CHAPTER I INTRODUCTION Computer and internet are very flexible to innovations as a new technology occurs to greatly serve its users. These technologies serve as a venue for growth and development in different fields that these could hardly be thought to be misused for criminal activities, called cybercrime. Cybercrime is an illegal and criminal activity using computer and internet. It comes in different forms such as: (i) an offense where computer is the target; (ii) an offense where a computer is a tool used to conduct illegal activity; and (iii) an offense where computer is used as a repository of crime. Cybercrime is one of the fastest-growing crimes around the world. It attacks people, property and organizations. Organizations prone to cybercrime include various establishments, businesses and government. The government constitutes different government agencies that play major roles to provide public services in the society. Government 1
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
CHAPTER I
INTRODUCTION
Computer and internet are very flexible to innovations as a new technology occurs
to greatly serve its users. These technologies serve as a venue for growth and
development in different fields that these could hardly be thought to be misused for
criminal activities, called cybercrime.
Cybercrime is an illegal and criminal activity using computer and internet. It
comes in different forms such as: (i) an offense where computer is the target; (ii) an
offense where a computer is a tool used to conduct illegal activity; and (iii) an offense
where computer is used as a repository of crime. Cybercrime is one of the fastest-
growing crimes around the world. It attacks people, property and organizations.
Organizations prone to cybercrime include various establishments, businesses and
government. The government constitutes different government agencies that play major
roles to provide public services in the society. Government agencies are responsible for
the oversight and administration of specific functions consequently, require utmost
information safekeeping.
In the Philippines, there are already cases of cybercrime in government agencies.
In research conducted by the Government Computer Security and Incident Response
Team (GCSIRT) from 2003 to 2007 (Sosa, n.d.), there was evidence of transnational
attacks on computers and the information infrastructure and a total of 667
government websites were discovered defaced, or an aggregate of 133 government
1
websites were attacked by defacers/hackers each year, an average of 11 incidents per
month.
The cases indicate increasingly technological society in the Philippine in which
strengthening the information security for government agencies is very essential.
Cybercrimes existence analysis and awareness programs can promote a great change to
the way information safekeeping is being practiced.
Background of the Study
Cybercrime is a relatively new phenomenon and many simple steps that could be
taken to protect against it remain unknown or unused by the majority of Information and
Communications Technology (ICT) users. A degree of basic understanding of
technological developments and their impact on information will often be sufficient to
prompt government agencies into action and change their routine behaviours. Although
cybercrime affects all parts of society, arguably it is the government that feels the most of
the impact from it.
Premeditated attacks carried out by hackers and viruses are clearly of great
concern for all government agencies. More often than not, these attacks are targeted at
well-known, large, government agencies. It is rarer for small and medium sized agencies
to be singled out for a targeted, malicious attack. More frequently it is human error, or a
collective failure by the organisation to protect itself, that is the root cause of a security
breach.
Awareness-raising is thus needed at many different levels and should be tailored
to suit the information needs of different target groups. Government agencies is similar to
2
businesses, which are inclined to give credibility to the impact that serious breaches of
security could have on their organisation, but despite this, the majority of businesses
remain confident that their current technical security processes, often based on
conventional, off-the-shelf anti-virus and firewall software, provide sufficient protection.
Sole reliance on these systems is, however, not sufficient to provide comprehensive
protection from attacks by increasingly sophisticated hackers and virus designers who are
able to bypass traditional security programmes.
Making available up-to-date information and general guidance on how to tackle
the latest threats is therefore necessary to overcome the dangerous over-reliance by
businesses on conventional programmes. Furthermore, if they are serious, security
breaches may have consequences for compliance and company liability, but many
government agencies are not aware of these risks and so do nothing to mitigate them.
Statement of the Problem
Computer and Internet which greatly serve its users can hardly be misused for
criminal activities. How do Philippine government agencies strengthen information
security from cybercrime existence in this increasingly technological society?
