
CHAPTER I INTRODUCTION

Computers and the internet are very flexible to innovation, as new technology emerges to better serve its users. These technologies serve as a venue for growth and development in different fields, so much so that they could hardly be thought to be misused for criminal activities, called cybercrime. Cybercrime is an illegal and criminal activity using computers and the internet. It comes in different forms such as: (i) an offense where a computer is the target; (ii) an offense where a computer is a tool used to conduct illegal activity; and (iii) an offense where a computer is used as a repository of crime. Cybercrime is one of the fastest-growing crimes around the world. It attacks people, property and organizations. Organizations prone to cybercrime include various establishments, businesses and government. The government comprises different government agencies that play major roles in providing public services in society. Government agencies are responsible for the oversight and administration of specific functions and consequently require utmost information safekeeping.

In the Philippines, there are already cases of cybercrime in government agencies. In research conducted by the Government Computer Security and Incident Response Team (GCSIRT) from 2003 to 2007 (Sosa, n.d.), there was evidence of transnational attacks on computers and the information infrastructure, and a total of 667 government websites were discovered defaced, or an aggregate of 133 government websites were attacked by defacers/hackers each year, an average of 11 incidents per month. The cases indicate an increasingly technological society in the Philippines in which strengthening information security for government agencies is essential. Cybercrime existence analysis and awareness programs can promote a great change in the way information safekeeping is practiced.

Background of the Study

Cybercrime is a relatively new phenomenon, and many simple steps that could be taken to protect against it remain unknown or unused by the majority of Information and Communications Technology (ICT) users. A degree of basic understanding of technological developments and their impact on information will often be sufficient to prompt government agencies into action and change their routine behaviours. Although cybercrime affects all parts of society, arguably it is the government that feels the most impact from it. Premeditated attacks carried out by hackers and viruses are clearly of great concern for all government agencies. More often than not, these attacks are targeted at well-known, large government agencies. It is rarer for small and medium-sized agencies to be singled out for a targeted, malicious attack. More frequently it is human error, or a collective failure by the organisation to protect itself, that is the root cause of a security breach. Awareness-raising is thus needed at many different levels and should be tailored to suit the information needs of different target groups.

Government agencies are similar to businesses, which are inclined to give credibility to the impact that serious breaches of security could have on their organisation, but despite this, the majority of businesses remain confident that their current technical security processes, often based on conventional, off-the-shelf anti-virus and firewall software, provide sufficient protection. Sole reliance on these systems is, however, not sufficient to provide comprehensive protection from attacks by increasingly sophisticated hackers and virus designers who are able to bypass traditional security programmes. Making available up-to-date information and general guidance on how to tackle the latest threats is therefore necessary to overcome the dangerous over-reliance by businesses on conventional programmes. Furthermore, if they are serious, security breaches may have consequences for compliance and company liability, but many government agencies are not aware of these risks and so do nothing to mitigate them.

Statement of the Problem

Computers and the Internet, which greatly serve their users, can hardly be misused for criminal activities. How do Philippine government agencies strengthen information security from cybercrime existence in this increasingly technological society?

Cybercriminals are veering away from attacking individual personal computers (PCs) due to the low gain that they can get from single users. Instead, they are turning to infiltrating establishments or agencies for larger profit. According to Senator Edgardo Angara (2011), the country ranks high among countries in the region susceptible to cybercrimes and attacks as well as malicious programs such as URL phishing that allows hackers to remotely control another computer. Increasing reports of crimes are presented in research conducted by the GCSIRT from 2003 to 2007 (Sosa, n.d.): there was evidence of transnational attacks on computers and the information infrastructure, and a total of 667 government websites were discovered defaced, or an aggregate of 133 government websites were attacked by defacers/hackers each year, an average of 11 incidents per month. Based on this research, it was found that 134 coded defacers (both local and international) attacked these government websites in that five-year period.

Government agencies are now making proactive queries about cybercrime as they want protection. Information security is next to cybercrime awareness. Based on the current information security, a tailored cybercrime awareness program is generated. Evaluation of the information security implemented with the cybercrime awareness program will determine the change in information security in Philippine government agencies.

Objectives of the Study

(1) To determine the different types of cybercrimes being experienced by Philippine government agencies.

(2) To evaluate the causes of cybercrime in the Philippine government agencies.

(3) To determine how cybercrime affects the information security of Philippine government agencies.

