
Research ( to Papa God Be All the Glory!)

Sep 12, 2014


Anjo Alba

CHAPTER I

INTRODUCTION

Computers and the Internet adapt readily to innovation, as each new technology emerges to better serve its users. These technologies serve as a venue for growth and development in so many fields that it is hard to imagine them being misused for criminal activities, called cybercrime.

Cybercrime is illegal and criminal activity using a computer and the Internet. It comes in different forms, such as: (i) an offense where a computer is the target; (ii) an offense where a computer is a tool used to conduct illegal activity; and (iii) an offense where a computer is used as a repository of crime. Cybercrime is one of the fastest-growing crimes around the world. It attacks people, property and organizations. Organizations prone to cybercrime include various establishments, businesses and government. The government comprises different agencies that play major roles in providing public services to society. Government agencies are responsible for the oversight and administration of specific functions and consequently require utmost information safekeeping.

In the Philippines, there are already cases of cybercrime in government agencies. In research conducted by the Government Computer Security and Incident Response Team (GCSIRT) from 2003 to 2007 (Sosa, n.d.), there was evidence of transnational attacks on computers and the information infrastructure, and a total of 667 government websites were discovered defaced, or an aggregate of 133 government websites attacked by defacers/hackers each year, an average of 11 incidents per month.

The cases indicate an increasingly technological society in the Philippines, in which strengthening information security for government agencies is essential. Analysis of cybercrime existence and awareness programs can promote a great change in the way information safekeeping is practiced.

Background of the Study

Cybercrime is a relatively new phenomenon and many simple steps that could be taken to protect against it remain unknown or unused by the majority of Information and Communications Technology (ICT) users. A degree of basic understanding of technological developments and their impact on information will often be sufficient to prompt government agencies into action and change their routine behaviours. Although cybercrime affects all parts of society, arguably it is the government that feels most of the impact from it.

Premeditated attacks carried out by hackers and viruses are clearly of great concern for all government agencies. More often than not, these attacks are targeted at well-known, large government agencies. It is rarer for small and medium-sized agencies to be singled out for a targeted, malicious attack. More frequently it is human error, or a collective failure by the organisation to protect itself, that is the root cause of a security breach.

Awareness-raising is thus needed at many different levels and should be tailored to suit the information needs of different target groups. Government agencies are similar to businesses, which are inclined to give credibility to the impact that serious breaches of security could have on their organisation, but despite this, the majority of businesses remain confident that their current technical security processes, often based on conventional, off-the-shelf anti-virus and firewall software, provide sufficient protection. Sole reliance on these systems is, however, not sufficient to provide comprehensive protection from attacks by increasingly sophisticated hackers and virus designers who are able to bypass traditional security programmes.

Making available up-to-date information and general guidance on how to tackle the latest threats is therefore necessary to overcome the dangerous over-reliance by businesses on conventional programmes. Furthermore, if they are serious, security breaches may have consequences for compliance and company liability, but many government agencies are not aware of these risks and so do nothing to mitigate them.

Statement of the Problem

Computers and the Internet, which greatly serve their users, could hardly be thought to be misused for criminal activities. How do Philippine government agencies strengthen information security against the existence of cybercrime in this increasingly technological society?

Cybercriminals are veering away from attacking individual personal computers (PCs) because of the low gain they can get from single users. Instead, they are turning to infiltrating establishments or agencies for larger profit. According to Senator Edgardo Angara (2011), the country ranks high among countries in the region susceptible to cybercrimes and attacks as well as malicious programs such as URL phishing that allows hackers to remotely control another computer. Increasing reports of crimes are presented in research conducted by the GCSIRT from 2003 to 2007 (Sosa, n.d.): there was evidence of transnational attacks on computers and the information infrastructure, and a total of 667 government websites were discovered defaced, or an aggregate of 133 government websites attacked by defacers/hackers each year, an average of 11 incidents per month. Based on this research, it was found that 134 coded defacers (both local and international) attacked these government websites in that five-year period. Government agencies are now proactively making inquiries about cybercrime as they want protection.

Information security is next to cybercrime awareness. Based on the current information security, a tailored cybercrime awareness program is generated. Evaluation of the information security implemented with a cybercrime awareness program will determine the change in information in Philippine government agencies.

Objectives of the Study

To determine the different types of cybercrimes being experienced by Philippine government agencies.

To evaluate the causes of cybercrime in the Philippine government agencies.

To determine how cybercrime affects the information security of Philippine government agencies.

To determine the change in information security by an increase in cybercrime awareness in Philippine government agencies.

Hypotheses of the Study

The following hypotheses were tested in the study:

H1: An increase in cybercrime awareness strengthens information security in Philippine government agencies.

H0: An increase in cybercrime awareness produces no change in the information security in Philippine government agencies.

Significance of the Study

The results of this study will be of significant value to a number of sectors in government agencies, ICT users and the general public.

To government agencies themselves. The study aids in raising awareness of cybercrimes that could possibly attack different levels of information safekeeping. Sole reliance on basic systems is no longer sufficient to provide comprehensive protection from attacks by increasingly sophisticated hackers and virus designers who are able to bypass traditional security programmes. Updated information and general guidance on how to tackle the latest threats are necessary to overcome the dangerous over-reliance by government agencies on conventional programmes and to strengthen information security.

To ICT users. Information on cybercrime awareness for efficacy of information security is very useful to the majority of ICT users. A degree of basic understanding of technological developments and their impact on operation will often be sufficient to prompt government ICT users into action and change their routine behaviours.

To the citizens. The citizens are the taxpayers and they have the right to know that taxes are efficiently managed by the agencies, particularly in the field of information security. If government information is well protected, it will also be beneficial to the citizens whom the government serves.

This study focuses on government agencies in the Philippines, making the agencies themselves, their ICT users and their stakeholders, the citizens, the beneficiaries of the research. The data on cybercrime awareness for efficacy of information security is very useful not only for further study in this area but also for a better understanding of the particular target group. This shall help in designing interventions for this group and sending the right message across to the right people.

Scope and Limitations of the Study

This study will determine the different types of cybercrimes being experienced by most of the government agencies in the Philippines. The various types of cybercrimes are identified, but there is no further analysis of how a particular cybercrime works. The change in information security will be evaluated by how it is affected by cybercrime awareness programs. It is revealed through the evaluation of compliance with information security standards and through examination of resources and expenses, such as in terms of assets, costs or profit. This study also gathered pertinent data regarding the efficacy of information security. The study involves discussions with experts and concerned government leaders. The selection of respondents will be limited to government agencies that have had experiences with cybercrimes. Since the Philippines has a different organizational setting compared to other countries, this study is limited to an analysis of Philippine government agencies. The researchers are open to the fact that there will be organizations that conceal that they have experienced such crime for the sake of investors or stakeholders and for confidentiality purposes.

The study can offer an increase in cybercrime awareness that can contribute to the effectiveness of information security at the administrative level of government agencies situated in the Philippines.

This study will not cover actual solutions to cybercrimes experienced by Philippine government agencies. It encourages responsiveness to cybercrimes to secure policies for effective information security. This study also does not include cybercrimes committed not for government means and their corresponding influences or effects.

Definition of Terms

Available technology refers to the IT expertise and tools, such as technology level and resources, that a government agency has and is able to provide for its information safekeeping.

Behavior refers to the duties and responsibilities of IT users and personnel accountable for information security.

Cybercrime refers to a criminal activity where a computer or a computer network is used as a target, source, tool, or place of a crime.

Cybercrime awareness is the factor that influences efficacy of information security.

Cybercrime awareness program refers to activities specifically tailored to increase awareness and combat cybercrime.

Cybercriminal refers to a person who committed a cybercrime for illegal means.

Internet and computers refer to the medium in which cybercriminals conduct illegal activities.

Philippine government agencies refer to different national departments or agencies designated for specific functions that are or are likely to experience cybercrimes.

Information security refers to the management and protection of information, against cybercrime, and information communication of assets, against the risks of loss, misuse, damage, reputation and loss of assets.

Technological society refers to the advancement of technology in a certain society as time goes by.

CHAPTER II

REVIEW OF RELATED LITERATURE

To fulfill the objectives of this research, the researchers decided to work through a step-by-step process. The study will first determine the different types of cybercrimes being experienced by Philippine government agencies. The researchers made sure that the cybercrimes determined in this paper are current or up-to-date. This can also be an added value of this research. Next, the determined types of cybercrimes will be evaluated to know the causes of each. After knowing the types and the causes of cybercrimes, the effects of cybercrimes on the information security of Philippine government agencies will be determined. The first three objectives will help the researchers to know the current or existing information safekeeping of the government agencies. Next, implementation of cybercrime awareness programs will come into place. The effects of the implementation of cybercrime awareness programs on information security will be determined. By this, the researchers will be able to know if there is an increase in the government agencies’ information security after the implementation of the programs. The researchers will also be able to determine how the government agencies strengthen their information by means of cybercrime awareness, which is the statement of the problem of this paper.

Crime statistics exposed five industries that are most susceptible to cybercrimes. Cybercrimes attempt to acquire sensitive information about the industry with malicious intent. The top five industries vulnerable to cybercrimes include travel, education, financial services, IT services and government services (Ascentive team, 2011). The percentages of companies in each sector that responded to cybercrime are as follows: (1) Travel Industry – 25 %; (2) Education Industry – 22.92 %; (3) Financial Services Industry – 22.69 %; (4) IT Services Industry – 20.44 %; and (5) Government Services Industry – 21.23 %. Government services in the Philippines that are prone to cybercrimes are the main focus of this study. The Department of Labor and Employment (DOLE), Department of Justice (DOJ), and the Department of Health (DOH) are the government agencies that are experiencing recent cybercrime attacks. Government agencies that use electronic communication are the most susceptible to this kind of crime.

Any business that provides access to email or access to its network via the Internet is safe from cybercrimes only to the degree that its employees are trained to avoid cybercrime emails and other cyber-attack schemes (Sjouwerman, 2011). The more employees within an organization use electronic mail or go online, the greater the risk of exposure to cybercrimes. The same is true for government agencies. Every government agency has its own risk to mitigate. Every agency aligns its policies according to its perspectives and beliefs. Nevertheless, government agency risks are growing, and so is the need for effective information security. Government agencies have embraced Internet technologies to support their everyday services (Day, 2003).

Globalization and an increased reliance on the Internet have forced many government agencies to rely on computer and networking technology for the storage of valuable company and personal information (Easttom, 2006). Proliferation of online activity and e-commerce has attracted the attention of existing criminal organizations and a new breed of cybercriminals (Gupta & Hammond, 2005). Richards (2006) argued that to define and further understand cybercrime, it is important to be aware of the different types of crimes that can be linked to computers.

Different Types of Cybercrimes

Cybercrime is one of the fastest-growing non-violent crimes in the Asian region, and the Philippines is among the countries greatly affected by it, particularly its government agencies. These cybercrime activities vary in type and may continue to evolve with advancement in technology.

According to the presentation of Cybercrime Investigation Cell, Mumbai (n.d.), cybercrimes being experienced by government agencies due to technology advancements include hacking, denial of service attack, virus dissemination, software piracy, net extortion, phishing, spoofing, cyber stalking, cyber defamation and threatening. (1) Hacking is the illegal intrusion into a computer system without the permission of the computer owner/user; (2) denial of service attack floods the victim network or fills the electronic mail box to deprive a person of services he or she is entitled to access or provide; (3) virus dissemination involves malicious software that attacks by attaching itself to other software; (4) software piracy is the illegal copying of counterfeit or genuine programs; (5) net extortion is copying confidential data in order to extort a large amount; (6) phishing is the way of acquiring confidential information of a bank or financial holder account; (7) spoofing is pretending to have the identity of a computer so as to obtain access to another computer; (8) cyber stalking is following someone by sending email or frequently entering a chat room; (9) cyber defamation is spreading defamation about a particular matter to the concerned ones; and (10) threatening is sending threat emails.

The types of cybercrimes presented by Cybercrime Investigation Cell, Mumbai (n.d.) coincide with the study conducted by De La Cruz (n.d.), an Information Security Officer. He cited examples of cybercrime such as unauthorized network access, interception and fabrication of emails, theft of passwords, identity theft, internet fraud, and cyber-stalking.

Various types of cybercrimes are enduring problems in an increasingly technological structure in which firms, including government agencies, are vulnerable to cyber threats such as hacking, identity theft, spamming, phishing, denial-of-service attacks, and malware such as the ILOVEYOU virus (Roxas-Chua III, 2008).

The country ranks high among countries in the region vulnerable to cybercrimes and attacks as well as malicious programs such as URL phishing that allows hackers to remotely control another computer (Angara, 2011). Common types of cybercrime activities include unauthorized access; illegal interruption, made by technical means without right, of non-public transmission of computer data to, from or within a computer system; data interference, or the damaging, deletion, deterioration, alteration or suppression of computer data without proper authority; system interference, or the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data; misuse of devices; forgery; and fraud (Enrile, 2010).

One remarkable example of these dangerous cybercrimes is the ILOVEYOU virus, which was created and unleashed in May 2000. It cost several companies, governments, and citizens billions of US dollars in damages. Likewise, the first Filipino convicted of cybercrime, particularly hacking, in September 2005 was JJ Maria Giner. He pleaded guilty to hacking the government portal “gov.ph” and other government websites.

At present, as stated by DOST Undersecretary Fortunato de la Pena (2011), Officer-in-charge of the Information and Communications Technology Office (ICTO), Philippine government agencies are experiencing cyber-attacks mostly from websites and systems that are developed in-house using coding practices that are below standards. Last July (2011), a hacker group which named itself “Private X” attacked the websites of the Office of the Vice President and Philippine Nuclear Research Institute. More recently, defacement of the online portal of the National Disaster Risk Reduction and Management Council (NDRRMC) was reported. Determining and evaluating where these cybercrimes are coming from and why they exist in such number is of great importance.

Causes of Cybercrime

As presented by the Cybercrime Investigation Cell, Crime Branch, CID, Mumbai (n.d.), computers are vulnerable to crime because of ambiguity, the computer’s storage capacity, weakness in the operating system, and lack of awareness of the users. Lack of cybercrime awareness in government agencies is what the researchers are trying to connect with information security. Boosting responsiveness or awareness to cybercrimes can lessen and somehow prevent the risk of exposure to cybercrimes. Lack of awareness is very closely connected with human conduct. It is therefore very probable that while protecting the computer system there might be a deficiency in awareness, which in turn provides a cyber criminal the opportunity to gain access and control over the government agencies’ computer systems.

Sentor (2009) enumerated the different causes of cybercrimes currently being experienced by government agencies in the Philippines, which include storage of data, confidential information, negligence, complexity of codes, lack of evidence, and accessibility to victims.

Storage of Data of government agencies can be a cause of cybercrime. Weak and unsecured storage of government data allows criminals in various fields to have access to extensive data, in which case this data can be removed through various means, including physical and virtual.

Confidential Information from security firms, scientific databases, financial institutes and even governmental organizations is stored online and on networks. This allows cyber criminals to initiate unauthorized access and use it for personal needs. Complex technology can be manipulated and firewalls can be bypassed, allowing criminals to gain access to security codes, bank accounts and other governmental information.

Sometimes simple Negligence can give rise to criminal activities. Saving a password on an official computer; using official data in a public place; and storing data without protection are simple causes of cybercrimes that could exist in a government agency. Cyber criminals can take advantage of such negligence and use it to obtain, manipulate and forge information.

Government operating systems have Complex Codes that can be decoded or manipulated to gain access to the system. There are always loopholes in security that a professional cyber criminal can find and hack into. A traditional bank robber can research the security system and take advantage of it; a cyber thief is not much different, except that he can breach security virtually.

Another cause of increasing cyber crime is the Lack of Evidence to bind the criminal by law. There are so many ways to hide the track of a cyber crime and little to actually police the criminal. The police can trace the information to the criminal, but unless solid physical evidence is found, the track cannot be used in a court of law.

Accessibility to Victims is another root cause of cybercrime in government agencies. Government employees who go online allow cyber criminals to target necessary government information without being physically present. The police and other related agencies find it impossible to connect people when the trace is online. Hackers gather information and use it for their own criminal ends. Though technology is improving, there is a long way to go before cyber criminals can be punished watchfully.

Many modes of criminal activity that traditional policing methods and laws bind lose jurisdiction in cyber crime cases. Thus, many crimes are being committed online which affect the information security of Philippine government agencies.

Cybercrime Existence Affecting Information Security

Information security has evolved significantly over the last decade and even more quickly over the last few years. In earlier days, critical data was in paper format; thus physical security was the major concern. The large amount of electronic data, coupled with how government agencies are networked together (e.g. via the Internet), has made security of electronic data a challenging problem today. The objective of information security in government agencies is to protect information from a wide range of accidental or malicious threats or attacks. Government agencies should not look at security only as technology, but instead as people, processes, and technology. Fortunately, several information security standards, such as ISO17799 (British standard BS7799), have been developed and government information security best practices have been defined.

According to an Accenture study (December 2009) on data protection and privacy, 58 % of the surveyed respondents indicated loss of sensitive personal information and 42 % had an ongoing problem of data security breaches. If a government agency has not faced any cyber crime problems, it is important to begin addressing concerns now before facing security violations. By understanding what steps government agencies can take, costly and embarrassing security breaches can be protected against and prevented.

Depending on the reliance on information technology, all government agencies need to fully understand the overall security posture and whether compliance with the industrial standards is met or not. Reviews of the security posture need to cover all areas, from Government Agency Continuity Planning to Intrusion Detection and Anti-Virus programs. On the other hand, government agencies need to know how beneficial information security is and thus how security measures that address risks in a cost-effective manner have to be implemented. Having a comprehensive information security framework that is based on standards and addresses the specific risks that an organization is facing is a current goal for many government agencies. There is no perfect solution that will secure all government information assets and systems in compliance with all contractual and legal requirements.

Implementation of Cybercrime Awareness Programs

Although there is no perfect solution that will secure all government information assets and systems, several approaches have been proposed for the management of security information. Security is a key concern for effective information safekeeping. Government agencies lacking security awareness in the cyber world can miss detecting many detrimental cybercrimes. Internal security threats include user security errors, security carelessness, security negligence, and security attacks (Leach, 2003). Information systems may be secured by preventing, detecting, and correcting internal and external threats (Chen, Shaw, & Yang, n.d.). Raising cybercrime awareness can mitigate further risks associated with such agencies as well as detect perceived threats in information security.

One effective preventive measure is to create a security-aware culture by educating staff about security risks and their responsibilities (Timms, Potter, & Beard, 2004). One way to address security-aware culture is through implementation of a cybercrime awareness program.

Security awareness programs are often implemented using newsletters, posters, trinkets, and Web sites. Functions built and investigated include a discussion forum, risks events, awareness activities, a newsletter and article sharing, and a management center (Chen, Shaw, & Yang, n.d.).

According to Chen, Shaw, & Yang (n.d.):

The five key components in the system architecture that is used to administer the system and to guide the development of the system functions are (1) System Management, (2) User Management, (3) Incident Management, (4) Awareness Activity Management and (5) Evaluation Management.

System Management manages three major functions of the system: news, discussion, and selected articles. User Management allows the system manager to maintain users’ data and confidential information. Incident Management gives the system manager the ability to add, delete, maintain, and manage incident events using wizards and templates. With Awareness Activity Management, the system manager can add and delete awareness activities as well as easily create new projects. With Evaluation Management, a system manager can obtain information such as participation behavior and performance records for each participation activity. There are also some best practices and standards helping organizations to develop and to monitor government agencies’ information safekeeping. Two of these standards are GASSP (Generally Accepted System Security Principles) and the ISO17799, which was based on British standard BS7799. These standards are vendor neutral and do not focus on specific technologies, but mainly focus on the process of information security.

ISO17799 pertains to what should be an information security program, but does

not provide how security requirements can be achieved. It aims to protect information

from a wide range of threats like cybercrimes in order to ensure government agency

continuity and minimize the damage. It provides an opportunity for government

security managers to gain senior management recognition of the importance of

procedures and mechanisms to enhance information security. The objectives of this

methodology is to provide common and best practice guidance to enable a

government agency to implement appropriate information security, to facilitate inter-

18

Page 19: Research ( to Papa God Be All the Glory!)

company trading by providing confidence in the security of shared information, to

ensure government agency continuity and minimize damage, to help government

agencies to identify strengths and weaknesses in the organization’s information

security management processes, to plan improvement actions that support achievement

of the organization’s goals, to enable organizations to implement and measure

effective information security management practices and to provide confidence

relating to third party access. On the other hand, GASSP was developed to

promulgate comprehensive generally accepted system security principles using input

from information security practitioners in the private and public sectors from the USA and

abroad. Other regulations and standards are the Sarbanes-Oxley, HIPAA, GLBA, BSI,

COBIT,

The level of cybercrime awareness will be determined by the government

agencies’ compliance with the standards of GASSP (Generally Accepted System

Security Principles) and ISO17799. Even though the approaches, architecture and tools

of these standards provide some important security tasks, the insufficiency and

incompleteness remain because the technology can be ineffective without the proper

people and processes integrated with it. Some of these proposals contain approaches and

architectures dedicated to assess the security policies applied in the organization and

verify the compliance with the standards but do not provide the technical solution to

implement them. Some others provide planning to implement and monitor specific

policies but do not provide a standard compliance service.

CHAPTER III

THEORETICAL/CONCEPTUAL/OPERATIONAL FRAMEWORK

This study used two standards followed by organizations to help them develop

and monitor their information security program. These two standards are GASSP

(Generally Accepted System Security Principles) and the ISO27002, which was based on

British standard BS7799.

The Generally Accepted System Security Principles (GASSP) was primarily

created with government's information and data systems in mind. With this, the

proponents used this model in constructing their conceptual framework. The rules and

procedures were outlined in the National Research Council document titled, “Computers

At Risk”. The table below illustrates the principles and practices described.

Table 1. Generally Accepted System Security Principles

Another of the best-practice standards that help organizations develop and

monitor their information security program is the ISO17799. It is vendor neutral and

does not focus on specific technologies, but mainly focuses on the process of

information security. ISO17799 pertains to what should be an information security

program, but does not provide how security requirements can be achieved. The

figure below summarizes the standard.

Figure 1. BS7799

CONCEPTUAL FRAMEWORK

The existence of cybercrime will increase information security as

cybercrime awareness develops from such existence. The conceptual framework below helps

to measure how Philippine government agencies strengthen information security against cybercrimes

in an increasingly technological society. The variables that will be used in this study are cybercrime

existence as the independent variable, change in information security as the dependent variable, and cybercrime

awareness programs as the moderating variable.

Figure 2. Effect of cybercrime existence on information security

CHAPTER IV

METHODOLOGY

Research Design

The research design employed in this study is both descriptive and evaluative.

This study is conducted to determine the different types of cybercrime, how cybercrime affects

information security, and the change in information security brought about by an increase in cybercrime

awareness in Philippine government agencies. This study is also conducted to evaluate

the change in information security brought about by an increase in cybercrime awareness in Philippine

government agencies. The data will be collected through questionnaires distributed to

agencies recently affected by cybercrimes. The data will be analysed

using the ratings given by the agencies that receive the questionnaires.

Time and Place of the Study

The study was conducted at De La Salle University-Dasmarinas and has a time

frame of 4 months starting from the month of June to October, the first semester of

S.Y. 2011-2012 of the said university.

Sources of Data

The sources of the data used in this research came mostly from web sites of

credible agencies, both private and government, and local and international, that fight

cybercrimes. Also, since this paper aims to give the recent data about cybercrime in the

Philippine government agencies, articles from newspapers were also cited. The sites of

government agencies in the Philippines affected by the recent attacks of cybercrimes

were checked to better determine the updates on the problem.

Data Collection Procedure

The questionnaires will be handed to the

Information Technology Directors of the Department of Health, the Department of Labor

and Employment, and the Department of Justice. Each Director will be allotted a time of

one month to answer the questionnaires. After the given time, the proponents will

collect the questionnaires for evaluation.

Analytical Procedures

The existence of cybercrime will be measured by noting the types of cybercrimes

identified by the agencies given the questionnaires. From the types of

cybercrime, their causes and effects will also be evaluated and determined, respectively.

The effects in particular will be measured in terms of the monetary and intrinsic

value of the assets that were affected by the cybercrime. The causes, on the other

hand, will be evaluated based on the ratings that the agency gives on a scale of 1-10,

where 1 stands for their least cited cause and 10 for their number one cited cause.

The conceptual framework of the study helps to measure how Philippine government

agencies strengthen information security against cybercrimes in an increasingly technological society. The

variables that will be used in this study are cybercrime existence as the independent variable, change in

information security as the dependent variable, and cybercrime awareness programs as the moderating variable.

Cybercrime existence will be determined by the types and causes of cybercrimes and the

corresponding effects of cybercrimes on information security of Philippine government agencies. These

independent variables are to be determined by using questionnaires to analyze the current situation of the

information security of an agency.

Cybercrime existence will be measured before and after the implementation of cybercrime

awareness programs, and this will result in a change in information security, which is the dependent

variable of the study.

The implementation of cybercrime awareness programs will help mitigate the existence of

cybercrimes and will be used to measure if there has been a change in the level of information security.

The effectiveness or the number of programs that will be implemented will affect the relationship

between cybercrime existence and information security. Cybercrime existence will be controlled by the

cybercrime awareness programs and will reflect on the level of information security.

Cybercrime awareness will affect cybercrime existence through its components, such as evaluation,

feedback, trainings, and seminars, and these will eventually mitigate such existence.

APPENDIXES

Questionnaires that will be used to measure the variables in this study:

Indicate the number of occurrences of cybercrimes listed in the table below. If not in the list, indicate the cybercrime encountered.

| Types of Cybercrime | Number of Occurrences |
| Hacking | |
| Denial of service | |
| Virus dissemination | |
| Software Piracy | |
| Net extortion | |
| Phishing | |
| Spoofing | |
| Cyber stalking | |
| Cyber defamation | |
| Threatening | |
| Others: _________________________ | |
| _________________________ | |
| _________________________ | |

Indicate the corresponding monetary or inherent value of the effects of the existence of cybercrimes on information security. For the inherent value, indicate remarks to justify the amount that will be given for the cited effects.

| Effects | Monetary Value (P) | Inherent Value*: Remarks | Inherent Value*: Corresponding Amount (P) |
| Loss of Revenue | | | |
| Wasted Time | | | |
| Damaged Reputations | | | |
| Reduced Productivity | | | |
| TOTAL | | | |

*Inherent value refers to the worth of an intangible asset that is difficult to determine in terms of monetary value.

Indicate the rating of the causes for each type of cybercrime existing in the agency based on the scale below. If not in the list, indicate the additional cybercrimes encountered along with their causes.

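5 - Very Frequent
4 - Frequent
3 - Average
2 - Rare
1 - Never

| TYPES OF CYBERCRIME | CAUSES: Storage of Data | Confidential information | Negligence | Complex codes | Lack of evidence | Accessibility to victims | Others |
| Hacking | | | | | | | |
| Denial of service | | | | | | | |
| Virus dissemination | | | | | | | |
| Software Piracy | | | | | | | |
| Net extortion | | | | | | | |
| Phishing | | | | | | | |
| Spoofing | | | | | | | |
| Cyber stalking | | | | | | | |
| Cyber defamation | | | | | | | |
| Threatening | | | | | | | |
| Others: | | | | | | | |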