Cybercriminals are veering away from attacking individual personal computers
(PCs) due to low gain that they can get from single users. Instead, they are turning to
infiltrate establishments or agencies for larger profit. According to Senator Edgardo
Angara (2011) the country ranks high among countries in the region susceptible to
cybercrimes and attacks as well as malicious programs such as URL phishing that allows
hackers to remotely control another computer. Increasing reports of crimes are presented
3
in research conducted by the GCSIRT from 2003 to 2007 (Sosa, n.d.), there was evidence
of transnational attacks on computers and the information infrastructure and a total of 667
government websites were discovered defaced, or an aggregate of 133 government
websites were attacked by defacers/hackers each year, an average of 11 incidents per
month. Based on this research, it was found out that 134 coded defacers (both local and
international) have attacked these government websites in that five-year period.
Government agencies now are in proactive queries of cybercrime as they want protection.
Information security is next to cybercrime awareness. Based from the current
information security, a tailored cybercrime awareness program is generated. Evaluation
of the information security implemented with cybercrime awareness program will
determine the change in information in Philippine government agencies.
Objectives of the Study
To determine the different types of cybercrimes being experienced by Philippine
government agencies.
To evaluate the causes of cybercrime in the Philippine government agencies.
To determine how cybercrime affects the information security of Philippine
government agencies.
To determine the change in information security by an increase in cybercrime
awareness in Philippine government agencies.
4
Hypotheses of the Study
The following hypotheses were tested in the study:
H1: An increase in cybercrime awareness strengthens information security in Philippine
government agencies.
H0: An increase in cybercrime awareness has no change in the information security in
Philippine government agencies.
Significance of the Study
The results of this study will be of significant value to a number of sectors in
government agencies, ITC users and the general public.
To government agencies themselves. The study aids in awareness rising on
cybercrimes that could possibly attack different levels of information safekeeping. Sole
reliance on basic systems is no longer sufficient to provide comprehensive protection
from attacks by increasingly sophisticated hackers and virus designers who are able to
bypass traditional security programmes. Updated information and general guidance on
how to tackle the latest threats are necessary to overcome the dangerous over-reliance by
government agencies on conventional programmes and strengthen the information
security.
To ICT users. Information on cybercrime awareness for efficacy of information
security is very useful to the majority of ICT users. A degree of basic understanding of
technological developments and their impact on operation will often be sufficient to
prompt government ICT users into action and change their routine behaviours.
5
To the citizens. The citizens are the tax payers and they have the rights to know
that the taxes are efficiently managed by the agencies particularly in the field of
information security. If the government information is well protected, it will also be
beneficial to the citizens who the government serves.
This study focuses on the government agencies in the Philippines making itself,
its ICT user and its stakeholder or the citizens as the beneficiaries of the research. The
data on cybercrime awareness for efficacy of information security is very useful not only
for further study in this area but also in a better understanding of the particular target
group. This shall help in designing intervention for this group and sending the right
message across to the right people.
Scope and Limitations of the Study
This study will determine the different types of cybercrimes being experienced by
most of the government agencies in the Philippines. The realization of the various types
of cybercrimes is determined but no further analysis of how the process of certain
cybercrime works. The change in information security will be evaluated by how it is
affected by cybercrime awareness programs. It is revealed through the evaluation of
compliance in information security standards and through examination of resources and
expenses, such as in terms of assets, costs or profit. This study also gathered pertinent
data regarding the efficacy of information security. The study involves discussions from
experts and concerned government leaders. The selection of respondents will only be
limited to government agencies that have had experiences with cybercrimes. Since the
Philippines have a different organizational setting as compared to other countries, this
6
study is limited only to an analysis of Philippine government agencies. Researchers are
open for the fact that there will be organizations that will conceal that they have
experienced such crime for investors or stakeholders sake and for confidentiality
purposes.
The study can offer for an increased in cybercrime awareness that can contribute
to the effectiveness of information security in the administrative level of government
agencies situated in the Philippines.