(4) To determine the change in information security by an increase in cybercrime awareness in Philippine government agencies.

Hypotheses of the Study

The following hypotheses were tested in the study:

H1: An increase in cybercrime awareness strengthens information security in Philippine government agencies.

H0: An increase in cybercrime awareness has no change in the information security in Philippine government agencies.

Significance of the Study

The results of this study will be of significant value to a number of sectors in government agencies, ICT users and the general public.

To government agencies themselves. The study aids in raising awareness of cybercrimes that could possibly attack different levels of information safekeeping. Sole reliance on basic systems is no longer sufficient to provide comprehensive protection from attacks by increasingly sophisticated hackers and virus designers who are able to bypass traditional security programmes. Updated information and general guidance on how to tackle the latest threats are necessary to overcome the dangerous over-reliance by government agencies on conventional programmes and to strengthen information security.

To ICT users. Information on cybercrime awareness for efficacy of information security is very useful to the majority of ICT users. A degree of basic understanding of technological developments and their impact on operation will often be sufficient to prompt government ICT users into action and change their routine behaviours.

To the citizens. The citizens are the taxpayers, and they have the right to know that taxes are efficiently managed by the agencies, particularly in the field of information security. If government information is well protected, it will also be beneficial to the citizens whom the government serves.

This study focuses on the government agencies in the Philippines, making the agencies themselves, their ICT users and their stakeholders, the citizens, the beneficiaries of the research. The data on cybercrime awareness for efficacy of information security is very useful not only for further study in this area but also for a better understanding of the particular target group. This shall help in designing interventions for this group and sending the right message across to the right people.

Scope and Limitations of the Study

This study will determine the different types of cybercrimes being experienced by most of the government agencies in the Philippines. The various types of cybercrimes are identified, but there is no further analysis of how the process of a certain cybercrime works. The change in information security will be evaluated by how it is affected by cybercrime awareness programs. It is revealed through the evaluation of compliance with information security standards and through examination of resources and expenses, such as in terms of assets, costs or profit. This study also gathered pertinent data regarding the efficacy of information security.

The study involves discussions with experts and concerned government leaders. The selection of respondents will be limited to government agencies that have had experiences with cybercrimes. Since the Philippines has a different organizational setting compared to other countries, this study is limited to an analysis of Philippine government agencies. The researchers are open to the fact that there will be organizations that will conceal that they have experienced such crime, for the sake of investors or stakeholders and for confidentiality purposes.

The study can offer an increase in cybercrime awareness that can contribute to the effectiveness of information security at the administrative level of government agencies situated in the Philippines. This study will not cover actual solutions to cybercrimes experienced by Philippine government agencies. It encourages responsiveness to cybercrimes to secure policies for effective information security. This study also does not include cybercrimes committed not for government means and their corresponding influences or effects.

Definition of Terms

Available technology refers to the IT expertise and tools, such as technology level and resources, that a government agency has and is able to provide for its information safekeeping.

Behavior refers to the duties and responsibilities of IT users and personnel accountable for information security.

Cybercrime refers to a criminal activity where a computer or a computer network is used as a target, source, tool, or place of a crime.

Cybercrime awareness is the factor that influences efficacy of information security.

Cybercrime awareness program refers to activities specifically tailored to increase awareness and combat cybercrime.

Cybercriminal refers to a person who committed a cybercrime for illegal means.

Internet and computers refer to the medium in which cybercriminals conduct illegal activities.

Philippine government agencies refer to different national departments or agencies designated for specific functions that are or are likely to experience cybercrimes.

Information security refers to the management and protection of information, against cybercrime, and information communication of assets, against the risks of loss, misuse, damage, reputation and loss of assets.

Technological society refers to the advancement in technology in a certain society as time goes by.

CHAPTER II REVIEW OF RELATED LITERATURE

To fulfill the objectives of this research, the researchers decided to work on a step-by-step process. The study will first determine the different types of cybercrimes being experienced by Philippine government agencies. The researchers made sure that the cybercrimes determined in this paper are current or up-to-date. This can also be a value added of this research. Next, the determined types of cybercrimes will be evaluated to know the causes of each. After knowing the types and the causes of cybercrimes, the effects of cybercrimes on the information security of Philippine government agencies will be determined. The first three objectives will help the researchers to know the current or existing information safekeeping of the government agencies. Next, implementation of cybercrime awareness programs will come into place. The effects of the implementation of cybercrime awareness programs on information security will be determined. By this, the researchers will be able to know if there will be an increase in the government agencies' information security after the implementation of the programs. The researchers will also be able to determine how the government agencies strengthen their information security by means of cybercrime awareness, which is the statement of the problem of this paper.

