lists
nation-states, cyber criminals, hacktivists, terrorist groups, thrill seekers and insiders as CTAs.

2.1.4. Japan—National Center of Incident Readiness and Strategy (NISC)

The National Center of Incident Readiness and Strategy (NISC), the Japanese government's cyber
security authority, has a public cybersecurity strategy [7]. It identifies the key threat actors for Japan
as other nation-states and cyber criminals. It also indicates that terrorist use of cyberspace needs
to be monitored and understood.

2.1.5. United Nations (UN)

The United Nations (UN) has also been active in spreading cyber security awareness among its
member states, which is especially important for countries with less developed cyber security
expertise. A recent report [8] identified cyber criminals, nation-states and terrorists as notable
threat actors in the area; industrial espionage was mentioned as well.

2.1.6. China—The Cyberspace Administration of China (CAC)

The Cyberspace Administration of China (CAC) has published a national cyber security strategy since
2016 [9]. While the original document was not available in English, machine translation enabled the
authors to text-search it for key terms. Together with supporting meta-analysis documents [10], this
allows a crude analysis of threat actor mentions with some level of confidence. Given China's high
importance in the area of cyber security, the strategy was included despite the lack of an English
original. CAC identifies cyber criminals, terrorists and industrial espionage as threats. Interestingly,
China is the only state in our sample that does not list nation-states as threat actors in cyberspace.

2.1.7. Russia

The Security Council of the Russian Federation has published the cyber security strategy of
Russia [11]. It identifies nation-states, cyber criminals and terrorists as threat actors. The major focus
of the strategy is on outside actors targeting social stability by using the cyberspace.

2.1.8. Brazil

Brazil has a complex cyber security strategy spanning a multitude of federal organizations [12].
It identifies state actors, cyber criminals, terrorists and hacktivists as threat actors.

2.1.9. South Africa

South Africa has published the National Cybersecurity Policy Framework since 2015 [13].
It identifies state actors, cyber criminals and terrorists as the main threat actors.

2.1.10. India

India is drafting a new version of its National Cyber Security Strategy for 2020, for which public
comments were being solicited at the time of writing [14]. The call for comments explicitly mentions
state actors, cyber criminals and terrorism, and implies a high risk to business data (industrial espionage).

2.2. Expert Organizations

2.2.1. The SANS Institute (SANS)

The SANS Institute is an international cooperative research and education organization offering
training and certification for information security professionals around the world. It is one of the
biggest private organizations focusing on information security excellence.

SANS identifies cyber criminals, state sponsored threat actors, hacktivists, insiders (system
administrators, end users, executives and managers) and partners as threat actors [15].

2.2.2. International Securities Services Association (ISSA)

The International Securities Services Association (ISSA) is an organization aiming to strengthen
collaboration and mitigate risks within the global securities services industry. It publishes an annual
cyber security risk management report for its members, including a threat agent analysis for the
industry. The ISSA identifies nation-states, cyber criminals (organized crime), hacktivists, malicious
insiders and unwitting insiders as threat agents [16].

2.2.3. International Telecommunication Union (ITU)

The International Telecommunication Union (ITU), a UN agency focusing on communications
networks, identifies nation-states, terrorists, disgruntled workers (insiders) and malicious intruders
(malicious actors) as threat actors [17].

2.2.4. Centre for Internet Security (CIS)

The Centre for Internet Security (CIS) is a non-profit organization aimed at improving the cyber
security of private and public organizations. It identifies nation-states, cyber criminals, hacktivists,
terrorists and insiders as the primary threat actors [18].

2.2.5. Common Criteria for Information Technology Security Evaluation (CC)

The Common Criteria for Information Technology Security Evaluation (CC) is the technical basis
for an international agreement aiming to ensure common criteria for the security properties of certified
products. The CC gives hackers, malicious users and non-malicious users as examples of threat actors.
It also describes computer processes and accidents as threat agents; these are combined into the
"other" column of Table 1 [19]. Its view of threat actors is unusual compared to the others, but its
importance as a global standard merits its inclusion in the list.

2.3. Industry

2.3.1. Verizon

Verizon, an American multinational telecommunications company, provides public threat reporting
based on incident data it collects and receives from contributing partners. It reports incidents originating
from cashiers and system administrators (insiders), supply chain partners, cyber criminals, nation-states
and activists [20].

2.3.2. International Business Machines Corporation (IBM) X-Force Threat Intelligence Index

X-Force provides threat intelligence based on in-house research. It lists organized crime (cyber
crime), nation-state, hacktivist and insider activities in their research [21].

2.3.3. CrowdStrike

CrowdStrike is an endpoint security vendor which publishes an annual report. The CrowdStrike Global
Threat Report focuses on nation-states and cyber criminals. An additional focus is on supply chain
compromises, pointing to compromised partners as a possible threat actor [22].

2.3.4. Symantec

Symantec is a leading cyber security vendor, which has an annual report on cloud security [23].
It does not focus on identifying threat actors, but names cyber criminals and bad guys (malicious actors).

2.3.5. FireEye

FireEye is an information security vendor with strong threat intelligence capabilities. It publishes an
annual report on detected threat trends [24], containing results from its customers' sensor systems,
which creates considerable transparency into cyber security incidents. While it does not define threat
actors, its report lists state sponsored actors, cyber criminals and insiders, and indicates partner or
third-party actors. It also identifies espionage activity, likely in support of intellectual property theft
or other espionage end goals, indicating likely competitor activity.

2.3.6. Fortinet

Fortinet is a cyber security company that claims the largest device footprint in the industry.
The feedback loop from these devices is reported quarterly in a threat landscape report [25]. It focuses
on the results of their monitoring and identifies cyber criminals and nation-state actors [26].

2.3.7. McAfee

McAfee is a leader in the cyber security and threat intelligence market. It publishes a quarterly
threat report on detected cyber attacks and incidents [27]. It identifies nation-state actors, cyber
criminals and supply chain partner attacks.

2.3.8. Accenture

Accenture is a global professional services company with expertise in a wide range of industries.
It publishes an annual report [28] containing measurements based on its cyber defense system.
It identifies cyber criminals, hacktivists, state-sponsored threat actors and compromised business
partners as threat actors.

3. Classifying Cyber Threat Actors (CTAs)

CTAs are differentiated from each other mainly by their motivation. Skill level, resources and
similar attributes do not separate CTAs well (e.g., a nation-state building its cyber offence program
may be poorly resourced and lacking in skills, while a hacktivist group with a rich patron may have
almost limitless resources).

The previous section identified 13 different threat actors. Some of them have such similar
motivations that they can be combined without losing the meaning of the category, see Figure 1.
Hacktivists and terrorists have been grouped into ideologues, hackers have been merged with thrill
seekers, and industrial espionage and corporations have been combined into a competitor actor class.
Some classes have been imported without change.

Figure 1. Identified threat actors combined into the eight categories discussed in this paper.

The malicious actor umbrella term does not have any differentiation power, so it is discarded as
almost all threat actors can be considered malicious actors. Threats without an actor are placed in a
non-actor classification. Next, we describe the threat actor classes and the reasons for grouping in
more detail.
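The grouping just described is mechanical enough to be applied to Table 1 directly. The following Python script is an added example, not code from the paper: it transcribes Table 1 as data (X, i and - marks in the paper's column order), folds the twelve source columns into the eight classes of Figure 1 using the rules stated above, and checks the transcription against the printed Sum row. The merged per-class counts it derives (e.g., how many of the 22 organizations name an ideologue once hacktivists and terrorists are combined) are computed here and are not figures the paper reports.

```python
"""Table 1 encoded as data, with the Section 3 grouping rules applied to it.

Added example, not code from the paper. The cells are transcribed from
Table 1 ("X" = identified, "i" = strongly indicated, "-" = not mentioned);
the merged-class counts are derived here from the paper's stated grouping
rules and are not numbers the paper itself reports."""

# The twelve CTA columns of Table 1, in the paper's column order.
COLUMNS = [
    "nation_state", "cyber_criminal", "hacktivist", "terrorist", "insider",
    "thrill_seeker", "hacker", "industrial_espionage", "corporation",
    "malicious_actor", "other", "partner",
]

# Table 1, one organization per line: name | marks in COLUMNS order.
TABLE1 = """
US NIST     | X X X X X X i X - - - X
ENISA       | X X X X X - - - X - - -
Canada CCCS | X X X X X X - - - - - -
Japan NISC  | X X - i - - - - - X - -
Russia      | X X - X - - - - - - - -
India       | X X - X - - - i - - - -
Brazil      | X X X X - - - - - - - -
S. Africa   | X X - X - - - - - - - -
UN          | X X - X - - - i - - - -
China CAC   | - X - X - - - i - - - -
SANS        | X X X - X - - - - - - X
CIS         | X X X X X - - - - - - -
CC          | - - - - X - X - - X X -
ISSA        | X X - - X - - - - - - -
ITU         | X - - X X - - - - i - -
CrowdStrike | X X X - - - - - - - - i
Verizon     | X X X - X - - - - - - X
IBM         | X X X - X - X - X X - -
FireEye     | X X - - X - - i - - - X
Symantec    | - X - - - - - - - i - -
Accenture   | X X X - - - - - - - - X
McAfee      | X X - - - - - - - - - i
"""

# Section 3 / Figure 1: source columns folded into the paper's eight classes.
# "malicious_actor" is left out on purpose: the paper discards it because it
# has no differentiating power.
GROUPING = {
    "cyber_criminals": ("cyber_criminal",),
    "nation_states":   ("nation_state",),
    "ideologues":      ("hacktivist", "terrorist"),
    "insiders":        ("insider",),
    "thrill_seekers":  ("thrill_seeker", "hacker"),
    "competitors":     ("industrial_espionage", "corporation"),
    "partners":        ("partner",),
    "non_actor":       ("other",),
}

# The "Sum" row as printed in Table 1, used as a consistency check.
PAPER_SUMS = dict(zip(COLUMNS, [19, 20, 10, 12, 11, 2, 3, 5, 2, 5, 1, 7]))


def parse_table(text):
    """Parse the transcribed table into {organization: {column: mark}}."""
    rows = {}
    for line in text.strip().splitlines():
        name, _, marks = line.partition("|")
        cells = marks.split()
        if len(cells) != len(COLUMNS):
            raise ValueError(f"{name.strip()!r}: expected {len(COLUMNS)} marks, got {len(cells)}")
        rows[name.strip()] = dict(zip(COLUMNS, cells))
    return rows


def mentions(mark):
    """The paper's Sum row counts both explicit (X) and indicated (i) mentions."""
    return mark in ("X", "i")


def column_sums(rows):
    """Number of organizations naming each of the twelve source categories."""
    return {col: sum(mentions(r[col]) for r in rows.values()) for col in COLUMNS}


def organizations_for(rows, group):
    """Organizations naming at least one source category folded into `group`."""
    sources = GROUPING[group]
    return sorted(name for name, r in rows.items() if any(mentions(r[c]) for c in sources))


def merged_counts(rows):
    """How many organizations name each of the paper's merged classes."""
    return {group: len(organizations_for(rows, group)) for group in GROUPING}


def sums_match_paper(rows):
    """True if the transcription reproduces the printed Sum row exactly."""
    return column_sums(rows) == PAPER_SUMS


ROWS = parse_table(TABLE1)

if __name__ == "__main__":
    print("transcription matches printed sums:", sums_match_paper(ROWS))
    for group, n in merged_counts(ROWS).items():
        print(f"{group:16s} {n:2d}/{len(ROWS)}  {', '.join(organizations_for(ROWS, group))}")
```

Run it directly to print the per-class counts and the organizations behind each. Both the explicit X and the indicated i marks count as a mention, matching how the paper's Sum row is computed, so a class such as ideologues is credited to an organization as soon as either hacktivists or terrorists appear in its report.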

3.1. Cyber Criminals

Cyber criminals infiltrate networks using any available and exploitable vulnerability. They
have two objectives: to extract value (money, valuable items or valuable data) and to avoid legal
consequences while doing so. One should keep in mind that a large portion of the financial damage
caused by cyber criminals is not direct, especially in industrial networks. Many schemes (e.g., ad fraud,
loyalty program fraud) inflict mainly secondary (indirect) costs on the victim organization [29].

Some cyber crime groups seem to be state-sponsored and act for nation-state threat actors [30],
so clear differentiation between cyber criminals and state actors may be impossible. Cyber criminals
can also work for other third parties, even other cyber criminals, as a service (cyber crime as a
service—CCaaS) [31].

Cyber criminal activity directed at organizations can be divided into three broad categories:

• Mass scams and automated hacking: these activities aim to monetize successful hacking using
automated tools and mass scams to compromise large numbers of accounts and computers. They use
crypto trojans (ransomware) for extortion and steal easily sellable data (e.g., social security numbers,
credit card numbers, passwords and bitcoins). They seek to extract value with the minimum possible
human effort. Special mention should be given to cryptojackers, who infect systems and then use
those resources for mining crypto currencies. This gives the owners of the tools financial value
without the knowledge of the owner of the system.

• Criminal infrastructure providers: these actors use automated hacking tools to infect as many
systems as possible, and to consequently use those systems in a criminal infrastructure (e.g.,
botnets). They may then sell the utilization of this infrastructure to third parties for distributed
denial of service (DDoS) attacks, spamming, bullet-proof hosting etc., or exploit it for their own
campaigns. In these cases, an infected system may perform normally without any noticeable
problems, until the system is placed on a public blacklist for malicious activity.

• Big game hunters: these cyber criminals invest considerable effort in attacking single high-value
targets, especially high-value financial transaction systems (e.g., SWIFT hacks). These attacks may
use custom-designed malware, or be conducted through supply chain partners. The criminals invest
considerable effort in studying the related technologies and network architectures, carefully
engineering the attack and hiding their actions. High-value individuals in an organization are also
targeted by email and phone fraud, using social engineering to enhance the wider attack [25,28].

Cyber criminals are very creative: they may both come up with novel attacks and revive
long-forgotten scams with a fresh perspective for criminal gain. This is important to keep in
mind, especially when discussing emerging technologies such as artificial intelligence (AI) or the
ecosystem of the FoF.

Cyber criminals are the primary source of incidents in the wild [5]. It is important to note,
however, that cyber crimes range widely, from online tax fraud to romance scams [29]. Not all kinds of
cyber crime are relevant to the majority of organizations, and an organization needs to apply proper
risk-based cyber security management processes to identify the relevant threats. Moreover, a tax
fraud, for example, may not be directed at the organization, but an insider committing such a crime
could still impact it. Twenty of the 22 organizations identified cyber criminals as a CTA (Table 1).

3.2. Nation-State Actors

Nation-states can be considered as active threat actors in cyber security [5]. Their objectives are
more varied than that of regular cyber criminals, typically aiming to gather intelligence or support
national interests (e.g., nuclear non-proliferation, financing, technology transfer and dissident control).
The cyberspace toolset has enhanced the abilities that nation-states have already previously held,
especially in espionage.

Over the last 20 years, much reporting has been published on cyber operations aimed at technology
proliferation, in which state actors have been tied to industrial espionage campaigns intended to elevate
the capabilities of domestic companies, typically tied to military technologies. China, for instance, has
been especially effective at bridging the technology gap using various methods.

Strategic sabotage is another technique that nation-state actors use. Perhaps the best-known
suspected nation-state cyber action is the Stuxnet incident [32], in which centrifuges used by the Iranian
nuclear program were sabotaged by infecting their air-gapped control systems with advanced malware
that caused them to deteriorate. While the target was a state-run program, the attack path went
through a commercial actor's control software.

Some states have been linked to cyber activities which indicate the use of cyber operations to
enable other state activity limited by international sanctions. The SWIFT banking system attacks
have been linked to nation-states using them as a way to finance operations under strict economic
sanctions [33]. Such operations can be thought of as infrastructure enabling other activities. On a
smaller scale, nation-state actors using cyber operations for their aims may also need botnet
infrastructure to maintain the ability to conduct and mask cyber operations.

Ukrainian and Georgian critical infrastructures have both been subject to cyber operations seemingly
originating from Russia. These cyber operations have aims similar to conventional military attacks
on infrastructure, but without the need for a full-blown war with the international condemnation and
sanctions that would follow. Cyber war operations, however, can be hard to attribute to specific actors,
and there is always plausible deniability [34]. Even when attribution is reliable, there are many legal
gray areas to hide in [35].

Nation-states target not only other nations, but also organizations (e.g., companies and
non-governmental organizations (NGOs)), and they also practice mass surveillance of individuals.
The stated aims are typically counterterrorism work and internal security. One more recent aspect for
state actors is political campaign interference [36].

There are at least two major paths to national cyber operation capability. Some nations use
well-funded intelligence agencies, while others use cyber criminal organizations. Such state sponsored
groups are typically easier to identify, but have had a higher degree of deniability by the state [24].

It should be noted that, for most organizations, propaganda operations by nation-states (e.g.,
fake news, troll farms, social media manipulation) are not a relevant cyber threat. Moreover, operating
in certain nations may force an organization to adhere to that country's cyber laws (e.g., national
firewalls, DNS blacklisting, legal backdoors to systems or mass surveillance of people). These are also
out of the scope of cyber security policies and of this paper.

Nation-state activity accounts for a large part of the documented cyber incidents in the wild, and is
the second largest source of measured cyber incidents [5]. In our analysis, 19 of the 22 organizations
identified nation-state actors as a CTA (Table 1).

3.3. Ideologues (Hacktivist and Terrorist)

This paper combines hacktivists and terrorists under the same threat actor category due to
obvious similarities in their operational aims. Hacktivists are activists willing to break computer
security laws to advance their cause. Terrorists are groups of people aiming to cause terror to advance
their cause. While the results of their activity are very different, both actors are ideologically motivated.

Additionally, the use of the terrorist label is problematic, as the label is applied subjectively by
nation-states and organizations. Terrorists often appear to be freedom fighters from the other side of
a conflict. The government of Iran might classify the Stuxnet incident as an act of cyber terrorism,
while the West typically considers it a nation-state activity [37]. The definition of cyber terrorism has
become more indiscriminate for many organizations, and some define any activity by a terrorist group
on the internet (e.g., recruitment, money laundering, propaganda) as cyber terrorism. For example,
the Japanese Cyber Strategy [7] refers to the need to monitor terrorist organizations that use cyberspace
for demonstrations, recruiting citizens and raising funds for violent extremism.

Those following an ideology and willing to perform terrorist activities by using computers are
defined to belong to the same category as activists in this paper.

While these actors are active, the volume of their activity is much smaller than that of cyber
criminals and nation-state actors. In addition, activists are typically a known threat to the organizations
they target. It is interesting to note that while 12 of 22 identify terrorist threat actors, the au