This study will not cover actual solutions to cybercrimes experienced by
Philippine government agencies. It encourages responsiveness to cybercrimes to secure
policies for effective information security. This study does not also include cybercrimes
committed not for government means and its corresponding influences or effects.
Definition of Terms
Available technology refers to the IT expertise and tools, such as technology level and
resources, that a government agency has and able to provide for its information
safekeeping.
Behavior refers to the duties and responsibilities of IT users and personnel accountable
for information security.
Cybercrime refers to a criminal activity where a computer or a computer network is used
as a target, source, tool, or place of a crime.
Cybercrime awareness is the factor that influences efficacy of information security.
Cybercrime awareness program refers to activities specifically tailored to increase
awareness and combat cybercrime.
7
Cybercriminal refers to a person who committed a cybercrime for illegal means.
Internet and computers refer to the medium in which cybercriminals conduct illegal
activities.
Philippine government agencies refer to different national departments or agencies
designated for specific functions that are or are likely to experience cybercrimes.
Information security refers to the management and protection of information, against
cybercrime, and information communication of assets, against the risks of loss,
misuse, damage, reputation and loss of assets.
Technological society refers as time goes by also the advancement in technology in a
certain society.
8
CHAPTER II
REVIEW OF RELATED LITERATURE
To fulfill the objectives of this research, the researchers decided to work on a step
by step process. The study will first determine the different types of cybercrimes being
experienced by Philippine government agencies. The researchers made sure that the
cybercrimes determined in this paper are current or up-to-date. This can also be a value-
added of this research. Next, the determined types of cybercrimes will be evaluated to
know the causes for each. After knowing the types and the causes of cybercrimes, the
effects of cybercrimes on information security of Philippine government agencies will be
determined. The first three objectives will help the researchers to know the current or the
existing information safekeeping of the government agencies. Next, implementation of
cybercrime awareness programs will come into place. The effects of the implementation
of cybercrime awareness programs on information security will be determined. By this,
the researchers will be able to know if there will be an increase in the government
agencies’ information security after the implementation of the programs. The researchers
will also be able to determine on how the government agencies strengthen its information
by means of cybercrime awareness which is the statement of the problem of this paper.
Crime statistics exposed five industries that are most susceptible to cybercrimes.
Cybercrimes attempt to acquire sensitive information with malicious intent about the
industry. The top five industries vulnerable to cybercrimes include travel, education,
financial services, IT services and government services (Ascentive team, 2011). Based on
9
the percentage of companies in each sector that responded to cybercrime include the
following: (1) Travel Industry – 25 %; (2) Education Industry – 22.92 %; (3) Financial
Services Industry – 22.69 %; (4) IT Services Industry – 20.44 % and; (5) Government
Services Industry – 21.23 %. Government services in the Philippines that are prone to
cybercrimes are the main focus of this study. The Department of Labor and Employment
(DOLE), Department of Justice (DOJ), and the Department of Health (DOH) are the
government agencies that are experiencing recent attacks to cybercrimes. Government
agencies that use electronic communication are the most susceptible to this kind of
crimes.
Any business that provides access to email or access to its network via the
Internet is only as safe from cybercrimes to the degree that its employees are trained to
avoid cybercrime emails and other cyber-attack schemes (Sjouwerman 2011). The more
employees within an organization use electronic mails or go online, the greater the risks
of exposure to cybercrimes. The same is true for government agencies. Every government
agency has its own risk to mitigate. Every agency aligns its policies according to its
perspectives and beliefs. Nevertheless, government agency risks are at a growing rate and
so the need for effective information security. Government agencies have embraced
Internet technologies to support its every day services (Day, 2003).
Globalization and an increased reliance on the Internet have forced many
government agencies to rely on computer and networking technology for the storage of
valuable company and personal information (Easttom, 2006). Proliferation of online
activity and e-commerce has attracted the attention of existing criminal organizations and
a new breed of cybercriminals (Gupta & Hammond, 2005). Richards (2006) argued that
10
to define and further understand cybercrime, it is important to be aware of the different
types of crimes that can be linked to computers.