Crime statistics exposed five industries that are most susceptible to cybercrimes. Cybercrimes attempt to acquire sensitive information about the industry with malicious intent. The top five industries vulnerable to cybercrimes include travel, education, financial services, IT services and government services (Ascentive team, 2011). Based on the percentage of companies in each sector that responded to cybercrime, these include the following: (1) Travel Industry 25 %; (2) Education Industry 22.92 %; (3) Financial Services Industry 22.69 %; (4) IT Services Industry 20.44 %; and (5) Government Services Industry 21.23 %.

Government services in the Philippines that are prone to cybercrimes are the main focus of this study. The Department of Labor and Employment (DOLE), Department of Justice (DOJ), and the Department of Health (DOH) are the government agencies that are experiencing recent cybercrime attacks. Government agencies that use electronic communication are the most susceptible to this kind of crime. Any business that provides access to email or access to its network via the Internet is only as safe from cybercrimes as the degree to which its employees are trained to avoid cybercrime emails and other cyber-attack schemes (Sjouwerman 2011). The more employees within an organization use electronic mail or go online, the greater the risk of exposure to cybercrimes. The same is true for government agencies.

Every government agency has its own risk to mitigate. Every agency aligns its policies according to its perspectives and beliefs. Nevertheless, government agency risks are growing, and so is the need for effective information security. Government agencies have embraced Internet technologies to support their everyday services (Day, 2003). Globalization and an increased reliance on the Internet have forced many government agencies to rely on computer and networking technology for the storage of valuable company and personal information (Easttom, 2006). Proliferation of online activity and e-commerce has attracted the attention of existing criminal organizations and a new breed of cybercriminals (Gupta & Hammond, 2005). Richards (2006) argued that to define and further understand cybercrime, it is important to be aware of the different types of crimes that can be linked to computers.

Different Types of Cybercrimes

Cybercrime is one of the fastest growing non-violent crimes in the Asian region. The Philippines is among the countries greatly affected by it, particularly the government agencies. These cybercrime activities vary in type and may continue to evolve with advancement in technology. According to the presentation of the Cybercrime Investigation Cell, Mumbai (n.d.), cybercrimes being experienced by government agencies due to technology advancements include hacking, denial of service attack, virus dissemination, software piracy, net extortion, phishing, spoofing, cyber stalking, cyber defamation and threatening. (1) Hacking is the illegal intrusion into a computer system without the permission of the computer owner/user; (2) denial of service attack floods the victim network or fills the electronic mail box to deprive a person of services he or she is entitled to access or provide; (3) virus dissemination involves malicious software that attacks by attaching itself to other software; (4) software piracy is the illegal copying of counterfeit or genuine programs; (5) net extortion is copying confidential data to extort a large amount; (6) phishing is a way of acquiring confidential information of a bank or financial account holder; (7) spoofing is pretending to have the identity of a computer so as to obtain access to another computer; (8) cyber stalking is following someone by sending email or frequently entering a chat room; (9) cyber defamation is spreading defamation about a particular matter to the concerned ones; and (10) threatening is sending threat emails.


The types of cybercrimes presented by the Cybercrime Investigation Cell, Mumbai (n.d.) coincide with the study conducted by De La Cruz (n.d.), an Information Security Officer. He cited examples of cybercrime such as unauthorized network access, interception and fabrication of emails, theft of passwords, identity theft, internet fraud, and cyber-stalking.

Various types of cybercrimes are enduring problems in the country's increasingly technological structure. Firms, including government agencies, are vulnerable to cyber threats such as hacking, identity theft, spamming, phishing, denial-of-service attacks, and malware, such as the ILOVEYOU virus (Roxas-Chua III, 2008). The country ranks high among countries in the region vulnerable to cybercrimes and attacks as well as malicious programs such as URL phishing that allows hackers to remotely control another computer (Angara, 2011). Common types of cybercrime activities include unauthorized access; illegal interruption without right, made by technical means, of non-public transmission of computer data to, from or within a computer system; data interference, or the damaging, deletion, deterioration, alteration or suppression of computer data without proper authority; system interference, or the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data; misuse of devices; forgery; and fraud (Enrile, 2010).