Different Types of Cybercrimes
Cybercrime is one of the fastest growing non-violent crimes in the Asian region.
In which, Philippines is among the countries that is greatly affected by it particularly the
government agencies. These cybercrime activities vary in different types and may
continue to evolve with advancement in technology.
According to the presentation of Cybercrime Investigation Cell, Mumbai (n.d.),
cybercrimes being experienced by government agencies due to technology advancements
include hacking, denial of service attack, virus dissemination, software piracy, net
extortion, phishing, spoofing, cyber stalking, cyber defamation and threatening. (1)
Hacking is the illegal intrusion into a computer system without the permission of the
computer owner/user; (2) denial of service attack floods the victim network or fills the
electronic mail box to deprive a person from services he or she is entitled to access or
provide; (3) virus dissemination involves malicious software that attacks by attaching
itself to other software; (4) software piracy is the illegal copying of counterfeit or genuine
programs; (5) net extortion is copying the confidential data to extort for large amount; (6)
phishing is the way of acquiring confidential information of a bank or financial holder
account; (7) spoofing is pretending to have the identity of a computer so as to obtain
access to another computer; (8) cyber stalking is following someone by sending email or
frequent entering in a chat room; (9) cyber defamation is spreading defamation about a
particular matter to the concerned ones and; (10) threatening is sending threat emails.
11
The types of cybercrimes presented by Cybercrime Investigation Cell, Mumbai
(n.d.) coincides with study conducted by De La Cruz (n.d.), an Information Security
Officer. He cited examples of cybercrime such as unauthorized network access,
interception and fabrication of emails, theft of passwords, identity theft, internet fraud,
and cyber-stalking.
Various types of cybercrimes are enduring problems in its increasing
technological structure. In which firms including government agencies is vulnerable to
cyber threats such as hacking, identity theft, spamming, phishing, denial-of-service
attacks, and malware, such as the ILOVEYOU virus. (Roxas-Chua III, 2008).
The country ranks high among countries in the region vulnerable to cybercrimes
and attacks as well as malicious programs such as URL phishing that allows hackers to
remotely control another computer (Angara, 2011). Common types of cybercrime
activities include unauthorized access, illegal interruption without right made by
technical means, of non-public transmission of computer data to, from or within a
computer system, data interference or the damaging, deletion, deterioration, alteration
or suppression of computer data without proper authority, system interference or the
serious hindering without right of the functioning of a computer system by
inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing
computer data, misuses of device, forgery and fraud (Enrile, 2010).
One remarkable example of these dangerous cybercrimes is the ILOVEYOU
virus, which is created and unleashed in May, 2000. It costs several companies,
governments, and citizens billions of US dollars in damages. Likewise, the first Filipino
who was convicted due to cybercrime, particularly in hacking, in September 2005 was
12
JJ Maria Giner. He is pleaded guilty of hacking government portal “gov.ph” and other
government websites.
At present, as stated by DOST Undersecretary Fortunato de la Pena (2011),
Officer-in-charge of the Information and Communications Technology Office (ICTO),
Philippine government agencies are experiencing cyber-attacks mostly from websites and
systems that are developed in-house using coding practices that are below standards. Last
July (2011), a hacker group which named itself as “Private X” attacked the websites of
the Office of the Vice President and Philippine Nuclear Research Institute. While
recently, website defacement of the online portal of the National Disaster Risk Reduction
and Management Council (NDRRMC) is reported. Determining and evaluating as to
where these cybercrimes are coming from and as to why they existed such a number is of
great importance.
Causes of Cybercrime
Presented by the Cybercrime Investigation Cell, Crime Branch, CID, Mumbai
(n.d.), computer crimes are vulnerable because of ambiguity, computer’s storage
capacity, weakness in operating system, and lack of awareness of the users. Lack of
cybercrime awareness of the government agencies is what researchers are trying to
connect with information security. Boosting responsiveness or awareness to cybercrimes
can lessen and somehow can prevent the risk of exposure to cybercrimes. Lack of
awareness is very closely connected with human conduct. It is therefore very probable
that while protecting the computer system there might be any be deficiency in awareness,
13
which in turn provides a cyber criminal to gain access and control over the government
agencies computer systems.
Sentor’s (2009) enumerated the different causes of cybercrimes currently being
experienced by government agencies in the Philippines which include storage of data,
confidential information, negligence, complexity of codes, lack of evidence, and
accessibility to victims.
Storage of Data of government agencies can be a cause of cybercrime. Weak and
unsecured storage of government data allow criminals in various fields to have access to
extensive data and in which case this data can be removed through various means,
including physical and virtual.
Confidential Information from security firms, scientific databases, financial
institutes and even governmental organizations is stored online and on networks. This
allows cyber criminals to initiate unauthorized access and use it for personal needs.
Complex technology can be manipulated and firewalls can be bypassed, allowing
criminals to gain access to security codes, bank accounts and other governmental
information.
Sometimes simple Negligence can give rise to criminal activities. Saving a
password on an official computer; using official data in a public place; and storing data
without protection are simple causes of cybercrimes that could exist in a government
agency. Cyber criminals can take advantage of such negligence and use it to obtain,
manipulate and forge information.
Government operating systems have Complex Codes that can be decoded or
manipulated to gain access to the system. There are always loopholes in security that a
14
professional cyber criminal can find and hack into. A traditional bank robber can research
the security system and take advantage of it and likewise, a cyber thief is not much
different, except that he can breach security virtually.
Another cause of increasing cyber crime is the Lack of Evidence to bind the
criminal by law. There are so many ways to hide the track of a cyber crime and little to
actually police the criminal. The police can trace the information to the criminal, but
unless solid physical evidence is found, the track cannot be used in a court of law.
Accessibility to Victims is another root cause of cybercrime in government
agencies. Government employees who go online allow cyber criminals to target
necessary government information without being physically present. The police and other
related agencies find it impossible to connect people when the trace is online. Hackers
gather information and use it for own criminal ends. Though technology is improving
there is a long way to go before cyber criminals can be punished watchfully.
Many modes of criminal activity which the traditional policing methods and the
laws bind lose jurisdiction in cyber crime cases. Thus, many crimes are being committed
online which affect the information security of Philippine government agencies.
.
Cybercrime Existence Affecting Information Security
Information security has evolved significantly over the last decade and even more
quickly over the last few years. In earlier days, critical data was in paper format; thus
physical security was the major concern. The large amount of electronic data coupled
with how government agencies are networked together (e.g. via the Internet) has made
security of electronic data a challenging problem today. The objective of information
15
security in government agencies is to protect information from a wide range of accidental
or malicious threats or attacks. Government agencies should not look at security only as
technology, but instead as people, processes, and technology. Fortunately, several
information security standards, such as ISO17799 (British standard BS7799), have been
developed and information government security best practices have been defined.
According to an Accenture study (December 2009) on data protection and
privacy, 58 % of the surveyed respondents indicated loss of sensitive personal
information and 42 % had an ongoing problem of data security breaches. If a government
agency has not faced any cyber crime problems, it is important to begin addressing
concerns now before facing security violations. Understanding what steps government
agencies can take, costly and embarrassing security breaches can be protected and
prevented.
Depending on the reliance on information technology, all government agencies
need to fully understand the overall security posture and whether compliance with the
industrial standards is met or not. Reviews of the security posture need to cover all
areas from Government Agency Continuity, Planning to Intrusion Detection and Anti-
Virus programs. On the other hand, government agencies need to know how beneficial
information security is and thus how security measures that address risks with cost-
effective manner have to be implemented. Having a comprehensive information
security framework that is based on standards and addresses the specific risks that an
organization is facing is a current goal for many government agencies. There is no
perfect solution that will secure all government information assets and systems in
compliance with all contractual and legal requirements.