One remarkable example of these dangerous cybercrimes is the ILOVEYOU virus, which was created and unleashed in May 2000. It cost several companies, governments, and citizens billions of US dollars in damages. Likewise, the first Filipino who was convicted due to cybercrime, particularly hacking, in September 2005 was JJ Maria Giner. He pleaded guilty to hacking the government portal gov.ph and other government websites.

At present, as stated by DOST Undersecretary Fortunato de la Pena (2011), Officer-in-charge of the Information and Communications Technology Office (ICTO), Philippine government agencies are experiencing cyber-attacks mostly on websites and systems that are developed in-house using coding practices that are below standards. Last July (2011), a hacker group which named itself Private X attacked the websites of the Office of the Vice President and the Philippine Nuclear Research Institute. More recently, website defacement of the online portal of the National Disaster Risk Reduction and Management Council (NDRRMC) was reported. Determining and evaluating where these cybercrimes are coming from and why they exist in such numbers is of great importance.

Causes of Cybercrime

As presented by the Cybercrime Investigation Cell, Crime Branch, CID, Mumbai (n.d.), computers are vulnerable to crime because of ambiguity, computers' storage capacity, weakness in operating systems, and lack of awareness of the users. Lack of cybercrime awareness in government agencies is what the researchers are trying to connect with information security. Boosting responsiveness or awareness to cybercrimes can lessen and to some extent prevent the risk of exposure to cybercrimes. Lack of awareness is very closely connected with human conduct. It is therefore very probable that while protecting the computer system there might be some deficiency in awareness, which in turn allows a cyber criminal to gain access to and control over the government agencies' computer systems.

Sentors (2009) enumerated the different causes of cybercrimes currently being experienced by government agencies in the Philippines, which include storage of data, confidential information, negligence, complexity of codes, lack of evidence, and accessibility to victims.

Storage of Data of government agencies can be a cause of cybercrime. Weak and unsecured storage of government data allows criminals in various fields to have access to extensive data, in which case this data can be removed through various means, including physical and virtual.

Confidential Information from security firms, scientific databases, financial institutes and even governmental organizations is stored online and on networks. This allows cyber criminals to initiate unauthorized access and use it for personal needs. Complex technology can be manipulated and firewalls can be bypassed, allowing criminals to gain access to security codes, bank accounts and other governmental information.

Sometimes simple Negligence can give rise to criminal activities. Saving a password on an official computer, using official data in a public place, and storing data without protection are simple causes of cybercrimes that could exist in a government agency. Cyber criminals can take advantage of such negligence and use it to obtain, manipulate and forge information.

Government operating systems have Complex Codes that can be decoded or manipulated to gain access to the system. There are always loopholes in security that a professional cyber criminal can find and hack into. A traditional bank robber can research the security system and take advantage of it; likewise, a cyber thief is not much different, except that he can breach security virtually.

Another cause of increasing cyber crime is the Lack of Evidence to bind the criminal by law. There are so many ways to hide the track of a cyber crime and little to actually police the criminal. The police can trace the information to the criminal, but unless solid physical evidence is found, the track cannot be used in a court of law.

Accessibility to Victims is another root cause of cybercrime in government agencies. Government employees who go online allow cyber criminals to target necessary government information without being physically present. The police and other related agencies find it impossible to connect people when the trace is online. Hackers gather information and use it for their own criminal ends.

Though technology is improving, there is a long way to go before cyber criminals can be punished watchfully. Many modes of criminal activity that traditional policing methods and laws bind lose jurisdiction in cyber crime cases. Thus, many crimes are being committed online which affect the information security of Philippine government agencies.

Cybercrime Existence Affecting Information Security

Information security has evolved significantly over the last decade and even more quickly over the last few years. In earlier days, critical data was in paper format; thus physical security was the major concern. The large amount of electronic data, coupled with how government agencies are networked together (e.g. via the Internet), has made security of electronic data a challenging problem today. The objective of information security in government agencies is to protect information from a wide range of accidental or malicious threats or attacks. Government agencies should not look at security only as technology, but instead as people, processes, and technology. Fortunately, several information security standards, such as ISO17799 (British standard BS7799), have been developed and government information security best practices have been defined.

According to an Accenture study (December 2009) on data protection and privacy, 58 % of the surveyed respondents indicated loss of sensitive personal information and 42 % had an ongoing problem of data security breaches. Even if a government agency has not faced any cyber crime problems, it is important to begin addressing concerns now, before facing security violations. By understanding what steps government agencies can take, costly and embarrassing security breaches can be protected against and prevented.

Depending on their reliance on information technology, all government agencies need to fully understand their overall security posture and whether compliance with the industrial standards is met or not. Reviews of the security posture need to cover all areas, from Government Agency Continuity Planning to Intrusion Detection and Anti-Virus programs. On the other hand, government agencies need to know how beneficial information security is and thus how security measures that address risks in a cost-effective manner have to be implemented. Having a comprehensive information security framework that is based on standards and addresses the specific risks that an organization is facing is a current goal for many government agencies. There is no perfect solution that will secure all government information assets and systems in compliance with all contractual and legal requirements.


Implementation of Cybercrime Awareness Programs

Although there is no perfect solution that will secure all government information assets and systems, several approaches have been proposed for the management of security information. Security is a key concern for effective information safekeeping. Government agencies lacking security awareness in the cyber world can miss detecting many detrimental cybercrimes. Internal security threats include user security errors, security carelessness, security negligence, and security attacks (Leach, 2003). Information systems may be secured by preventing, detecting, and correcting internal and external threats (Chen, Shaw, & Yang, n.d.). Raising cybercrime awareness can mitigate further risks associated with such agencies as well as detect perceived threats in information security. One effective preventive measure is to create a security-aware culture by educating staff about security risks and their responsibilities (Timms, Potter, & Beard, 2004).

One way to address security-aware culture is through implementation of a cybercrime awareness program. Security awareness programs are often implemented using newsletters, posters, trinkets, and Web sites. Functions built and investigated include a discussion forum, risk events, awareness activities, a newsletter and article sharing, and a management center (Chen, Shaw, & Yang, n.d.).

According to Chen, Shaw, & Yang (n.d.): The five key components in the system architecture that is used to administer the system and to guide the development of the system functions are (1) System Management, (2) User Management, (3) Incident Management, (4) Awareness Activity Management and (5) Evaluation Management. System Management manages three major functions of the system: news, discussion, and selected articles. User Management allows the system manager to maintain users' data and confidential information. Incident Management gives the system manager the ability to add, delete, maintain, and manage incident events using wizards and templates. With Awareness Activity Management, the system manager can add and delete awareness activities as well as easily create new projects. With Evaluation Management, a system manager can obtain information such as participation behavior and performance records for each participation activity.

There are also some best practices and standards helping organizations to develop and to monitor government agencies' information safekeeping. Two of these standards are GASSP (Generally Accepted System Security Principles) and ISO17799, which was based on British standard BS7799. These standards are vendor neutral and do not focus on specific technologies, but mainly focus on the process of information security.

ISO17799 pertains to what an information security program should be, but does not provide how security requirements can be achieved. It aims to protect information from a wide range of threats like cybercrimes in order to ensure government agency continuity and minimize the damage. It provides an opportunity for government security managers to gain senior management recognition of the importance of procedures and mechanisms to enhance information security. The objectives of this methodology are to provide common and best practice guidance to enable a government agency to implement appropriate information security, to facilitate inter-company trading by providing confidence in the security of shared information, to ensure government agency continuity and minimize damage, to help government agencies to identify strengths and weaknesses in the organization's information security management processes, to plan improvement actions that support achievement of the organization's goals, to enable organizations to implement and measure effective information security management practices, and to provide confidence relating to third party access.

On the other hand, GASSP was developed to promulgate comprehensive generally accepted system security principles using input from information security practitioners in the private and public sectors from the USA and abroad. Other regulations and standards are the Sarbanes-Oxley, HIPAA, GLBA, BSI, COBIT.

The level of cybercrime awareness will be determined by the government agencies' compliance with the standards of GASSP (Generally Accepted System Security Principles) and ISO17799. Even though the approaches, architecture and tools of these standards provide some important security tasks, insufficiency and incompleteness remain because the technology can be ineffective without the proper people and processes integrated with it. Some of these proposals contain approaches and architectures dedicated to assessing the security policies applied in the organization and verifying compliance with the standards, but do not provide the technical solution to implement them. Others provide planning to implement and monitor specific policies but do not provide a standard compliance service.