16
Implementation of Cybercrime Awareness Programs
Although there is no perfect solution that will secure all government information
assets and systems, several approaches have been proposed for the management of
security information. Security is a key concern for effective information safekeeping.
Government agencies lacking security awareness in cyber world can miss detecting many
detrimental cybercrimes. Internal security threats include user security errors, security
carelessness, security negligence, and security attacks (Leach, 2003). Information
systems may be secured by preventing, detecting, and correcting internal and external
threats. (Chen, Shaw, & Yang, n.d.) Raising cybercrime awareness can mitigate further
risks associated to such agencies as well as detect perceived threats in information
security.
One effective preventive measure is to create a security-aware culture by
educating staff about security risks and their responsibilities (Timms, Potter, & Beard,
2004). One way to address security-aware culture is through implementation of
cybercrime awareness program.
Security awareness programs are often implemented using newsletters, posters,
trinkets, and Web sites. Functions built and investigated include a discussion forum, risks
events, awareness activities, a newsletter and article sharing, and a management center.
(Chen, Shaw, & Yang, n.d.)
According to Chen, Shaw, & Yang (n.d.):
The five key components in the system architecture that is used to
administer the system and to guide the development of the system functions are
17
(1) System Management, (2) User Management, (3) Incident Management, (4)
Awareness Activity Management and (5) Evaluation Management.
System Management manages three major functions of the system: news,
discussion, and selected articles. User Management allows the system manager to
maintain users’ data and confidential information. Incident Management gives the
system manager the ability to add, delete, maintain, and manage incident events using
wizards and templates. Awareness Activity Management the system manager can add and
delete awareness activities as well as easily create new projects. Evaluation Management
a system manager can obtain information such as participation behavior and performance
records for each participation activity. There are also some best practices and standards
helping the organizations to develop and to monitor government agencies’ information
safekeeping. Two of these standards are GASSP (Generally Accepted System Security
Principles) and the ISO17799, which was based on British standard BS7799. These
standards are vendor neutral and do not focus on specific technologies, but mainly focus
on the process of information security.
ISO17799 pertains to what should be an information security program, but does
not provide how security requirements can be achieved. It aims to protect information
from a wide range of threats like cybercrimes in order to ensure government agency
continuity and minimize the damage. It provides an opportunity for government
security managers to gain senior management recognition of the importance of
procedures and mechanisms to enhance information security. The objectives of this
methodology is to provide common and best practice guidance to enable a
government agency to implement appropriate information security, to facilitate inter-
18
company trading by providing confidence in the security of shared information, to
ensure government agency continuity and minimize damage, to help government
agencies to identify strengths and weaknesses in the organization’s information
security management processes, to plan improvement actions that support achievement
of the organization’s goals, to enable organizations to implement and measure
effective information security management practices and to provide confidence
relating to third party access. On the other hand, GASSP was developed to
promulgate comprehensive generally accepted system security principles using input
from information security practitioners in the private and public sectors from USA and
aboard. Other regulations and standards are the Sarbanes-Oxley, HIPAA, GLBA, BSI,
COBIT,
The level of cybercrime awareness will be determined by the government
agencies’ compliance with the standards of GASSP (Generally Accepted System
Security Principles) and ISO17799. Even though the approaches, architecture and tools
of these standards provide some important security tasks, the insufficiency and
incompleteness remain because the technology can be ineffective without the proper
people and processes integrated with it. Some of these proposals contain approaches and
architectures dedicated to assess the security policies applied in the organization and
verify the compliance with the standards but do not provide the technical solution to
implement them. Some others provide planning to implement and monitor specific
policies but do not provide a standard compliance service.
19
CHAPTER III
THEORETICAL/CONCEPTUAL/OPERATIONAL FRAMEWORK
This study used two standards followed by organizations to help them develop
and monitor their information security program. These two standards are GASSP
(Generally Accepted System Security Principles) and the ISO27002, which was based on
British standard BS7799.