CHAPTER III THEORETICAL/CONCEPTUAL/OPERATIONAL FRAMEWORK

This study used two standards followed by organizations to help them develop and monitor their information security program. These two standards are GASSP (Generally Accepted System Security Principles) and the ISO27002, which was based on British standard BS7799. The Generally Accepted System Security Principles (GASSP) was primarily created with government's information and data systems in mind. With this, the proponents used this model in constructing their conceptual framework. The rules and procedures were outlined in the National Research Council document titled, Computers At Risk. The table below illustrates the principles and practices described.


Table 1. Generally Accepted System Security Principles

Another one of the best practice standards helping organizations to develop and to monitor their information security program is ISO17799. It is vendor neutral and does not focus on specific technologies, but mainly focuses on the process of information security. ISO17799 pertains to what an information security program should be, but does not provide how security requirements can be achieved. The figure below summarizes the standard.

Figure 1. BS7799


CONCEPTUAL FRAMEWORK

The effect of the existence of cybercrime will be to increase information security as cybercrime awareness develops from such existence. The conceptual framework below helps to measure how Philippine government agencies strengthen information security from cybercrimes in an increasingly technological society. The variables that will be used in this study are cybercrime existence as the independent variable, change in information security as the dependent variable, and cybercrime awareness programs as moderating variables.

Figure 2. Effect of cybercrime existence on information security


CHAPTER IV METHODOLOGY

Research Design The research design employed in this study is both descriptive and evaluative. This study is conducted to determine the different types of cybercrime, how cybercrime affects information security, and the change in information security brought by an increase in cybercrime awareness in Philippine government agencies. Also, this study is conducted to evaluate the change in information security brought by an increase in cybercrime awareness in Philippine government agencies. These data will be collected through questionnaires distributed to agencies recently affected by cybercrimes. The data will be analysed through the ratings given by the agencies that receive the questionnaires.

Time and Place of the Study The study was conducted at De La Salle University-Dasmarinas and has a time frame of 4 months, starting from the month of June to October, the first semester of S.Y. 2011-2012 of the said university.

Sources of Data The sources of the data used in this research came mostly from web sites of creditable agencies, both private and government, and local and international that fight cybercrimes. Also, since this paper aims to give the recent data about cybercrime in the Philippine government agencies, articles from newspapers were also cited. The sites of government agencies in the Philippines affected by the recent attacks of cybercrimes were checked to better determine the updates on the problem.

Data Collection Procedure The questionnaires will be handed to the Information Technology Directors of the Department of Health, the Department of Labor and Employment, and the Department of Justice. Each Director will be allotted one month to answer the questionnaires. After the given time, the proponents will collect the questionnaires for evaluation.

Analytical Procedures The existence of cybercrime will be measured by noting the types of cybercrimes that will be determined by the agencies that receive the questionnaires. From the types of cybercrime, its causes and effects will also be evaluated and determined respectively. The effects in particular will be measured in terms of the monetary and intrinsic value of the assets that were affected by the cybercrime. The causes, on the other hand, will be evaluated based on the ratings that the agency will give on a scale of 1-10, where 1 stands for their least cited cause and 10 for their number one cited cause. The conceptual framework of the study helps measure how Philippine government agencies strengthen information security against cybercrimes in an increasingly technological society. The variables that will be used in this study are cybercrime existence as the independent variable, change in information security as the dependent variable and cybercrime awareness programs as moderating variables.


Cybercrime existence will be determined by the types and causes of cybercrimes and the corresponding effects of cybercrimes on the information security of Philippine government agencies. These independent variables are to be determined by using questionnaires to analyze the current situation of the information security of an agency. Cybercrime existence will be measured before and after the implementation of cybercrime awareness programs, and this will result in a change in information security, which is the dependent variable of the study. The implementation of cybercrime awareness programs will help mitigate the existence of cybercrimes and will be used to measure if there has been a change in the level of information security. The effectiveness or the number of programs that will be implemented will affect the relationship between cybercrime existence and information security. Cybercrime existence will be controlled by the cybercrime awareness programs and will reflect on the level of information security. Cybercrime awareness will affect cybercrime existence through its components, such as evaluation, feedback, trainings, and seminars, and these will eventually mitigate such existence.


REFERENCES

Araneta, S. (2011). DOJ pushes passage of cybercrime bill. The Philippine Star. Retrieved August 21, 2011, from http://www.philstar.com/Article.
Association for Information Systems. (2003). BS7799: a suitable model for information security management. Systems Engineering Research Centre, Southampton Institute, UK.
Basu, S. (2004). E-government and developing countries: an overview. 109-132.
Barrett, M., Steingruebl, A., & Smith, B. (2011). Combating cybercrime. Retrieved August 21, 2011, from https://www.paypal-media.com/assets/pdf/fact_sheet/
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2008). Analysis of perceived burden of compliance: the role of fairness, awareness, and facilitating condition. Retrieved July 26, 2011, from http://people.commerce.ubc.ca/phd/bulgurcu/docs/
Carter, E. (2002). Examining cybercrime: its forms and its perpetrator. Retrieved October 8, 2011, from http://www.google.com.ph/
Chen, C., Shaw, R., & Yang, S. (n.d.). Mitigating information security risks by increasing user security awareness: a case study of an information security awareness system. Retrieved August 21, 2011, from http://www.mendeley.com/
Cyber Crime Investigation Cell, Mumbai. (n.d.). Cyber crime awareness. Retrieved July 26, 2011, from http://www.cybercellmumbai.com/files/
De La Cruz, M. (n.d.). Cybercrime awareness. Retrieved August 21, 2011, from http://www.google.com.ph/
Enrile, J. (2010). Fifteenth congress of the republic of the Philippines. Retrieved August 21, 2011, from http://www.senate.gov.ph/lisdata/75676380!.pdf
Felongco, G. (2011). Philippines prone to cyber crime: official. Gulfnews. Retrieved August 31, 2011, from http://gulfnews.com/news/world/philippines/
Morris, A. (2007). Protecting management information systems: virtual private network competitive advantage. Unpublished doctoral dissertation, AUT University.
Nykodym, N., Ariss, S., & Kurtz, K. (n.d.). Computer addiction and cyber crime. Retrieved August 21, 2011, from http://www.na-businesspress.com/JLAE/
Research Center & Scientific Consultations. (2003). A standard-compliant integrated security framework. Al-Imam Mohammad Bin Saud Islamic University.
Romero, A. (2011). Cybercrimes pose serious threat to Phl PSA. The Philippine Star. Retrieved August 21, 2011, from http://www.philstar.com/
Sosa, G. (n.d.). Country report on cybercrime: the Philippine. Retrieved August 21, 2011, from http://www.unafei.or.jp/english/pdf/RS_No79/No79_12PA_Sosa.pdf
Tuazon, J. (2011). DOST-ICTO pushes for passage of cybercrime, data privacy bills. Barrio Siete. Retrieved August 21, 2011, from http://barriosiete.com/


APPENDIXES Questionnaires that will be used to measure the variables in this study: Indicate the number of occurrences of cybercrimes listed in the table below. If not in the list, indicate the cybercrime encountered.

Types of Cybercrime | Number of Occurrences
Hacking |
Denial of service |
Virus dissemination |
Software Piracy |
Net extortion |
Phishing |
Spoofing |
Cyber stalking |
Cyber defamation |
Threatening |
Others: _________________________ |
_________________________ |
_________________________ |

Indicate the corresponding monetary or inherent value of the effects of the existence of cybercrimes on information security. For the inherent value, indicate remarks to justify the amount that will be given for the cited effects.


Effects | Monetary Value (P) | Inherent Value* Amount (P) | Corresponding Remarks
Loss of Revenue | | |
Wasted Time | | |
Damaged Reputations | | |
Reduced Productivity | | |
TOTAL | | |

*Inherent value refers to the worth of an intangible asset that is difficult to determine in terms of monetary value.

Indicate the rating of the causes for each type of cybercrime existing in the agency based on the scale below. If not in the list, indicate the additional cybercrimes encountered, as well as their causes.

5 - Very Frequent
4 - Frequent
3 - Average
2 - Rare
1 - Never

TYPES OF CYBERCRIME | CAUSES: Lack of evidence | Storage of Data | Complex codes | Accessibility to victims | Negligence | Confidential information | Others
Hacking | | | | | | |
Denial of service | | | | | | |
Virus dissemination | | | | | | |
Software Piracy | | | | | | |
Net extortion | | | | | | |
Phishing | | | | | | |
Spoofing | | | | | | |
Cyber stalking | | | | | | |
Cyber defamation | | | | | | |
Threatening | | | | | | |
Others: | | | | | | |