The Generally Accepted System Security Principles (GASSP) was primarily
created with government's information and data systems in mind. With this, the
proponents used this model in constructing their conceptual framework. The rules and
procedures were outlined in the National Research Council document titled, “Computers
At Risk”. The table below illustrates the principles and practices described.
Table 1. Generally Accepted System Security Principles
Another one of the best practices standards in helping organizations to develop and
to monitor their information security program is the ISO17799. It is vendor neutral and
do not focus on specific technologies, but mainly focusing on the process of
information security. ISO17799 pertains to what should be an information security
program, but does not provide how security requirements can be achieved. The
21
f igure below summarizes the s tandard.
Figure 1. BS7799
22
CONCEPTUAL FRAMEWORK
The effect of existence of cybercrime will increase the information security as
cybercrime awareness develops from such existence. The conceptual framework below aids
to measure on how Philippine government agencies strengthen information security from cybercrimes
in increasingly technological society. The variables that will be used in this study are cybercrime
existence as independent variable, change in information security as dependent variable and cybercrime
awareness programs as moderating variables.
Figure 2. Effect of cybercrime existence on information security
23
CHAPTER IV
METHODOLOGY
Research Design
The research design employed in this study is both descriptive and evaluative.
This study is conducted to determine the different types, how cybercrime affects the
information security, and the change in information security by an increase in cybercrime
awareness in Philippine government agencies. Also, this study is conducted to evaluate
the change in information security by an increase in cybercrime awareness in Philippine
government agencies. These data will be collected through questionnaires distributed to
agencies recently affected by cybercrimes. The method to analyse these data will be
through the ratings given by the agencies handed with the questionnaires.
Time and Place of the Study
The study was conducted at De La Salle University-Dasmarinas and has a time
frame of 4 months staring from the month of June to October—first semester of
S.Y.2011-2012 of the said university.
Sources of Data
The sources of the data used in this research came mostly from web sites of
creditable agencies, both private and government, and local and international that fight
cybercrimes. Also, since this paper aims to give the recent data about cybercrime in the
Philippine government agencies, articles from newspapers were also cited. The sites of
24
government agencies in the Philippines affected by the recent attacks of cybercrimes
were checked to better determine the updates on the problem.
Data Collection Procedure
The government agencies that will be handed with the questionnaires are the
Information Technology Directors of the Department of Health, the Department of Labor
and Employment, and the Department of Justice. Each Director will be allotted a time of
one month to answers the questionnaires. After the given time, proponents will again
collect the questionnaires for evaluation.
Analytical Procedures
The existence of cybercrime will be measured by noting the types of cybercrimes
that will be determined by the agencies handed with the questionnaires. From the types of
cybercrime, its causes and effects will also be evaluated and determined respectively.
The effects in particular will be measured in terms of the monetary and intrinsic
value of the assets that were affected by the cybercrime. Then, the causes, on the other
hand will, be evaluated based on the ratings that the agency will give from a scale of 1-10
where 1 stands as their sited least cause and 10 as their sited number one cause.
The conceptual framework of the study aids to measure on how Philippine government
agencies strengthen information security from cybercrimes in increasingly technological society. The
variables that will be used in this study are cybercrime existence as independent variable, change in
information security as dependent variable and cybercrime awareness programs as moderating variables.
Cybercrime existence will be determined by the types and causes of cybercrimes and the
25
corresponding effects of cybercrimes on information security of Philippine government agencies. These
independent variables are to be determined by using questionnaires to analyze the current situation of the
information security of an agency.
Cybercrime existence will be measured before and after the implementation of cybercrime
awareness programs and this will result to a change in information security which is the dependent
variable of the study.
The implementation of cybercrime awareness programs will help mitigate the existence of
cybercrimes and will be used to measure if there has been a change in the level of information security.
The effectiveness or the number of programs that will be implemented will affect the relationship
between cybercrime existence and information security. Cybercrime existence will be controlled by the
cybercrime awareness programs and will reflect on the level of information security.
Cybercrime awareness will affect the cybercrime existence as its components like evaluation,
feedbacks, trainings, and seminars and these will eventually mitigate such existence.
26
REFERENCES
Araneta, S. (2011). DOJ pushes passage of cybercrime bill. The Philippine Star,Retrieved August 21, 2011, from http://www.philstar.com/Article.
Association for Information Systems. (2003). BS7799: a suitable model for information security management, Systems Engineering Research Centre, Southampton Institute, UK
Basu, S. (2004). E-government and developing countries: an overview. 109-132
Barrett, M., Steingruebl, A., & Smith, B. (2011). Combating cybercrime. RetrievedAugust 21, 2011, from https://www.paypal-media.com/assets/pdf/fact_sheet/
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2008). Analysis of perceived burden ofcompliance: the role of fairness, awareness, and facilitating condition.Retrieved July 26, 2011, from http://people.commerce.ubc.ca/phd/bulgurcu/docs/
Carter, E. (2002). Examining cybercrime: its forms and its perpetrator. RetrievedOctober 8, 2011, from http://www.google.com.ph/
Chen, C., Shaw, R., & Yang, S. (n.d.) Mitigating information security risks byincreasing user security awareness: a case study of an information securityawareness system. Retrieved August 21, 2011, from http://www.mendeley.com/
De La Cruz, M. (n.d.) Cybercrime awareness. Retrieved August 21, 2011, fromhttp://www.google.com.ph/
Enrile, J. (2010). Fifteenth congress of the republic of the Philippines. Retrieved August21, 2011, from http://www.senate.gov.ph/lisdata/75676380!.pdf
Felongco, G. (2011). Philippines prone to cyber crime: official. Gulfnews, RetrievedAugust 31, 2011, from http://gulfnews.com/news/world/philippines/
Morris, A. (2007). Protecting management information systems: virtual private network competitive advantage. Unpublished doctoral dissertation, AUT University
Nykodym, N., Ariss, S., & Kurtz, K. (n.d.). Computer addiction and cyber crime.Retrieved August 21, 2011, from http://www.na-businesspress.com/JLAE/
Research Center & Scientific Consultations. (2003). A standard-complaint integrated security framework, Al-Imam Mohammad Bin Saud Islamic University
Romero, A. (2011). Cybercrimes pose serious threat to Phl – PSA. The Philippine Star,Retrieved August 21, 2011, from http://www.philstar.com/
Sosa, G. (n.d.) Country report on cybercrime: the Philippine. Retrieved August 21, 2011,from http://www.unafei.or.jp/english/pdf/RS_No79/No79_12PA_Sosa.pdf
Tuazon, J. (2011). DOST-ICTO pushes for passage of cybercrime, data privacy bills.Barrio Siete, Retrieved August 21, 2011, from http://barriosiete.com/
Questionnaires that will be used to measure the variables in this study:
Indicate the number of occurrences of cybercrimes listed in the table below. If not in the list, indicate the cybercrime encountered.
Types of Cybercrime Number of Occurrences
Hacking
Denial of service
Virus dissemination
Software Piracy
Net extortion
Phishing
Spoofing
Cyber stalking
Cyber defamation
Threatening
Others:
_________________________
_________________________
_________________________
29
Indicate the corresponding monetary or inherent value of the effects on the existence of cybercrimes in information security. For the inherent value, indicate remarks to justify the amount that will be given for the sited effects.
EffectsMonetary
Value (P)
Inherent Value*
RemarksCorresponding
Amount (P)
Loss of Revenue
Wasted Time
Damaged Reputations
Reduced Productivity
TOTAL
*Inherent value- refers to the worth of intangible asset that is difficult to determine in terms of monetary value.
30
Indicate the rating of the causes for each type of cybercrime existing in the agency based from the scale below. If not in the list, indicate the additional cybercrimes encountered as well with the causes.