
Chapter 1 THE PROBLEM AND ITS BACKGROUND

Introduction

In the midst of a global social, political and economic slowdown, governments must cut costs to reduce deficits while still meeting citizens' needs for more accessible and responsive communication. Governments throughout history have introduced innovations to make information accessible to the public, and advances in technology are now seen as a new venue for addressing these needs. Technology became even more important in bringing about governmental change once the Gutenberg press was invented: it allowed documents and entire books to be produced in large quantities and used to educate people about current issues, and it served as a force for challenging the autocratic and even dictatorial rulers of the time. History shows that such rulers are still around today despite these technological developments. This line of development eventually led to government websites, which extended the reach of public communication further; the new forms of technology can spread the word of change at speeds our ancestors could never have managed.

Philippine government websites can be defined broadly as the use of information and communication technologies (ICTs) in the country's public sector to improve its operations and delivery of services. They are increasingly seen as the answer to a plethora of problems that the Philippine government, and public agencies in general, face in serving their constituencies effectively. This is especially so in developing countries like the Philippines, where public agencies generally face resource constraints in improving their operations and in delivering services to citizens. In such cases, government websites have been touted as a means to save costs while improving quality, response times, and access to services. Government website information is used for decision-making, budgeting, government policy, poverty eradication and scientific research, among other purposes. These multiple purposes have increased the need for accurate and timely information, which government websites can provide.

Background of the Study

Philippine government websites play an important role in enhancing communication between the government and its constituents. We usually do not notice how important they are, but government websites now play a vital role in keeping pace with technological change.

These websites are the application of information technology to the provision of government information and services, with the aim of minimizing the burden that public administration and business activities place on citizens. They play a big role in bridging information gaps: information about the services offered by the government through its different ministries can be disseminated quickly, down to the grass-roots level. This is intended to make government services available to all citizens and to improve their delivery wherever and whenever needed. Despite the long-standing recognition of security as a people problem, approaches to tackling the people problem remain technocratic to this day. To overcome security issues, security researchers recommend a variety of technical (sometimes called positivist) methods such as risk analysis, checklists and evaluation.

Although there have been occasional attempts in recent years to look into alternative approaches to security research, such as its cultural, social and organizational aspects, there is still a noticeable absence of the human perspective in the research approaches adopted so far.

Why, given people's profound impact on the security of government websites and organizations, has the human approach to security research been neglected? This may be due primarily to the general perception, held by many including research sponsors, of security as a purely technical problem, and hence the primary objective of seeking only technical solutions; to the emergence of security from the computer science domain; to security researchers coming mostly from computer science and engineering backgrounds; and to the commercial viability of technological security products.

The view of this study is that although the existing technical research approaches are useful and relevant, they tackle only part of the problem. Considering the critical role people play both in creating security threats and in defending against security risks, it is imperative that the security discipline adopt a different approach: the human approach.

This research takes on a portion of this task by adopting a human approach to researching security in organizations, with an interpretive paradigm as the mode of inquiry. Hence, the research discusses security from a non-technical standpoint, in contrast to the mainly technical or positivist approaches that have dominated the discipline so far. By supplementing and complementing the existing approaches, this approach can afford an overall, all-encompassing view of the security phenomenon.

Theoretical Framework

This study is guided by the principles behind Section 7, Article III of the 1987 Constitution, which states that "The right of the people to information on matters of public concern shall be recognized. Access to official records, and to documents and papers pertaining to official acts, transactions, or decisions, as well as to government research data used as basis for policy development, shall be afforded the citizen, subject to such limitations as may be provided by law." In pursuit of man's quest for harmony and progress, this provision was included in order to provide the people with an honest and accountable government.1 Using this principle as its basis, this research aims to pursue a higher stage of development in the protection and security of government websites against abuses and criminal acts that might affect the confidentiality of government documents and data. Various factors and problems surrounding the provision leave room for improvement. As the provision states, official records, documents and papers pertaining to official acts, transactions, or decisions are subject to such limitations as may be provided by law. Unfortunately, current laws against abuses of the right to information have insufficient provisions on the punishments applicable to those who violate them. Offenders usually target Philippine government websites because of their low level of security and the limited punishment for committing such crimes, thus putting the state's security in jeopardy.

1 The Constitutions of the Philippines, (Anvil Publishing Inc, 2005), 12.

Conceptual Framework

[Figure 1 (diagram not reproduced). Inputs: the respondents' profile (name, years of experience) and the challenges met by Philippine government websites, grouped into External Environmental Risk Issues, Existing Technological Solutions Issues, External Human Threats Issues, Security Management Issues, Organizational Issues and Personnel Issues. Process: each issue is rated Not Problematic, Somewhat Problematic or Highly Problematic, in order to uncover the most problematic people issues with regard to security in organizations from the perspective of IT professors of the Polytechnic University of the Philippines, and to determine the most problematic issues facing organizations in achieving security effectiveness. Outputs: the strategies used by the Philippine government to protect the websites, and the effectiveness of those strategies.]

Figure 1. Conceptual Framework

This paper presents a conceptual framework to uncover the most problematic issue that the Philippine government is facing. In particular, the researchers discuss three aspects of the model: (1) the specific issues met by Philippine government websites (External Environmental Risk Issues, Existing Technological Solutions Issues, External Human Threats Issues, Security Management Issues, Organizational Issues and Personnel Issues); (2) the rating of each issue as Not Problematic, Somewhat Problematic or Highly Problematic; and (3) the continuous process or discrete strategies adopted by the Philippine government to protect the websites over time, and the effectiveness of those strategies.

Statement of the Problem

The main problem of this study is to determine the problems met by the different Philippine government websites and their effects on the information security of the State. Specifically, it attempts to answer the following questions:

1. What security measures are in place, and what is their role in the Philippine government with regard to website security?

2. What issues are met by Philippine government websites in terms of:

a. External Environmental Risk Issues
b. Existing Technological Solutions Issues
c. External Human Threats Issues
d. Organizational Issues
e. Security Management Issues
f. Personnel Issues

3. What is the most problematic issue that the government is facing, and how can it be addressed?

Scope and Limitation of the Study

The study was limited to the present issues met by Philippine government websites. It involved 97 information technology and computer science researchers and practitioners in the National Capital Region, sampled from a total population of 100 in that region. These professionals came from different companies and organizations in the region.

The responses of these professionals were categorized according to their specialization to find out whether significant differences exist in their responses on the present challenges met by Philippine government websites. Data gathering employed a questionnaire, which the researcher acknowledges as a potential source of bias. The questionnaire was therefore supplemented by observation, interviews, and analysis of journals, books, articles, and published and unpublished theses and dissertations, which also served as bases for formulating the questionnaire.

This study focuses only on the present challenges of Philippine government websites. The findings of the study are therefore true only for the subjects concerned and for the given period of time, although they could serve as a basis for similar studies to be conducted at the different Political Science institutions in the country.

Significance of the Study

The primary objective of this research is to determine what security professionals perceive to be the most problematic security issues, especially the people issues affecting security in organizations. The findings can then be used to identify human-related issues affecting security in organizations and to improve security in real-life settings. It is further hoped that:

For security researchers, this understanding could act as an impetus to further research adopting a holistic approach to the study of information security.

For government officials, provincial and local leaders, and government corporation managers, the findings of this research could create greater awareness of the importance of the human element when considering and managing security in organizations.

For security developers and for researchers who study information security management techniques and methods, this research could offer a basis for modifying their existing technical models into holistic security management models. Because of the practical focus of such investigations, research in this area has generally not involved the use or development of theory; most studies are descriptive. Such studies about government websites are limited in terms of generalizability: since they deal with specific problems, they must be repeated frequently as circumstances change.

The research conducted in this study, by contrast, involves an examination of theoretical concepts and an empirical testing of hypotheses, thus qualifying as basic research, which Pavlik described as producing theory that can be applied to a variety of situations and thus has more generalizability than descriptive research.2

This thesis introduces a computer science approach to collecting, storing and analyzing empirical data. This kind of approach has not been used in public relations research and can therefore be considered a unique contribution to the field. The researcher believes that computer science can be successfully applied to research in government website security in general. This study, being an example of this application, may stimulate and improve research in other areas as well.
2 Sergei Golinsitski. Significance of the General Public for Public Relations: A Study of the Blogosphere's Impact on the October 2006 Edelman/Wal-Mart Crisis. (M.A. Diss., University of Iowa, 2007), 119.

Definition of Terms

The definition of terms presents the different technical terms used in the study and their operational definitions:

Attack is an attempt to bypass the security controls on a computer.

Authentication is the process of verifying that users are who they claim to be when logging onto a system.

Authorization is the process of determining whether an authenticated user is permitted to access a given resource, so that only authorized users gain access to sensitive information. An authorization process consults the appropriate security authority to decide whether a user should have access to resources.

Breach is the successful defeat of security controls that could result in a penetration of the system.

Bug is an error or defect in software or hardware that causes a program to malfunction.

Computer abuse is willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.

Computer fraud is a computer-related crime involving the deliberate misrepresentation or alteration of data in order to obtain something of value.

Corporate hacking is the illegal retrieval of critical information that will compromise an organization's competitiveness and subsistence in the global marketplace.

Countermeasure is any action, device, procedure or technique that reduces the vulnerability of a computer system.

Cracker refers to a person who attempts to gain unauthorized access to a computer system. Such persons are usually ill-intentioned and perform malicious acts of cybercrime.

Cybercrime is crime related to technology, computers, and the Internet.

Data Mining is the analysis of corporate data for relationships and correlations that have yet to be discovered. Such discoveries can identify significant marketing opportunities to target specific client segments.

Encryption is the transformation of data into a form that cannot be read without the corresponding key, used to protect information in storage and in transit across the Internet.

Firewalls are security devices used to restrict access in communication networks. They block traffic between networks by default and allow access only to services that have been explicitly permitted.

Hacker, in this study, is a person who breaks into computer systems for the purpose of stealing or destroying data.

Hacking is unauthorized use of, or an attempt to circumvent or bypass the security mechanisms of, an information system or network.

H-Factor is equivalent to human factor.

Information Systems is a term used to describe an integrated system that makes use of any number of varied information technologies.

Information Technologies (IT) has become an umbrella term used to describe a rapidly expanding group of equipment, services, applications, and basic technologies. For the purposes of this thesis, information technologies are any of the above.

Intrusion Detection Systems (IDS) are complex software applications that monitor network activity, using various techniques, for signs of attack or misuse.

ISO 17799 is an internationally recognized code of practice for information security management (renumbered ISO/IEC 27002 in 2007).

Logic bomb is a program routine that destroys data when certain conditions are met.

Operating System is the set of computer programs that are primarily or entirely concerned with controlling the computer and its associated hardware, rather than with processing work for users.

Organization, in this study, is a Philippine government entity.

Security Administrator is the individual (or individuals) responsible for all security aspects of a system on a day-to-day basis.

Security Breach is an event in which a stated organizational policy or legal requirement regarding security has been contravened.

Security Incident is an alert to the possibility that a breach of security may be taking, or may have taken, place.

Security Officer is the person in an organization who takes primary responsibility for the organization's security-related affairs.

Security Policies are the set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Social Engineering is a means by which information is extracted, usually verbally, by someone impersonating a legitimate holder or user of the information in question.

Source Code is the actual program as written by the programmer, which is compiled into machine code that the computer can execute.

Techno Crime is the term used by law enforcement agencies to denote criminal activity in which (computer) technology is not the tool used to commit the crime but the subject of the crime itself.

Virus is a computer program designed to make copies of itself by attaching to other programs or files; unlike a worm, it generally spreads only when a user runs or shares the infected item.

Warez are illegally copied software, and by extension collections of hacking tools distributed the same way.

Worm is an independent program that replicates from machine to machine across network connections, often clogging networks and information systems as it spreads.

Chapter 2

REVIEW OF RELATED LITERATURE AND STUDIES

This literature review includes writings, research, journals, and theses and dissertations concerning the confidentiality, security and vulnerability of government websites in the Philippines.

All of these provide the background needed to evaluate what causes vulnerability among government websites in the Philippines. The selected sources form a solid basis upon which to design a research study that further refines the factors causing vulnerability in government websites and their consequences for the state's information security and confidentiality.

The writings included in this review reflect the work of authors and researchers interested in describing, measuring and evaluating the state's issues with regard to the vulnerability of government websites and the resulting effect on the nation's security. Special emphasis is placed upon the effect of website vulnerabilities on the state's information security. Extra attention is given to those authors and researchers whose writings have gained wide acceptance.


2.1 Foreign Literature

2.1.1 Security Awareness in the 1990s: Feature Articles from the Security Awareness Bulletin, by Lynn F. Fischer. Presents 32 feature articles from the Security Awareness Bulletin, representing the work of many authors. Topics include: the emerging foreign intelligence threat (counterintelligence challenges; what is the threat?); espionage and espionage case studies; information systems security (security measures; the Boeing hacker incident; understanding the computer criminal); security policy and programs; industrial security (arms control inspections); and the threat to U.S. technology (export control violations; the foreign economic threat).3

3 Lynn F. Fischer. Security Awareness in the 1990s: Feature Articles from the Security Awareness Bulletin. Google Books. 17 Jul. 2011. <http://books.google.com.ph/books?id=MggfVVuu7q0C&pg=PP6&lpg=PP6&dq=Security+Awareness+in+the+1990s:+Feature+Articles+from+the+Security+Awareness+Bulletin+Lynn+F.+Fischer&source=bl&ots=af3MTHPgrl&sig=vXw2JEB63A_Bh_OfMJvjXQf0hnI&hl=tl&ei=CE58TrSJKY7PmAWWw_iAAQ&sa=X&oi=book_result&ct=result&resnum=1&ved=0CBgQ6AEwAA#v=onepage&q&f=false>

2.1.2 Two New Reports Assess Use of Government Websites, by Peggy Garvin (The Weekly News Digest). The Pew report, Government Online: The internet gives citizens new paths to government services and information, focuses on the demographics and use patterns of those who tap into government information at the local, state, or federal level. Among those who went online for government information at least once in the past year, government social media outlets and data were big draws. The second report measures satisfaction with federal government websites.4

2.2 Local Literature

2.2.1 Philippine Internet Review: 10 Years of Internet History (1994 - 2004), by Carlos Miguel Alvarez Paras and Daniel O. Escasa. A special publication that chronicles and explains the development of the Internet in the Philippines from its inception in 1994 to 2004. It highlights the Internet-related developments that transpired during that decade, including various first-mover and Internet-bubble facts. It also includes a section, High-Tech Crimes: Scams, Fraud, and Hacking in the Philippines, documenting various Internet scams, fraud, hacking incidents, stalking, and other crimes that victimized Filipinos.5

4 Peggy Garvin. Two New Reports Assess Use of Government Websites. Google Books. 17 Jul. 2011. <http://books.google.com.ph/books?id=41aWygUNzJIC&pg=PA81&dq=The+Pew+report,+Government+Online+Peggy+Garvin&hl=tl&ei=6lZ8TriNLsLrmAWp_bFu&sa=X&oi=book_result&ct=result&resnum=1&ved=0CCkQ6AEwAA#v=onepage&q&f=false>

5 Carlos Miguel Alvarez Paras, & Daniel O. Escasa. Philippine Internet Review: 10 Years of Internet History (1994 - 2004). Scribd. Ed. Janette Toral. 19 Jul 2011. <http://www.scribd.com/doc/11306151/Philippine-Internet-Review-10-Years-of-InternetHistory-19942004>

2.3 Foreign Studies

2.3.1 Impact of E-Government on Management and Use of Government Information in Kenya (Nerissa Kamar, Research Librarian, Egerton University).6 This paper looks at e-government as implemented in Kenya and at its efficiency and effectiveness in allowing effective use of government information. It further attempts to draw a comparison between Kenya and other countries in the region that have embraced e-government. It concludes that information infrastructure is the gateway to global access and use of government information by citizens and governments.

6 Nerissa Kamar. Impact of E-Government on Management and use of Government Information in Kenya. International Federation of Library Associations and Institutions. 23 Jul. 2011. <http://archive.ifla.org/IV/ifla73/papers/119Kamar_Ongondo-en.pdf>

2.3.2 Information Security: The Importance of the Human Element, by Rita Goh

SECURITY: A COMPELLING BUSINESS CASE

Security has become an important issue for companies since the advent of the Internet for e-business in the 1990s. While the Internet revolutionizes the way organizations conduct business, the risks it introduces can be fatal to a business. Any breach or compromise of networks, systems and sensitive information could negatively affect business operations, severely impact an organization's customers, and constitute a breach of laws and regulations, all of which can have devastating consequences for organizations at all levels and may threaten their continued existence. To appreciate and understand the importance of the role of security in organizations, it is essential to discuss three key elements: Business Uses of the Internet, Value of Information, and Business Risks. Together, these define an organization's need for secured networks and systems. Besides e-commerce, some of the reasons and benefits for using the Internet to gain a presence in the electronic marketplace include globalization, information access, sales and marketing, and effective communication.
Globalization. As companies move into the international marketplace, the Internet provides a global communications network that is vital to creating a global business presence. The Internet allows companies of any size to pursue customers on a worldwide basis. In the process, companies can unlock the vast business potential of the Internet: new markets, new customers, new revenue sources, and new business models.

Information access. Using the Internet, businesses can access information, including government databases, industry statistics, and competitor practices.

Effective communication. Effective communication of information is the lifeblood of businesses. Companies without rapid and easy access to their customers, suppliers and partners will not survive in today's highly competitive industries (Lipson & Fisher 1999).7 Using the Internet, businesses have access to an international electronic communications network that facilitates communications and interactions among customers, suppliers, and competitors in far-flung locations.

7 David A. Fisher & Howard F. Lipson. Emergent Algorithms - A New Method for Enhancing Survivability in Unbounded Systems. 1999. 25 Jul. 2011. <http://computer.org/proceedings/hicss/0001/00017/00017043abs.htm>

Value of Information

In the current knowledge-based economy, information is a more powerful and more valuable asset than ever before. Information is essential for daily business operations, since managers need it to make critical decisions, conduct research, plan activities, execute those plans, monitor progress, and report on results. It is only with this information that organizations can engage in daily business and commercial activities.

Organizations are also able to obtain competitive advantages through the effective use of information. For instance, data mining has enabled many companies to adapt their products where necessary to gain a competitive edge and to keep abreast of consumer needs, which can result in higher customer retention. Realistically, it has become nearly impossible for any organization to operate without the use of information.

An organization's information also includes proprietary data that is of immense value both to the company and to those bent on compromising it. Such items include future plans, product technical data, customer lists, personnel files, and financial records. This highly critical and sensitive data needs to be protected from disclosure to competitors.

In recent years, the availability, integrity and confidentiality of information are no longer just a business necessity for organizations; there are legal and regulatory requirements they must comply with. With the recent push towards more stringent privacy laws, securing corporate information is fast becoming mandatory for organizations in many countries.

European countries have strict privacy laws; companies can be held liable if they do not take steps to protect the privacy of their customers. The UK Data Protection Act 1998,8 in force since March 2000, for example, requires that organizations in possession of personal data abide by the principles of the Act (Glendalesystems.com Ltd. 2001). Any organization processing personal data must comply with the eight enforceable principles of good practice. Data must be:

1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate
5. not kept longer than necessary
6. processed in accordance with the data subject's rights
7. secure
8. not transferred to countries without adequate protection

8 UK Data Protection Act of 1998. UK National Archives. 1998. 26 Jul. 2011. <http://www.legislation.gov.uk/ukpga/1998/29/contents>

The United States has similar laws. The U.S. Privacy Act was passed in 1974 (U.S. Department of Justice 2002j) but covered only the public sector. Since then, numerous laws have been introduced, especially for businesses in high-risk sectors such as the banking and healthcare industries. Under the Health Insurance Portability and Accountability Act, organizations in the healthcare sector have to meet basic security requirements (Shehata 2002), which include:

- the ability to prevent, detect, contain and correct security breaches;
- policies for access control with context-, role- and user-based access rules;
- identification and authentication of system users; and
- an audit trail to record and track who accesses an organization's applications and data.
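The three kinds of access rules and the audit-trail requirement listed above (and the Authentication and Authorization entries in the Definition of Terms) are easier to see in code than in prose. The following is an added example written for this page, not code from the thesis or from any HIPAA guidance: a deny-by-default authorization check that applies role-based, user-based and context-based rules to each request and writes an audit entry for every decision, allowed or denied. The roles, users, patient records, the 10.0.0.0/8 "clinic network", the business-hours window and the sample requests are all constructed for illustration.

```python
# Added example: deny-by-default access control that combines role-, user- and
# context-based rules and writes an audit-trail entry for every decision.
# Roles, users, records, the 10.0.0.0/8 "clinic network" and the business-hours
# window are assumptions made for illustration; none of it comes from the thesis.
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role-based rule: actions each role may perform (constructed table).
ROLE_PERMISSIONS = {"physician": {"read", "write"}, "nurse": {"read"}}
# User-based rule: listed users may touch only their assigned records.
USER_RECORD_ALLOWLIST = {"nurse.alice": {"patient-1001", "patient-1002"}}
CLINIC_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


@dataclass
class Request:
    user: str
    role: str
    action: str
    record: str
    source_ip: str
    when: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def log(self, req: Request, decision: Decision) -> None:
        # Every attempt is recorded, allowed or denied, so the trail answers
        # who accessed what, when, from where, and why it was decided.
        self.entries.append({
            "ts": req.when.isoformat(), "user": req.user, "role": req.role,
            "action": req.action, "record": req.record, "source_ip": req.source_ip,
            "allowed": decision.allowed, "reason": decision.reason,
        })


def in_business_hours(when: datetime) -> bool:
    """Context-based rule: Monday to Friday, 07:00 to 19:00 (assumed policy)."""
    return when.weekday() < 5 and 7 <= when.hour < 19


def from_clinic_network(ip: str) -> bool:
    """Context-based rule: request must come from the assumed clinic range."""
    return ipaddress.ip_address(ip) in CLINIC_NETWORK


def authorize(req: Request, trail: AuditTrail) -> Decision:
    """Apply role-, user- and context-based rules in turn; deny by default."""
    assigned = USER_RECORD_ALLOWLIST.get(req.user)
    if req.role not in ROLE_PERMISSIONS:
        decision = Decision(False, "unknown role")
    elif req.action not in ROLE_PERMISSIONS[req.role]:
        decision = Decision(False, f"role {req.role} may not {req.action}")
    elif assigned is not None and req.record not in assigned:
        decision = Decision(False, "record outside user's assigned patients")
    elif not from_clinic_network(req.source_ip):
        decision = Decision(False, "access from outside clinic network")
    elif not in_business_hours(req.when):
        decision = Decision(False, "access outside business hours")
    else:
        decision = Decision(True, "all rules satisfied")
    trail.log(req, decision)  # logged whether allowed or denied
    return decision


def run_samples() -> list:
    """Evaluate constructed sample requests; return the audit-trail entries."""
    trail = AuditTrail()
    monday_10am = datetime(2011, 7, 25, 10, 0, tzinfo=timezone.utc)  # a Monday
    sunday_2am = datetime(2011, 7, 24, 2, 0, tzinfo=timezone.utc)    # a Sunday
    samples = [
        Request("dr.reyes", "physician", "write", "patient-1001", "10.1.2.3", monday_10am),
        Request("nurse.alice", "nurse", "read", "patient-1001", "10.1.2.4", monday_10am),
        Request("nurse.alice", "nurse", "read", "patient-2000", "10.1.2.4", monday_10am),
        Request("nurse.alice", "nurse", "write", "patient-1001", "10.1.2.4", monday_10am),
        Request("dr.reyes", "physician", "read", "patient-1001", "203.0.113.9", monday_10am),
        Request("dr.reyes", "physician", "read", "patient-1001", "10.1.2.3", sunday_2am),
        Request("mallory", "intern", "read", "patient-1001", "10.1.2.3", monday_10am),
    ]
    for req in samples:
        authorize(req, trail)
    return trail.entries


if __name__ == "__main__":
    for entry in run_samples():
        print(entry)
```

The point worth noticing is the order of checks and the final `else`: a request is allowed only when every rule passes, and a denial records which rule failed, so the audit trail supports both the "who accessed what" requirement and later review of why an access was refused. Authentication is assumed to have already happened upstream; this code trusts `req.user` and `req.role` and decides only authorization.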

Hence, organizations that fail to show due diligence in protecting their data assets face a real risk of legal implications.

Indeed, the importance of having secured networks and systems can no longer be ignored. The Internet has become indispensable for conducting business in government, commercial and academic organizations. The Internet allows organizations to access much needed information rapidly, have effective communications while reducing costs, collaborate with partnerships, provide enhanced customer service, and conduct e-commerce.


Ultimately, what is at stake is not simply business information, but the business itself. Without adequate security, an organization is open to a variety of risks, the consequences of which can be highly detrimental to the bottom line. The following are some statistics on, and reasons behind, the financial losses attributable to corporate hacking:

A recent study commissioned by PricewaterhouseCoopers9 suggests that security breaches cost the world economy an astounding US$1.6 trillion in the year 2000 (Knight 2000f).

Virus creators have a profound negative impact on the global economy.

Most computer crimes are not detected. The complex, anonymous nature of the attacks makes them difficult to trace. Hackers often use fake identities, either by using someone else's account or by masking their own identity (Shimeall 2001b). Michael Vatis, director of the FBI's National Infrastructure Protection Center, told a Senate subcommittee that tracing cyberattacks is like "tracking vapor" (Christensen 1999).

9 Anh Nguyen. PwC: Security breach costs triple in 2 years for UK firms. Network World. 29 Apr. 2010. 27 Jul. 2011. <http://www.networkworld.com/news/2010/042910-pwc-security-breach-coststriple.html?source=nww_rss>

Financial losses are difficult to ascertain. Financial losses such as lost contracts, jobs, markets and design rights are often difficult to calculate. Besides, information is not a physical asset, which makes the calculation of its monetary value rather difficult. It might, for example, have cost thousands of dollars to compile mailing lists, but once created and stolen, those lists may be worth millions to a competitor in ongoing sales.

Most computer crimes are not reported to the authorities. Most corporate victims do not report network security breaches to the authorities (Cimino 2000). A recent Federal Bureau of Investigation (FBI) survey10 found that of the ninety percent of U.S. businesses and government agencies that suffered hacker attacks, only a third reported the intrusions to law enforcement (Krebs 2002b; NUA 2002). The reluctance to report to the authorities may be due to the following reasons, the key ones being:

Fear of embarrassment. The negative publicity highlights a company's vulnerabilities. It would be detrimental, especially for banks and credit card companies, if their investors, shareholders, and customers came to know how insecure their computer systems are. Corporate victims would also find it rather embarrassing if the public found out that teenage hackers could read their secrets or transfer money from their accounts.

10 T. McCollum. Cyber Crime still on the rise (Update). AllBusiness. 2002. 28 Jul. 2011. <http://www.allbusiness.com/technology/computer-software-security/2033071.html>

Fear of lawsuits. It would be detrimental for companies if customers came to know that they had been victimized. The disclosure may open them up to potential lawsuits.

Hackers are difficult to prosecute. It is virtually impossible to take legal action against hackers, due mainly to the following factors:

Some hackers come from far-off locations where there are no statutes against computer crime. Compounding the difficulty of detection is the rerouting of hacking activities through various countries (Maria 1999a), which makes the prosecution process difficult.

Hackers can only be prosecuted if the exposed company can show that it was actively security conscious (Fonseca & Harreld 2001), which many companies have great difficulty proving because of the complexity of putting together a bulletproof case.

There are few laws on the books that set clearly applicable precedents for the right to legal relief in computer-related cases (Halbert 1994).

The price of prosecution does not come cheap. In the U.K., the threshold for pursuing attackers can cost more than US$73,000 (McAlearney 2001b). Furthermore, since hackers tend to work by themselves, the cost of a lawsuit may be much more than can reasonably be recovered from the defendant.

SOURCES OF SECURITY THREATS

Potential environmental risks can come in many different forms, both externally and within organizations. Generally, sources of security threats can be broken up into two categories: natural disasters and human threats (Howard 1997 and Benson 2000a).

Natural Disasters

Natural disasters such as earthquakes, hurricanes, floods, lightning and fire can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt essential services. Other threats such as riots, wars and terrorist attacks could be included here; although they are threats caused by people, they have been classified as disasters (Benson 2000a). However, in comparison with human threats, the unexpected and occasional natural disasters pose few security threats to organizations. It has been well documented that the greatest threat to computer systems and their information comes from humans, through actions that are either malicious or ignorant (Benson 2000a).

Human Threats

Human threats are threats perpetrated by individuals or groups of individuals that attempt to penetrate systems through computer networks, public switched telephone networks or other sources. These attacks generally target known security vulnerabilities of systems, and many of these vulnerabilities are simply due to configuration errors (Bassham & Polk 1994). The major sources of human security threats can take the form of internal and external corporate hacking for information or hacking for malice.

2.4 Local Studies

2.4.1 E-governance at the Local Government Level in the Philippines: An Assessment of City Government Websites (Author: Sheila V. Siar), Philippine Institute for Development Studies, 2005¹¹

The study focused on the extent to which local governments in the Philippines have implemented e-governance using websites as their medium. It examined the resources and services that city governments provide to citizens and other groups in society through their websites. The focus of this research is the content of the websites, with cities as the representative local government units.

2.5 Synthesis and Relevance of the Reviewed Literature and Studies

This literature is helpful in the initial stages of understanding the issues affecting the vulnerability of Philippine government websites. However, in the case of the information security of e-government sites in the Philippines, the primary focus of this literature is comparing the security aspect of information sharing on local e-government websites with that of foreign e-government sites. Several studies regarding information security have been conducted in the last 5 years. The development of the internet in the Philippines contributes greatly to modern hacking crimes against government websites. Incidents of e-government hacking were not only experienced in the Philippines, but also in other countries. Results have been linked to security threats worldwide.

¹¹ Sheila V. Siar. E-governance at the Local Government Level in the Philippines: An Assessment of City Government Websites. FindArticles.com. 2005. 30 Jul. 2011. <http://findarticles.com/p/articles/mi_qa5519/is_200501/ai_n21364514/>


Chapter 3 RESEARCH METHODOLOGY

This chapter provides an overview of the strategy which was used to conduct this research and derive the data necessary to answer the research question posed in chapter one. In the sections that follow, research approaches in information security, the methodology, the research design and stages of the empirical work will be explained.

METHOD OF RESEARCH

This study is a descriptive type of research which described, recorded, analyzed and interpreted the profile of Information Technology and Computer Science experts in the government according to their personal and work-related factors, as well as what the respondents feel should be done about the different issues concerning Philippine government websites. Likewise, it attempted to discover the most problematic issue that Philippine government websites are facing. A questionnaire was used to gather the needed information or data. The survey was broken into three parts: demographic information, general descriptive information and specific issue information. In the first part of the survey, each respondent was asked their years of security experience and job title. In the second part of the survey, respondents were asked to identify the kinds of security measures that organizations make use of, and their perceived role and level of security in organizations. In addition, their opinions were sought on how organizations can improve their security effectiveness. In the third part of the survey, each respondent was asked to rank how problematic an issue was with regard to achieving security effectiveness in organizations.

POPULATION AND SAMPLE SIZE

The study was conducted among selected Information Technology researchers and practitioners in the National Capital Region (NCR). The study made use of non-probability (purposive) sampling techniques. This type of non-probability sampling is done by selecting the respondents from different divisions of the population. Respondents included Information Technology and Computer Science researchers and practitioners of selected National Government Agencies. Ninety-seven IT experts in the different government agencies were asked to answer the questionnaire, which consisted of different categories.

RESEARCH INSTRUMENT


In this research, the prime instrument used was a questionnaire. A questionnaire is more appropriate since there is a large number of respondents. The questionnaire was used to gather the needed information or data. The survey was broken into three parts: demographic information, general descriptive information and specific issue information. In the first part of the survey, each respondent was asked their years of security experience and job title. In the second part of the survey, respondents were asked to identify the kinds of security measures that organizations make use of, and their perceived role and level of security in organizations. In addition, their opinions were sought on how organizations can improve their security effectiveness. In the third part of the survey, each respondent was asked to rank how problematic an issue was with regard to achieving security effectiveness in organizations.

DATA GATHERING PROCEDURE

To gather accurate and reliable data, the researchers used a systematic procedure. First, the researchers prepared 97 copies of the questionnaire to be used to gather data. The researchers conducted their survey at the selected agencies in the NCR. The purpose of the study was attached to the questionnaire distributed. After making sure that the respondents understood the purpose of the questionnaire, the researchers proceeded to distribute it to the security professionals and obtain the needed information. After finishing the survey in the chosen agencies, the results were tallied and tabulated. When the tabulation per agency was accomplished, the results were combined to obtain the collective evaluation of the most problematic issues that government websites are facing. After observing the collective assessment of the results, the researchers analyzed and interpreted the gathered data and came up with an appropriate recommendation.

STATISTICAL TREATMENT OF DATA

The data obtained from the respondents were tabulated systematically in order to obtain accurate information related to each element of the target population. The statistical treatment of data used to determine the percentage of respondents identifying the most problematic issue was the percentage formula, as shown below:

$$P = \frac{F}{N} \times 100$$

where: P = Percentage, F = Frequency, N = Number of Respondents.

Chapter 4 PRESENTATION, ANALYSIS AND INTERPRETATION OF DATA

The previous chapter explained how the web survey was conducted. This chapter summarizes the results of the survey. As discussed in Chapter 3, this survey was used to complement the findings and analysis of the interviews compiled into the IS Issues Database. The main objective of the survey was to understand security professionals' views and opinions on issues affecting security in organizations.

Analysis of data is provided for each part of this study, and is organized around the survey questions presented and advanced methodologically in chapter three.

[Figure: survey areas covered in this chapter: Security Measures in Place; Perceived Role of Security; Top 2 Potential Threats; Security Role Responsibility; Security Rating; Improving Security Effectiveness; External Environmental Risks; Existing Solutions Issues; External Human Threats; Organizational Issues; Security Management Issues; Personnel Issues]

4.1 Respondents' Security Experience

Table 4.1 shows the breakdown of expertise levels of respondents. The small number of respondents with more than 15 years of security experience (6, or 6.1%) is expected considering that the security industry is relatively young. The largest group of respondents is those with 3-6 years of experience: 36 of the total respondents, or 37.1%. This is not surprising considering the phenomenal growth of the security industry in the past 5 years.

TABLE 4.1 RESPONDENTS' SECURITY EXPERIENCE

EXPERTISE LEVELS        NUMBER OF RESPONDENTS   PERCENTAGE
More than 15 years               6                  6.1
11-15 years                     22                 22.7
7-10 years                      18                 18.6
3-6 years                       36                 37.1
Less than 3 years                5                  5.2
Not sure                        10                 10.3
TOTAL                           97                100

4.2 Security Measures in Place

The first of the background questions dealt with the kinds of security measures organizations have in place (see Table 4.2). This information is very useful in determining the risk perceptions of organizations. All the respondents (100%) indicated the installation of anti-virus software in the workplace, with 84.5 percent indicating the adoption of firewalls and 64.9 percent indicating the use of encryption. Only 10 percent of respondents indicated the provision of security awareness training, with 12 percent of respondents indicating the adoption of people management in the organization.


TABLE 4.2 SECURITY MEASURES IN PLACE

EXISTING SECURITY MEASURES        NUMBER OF RESPONSES   PERCENTAGE
Anti-virus software                        97              100
Authentication                             38               39.2
Authorization                              48               49.5
Encryption                                 63               64.9
Firewalls                                  82               84.5
People Management                          12               12.4
Security Awareness Training                10               10.3

Remaining measures (Hacker Insurance, Implementation of Security Policies, Incorporating security culture, Outsourcing, Password Management): 38, 3, 38 and 21 responses (39.2, 3.1, 39.2 and 21.6 percent), as listed in the original table.

The results show that external breaches are of greater concern to organizations than those perpetrated internally, as anti-virus software, firewalls and encryption are measures designed primarily to ward off outside attacks.


4.3 Perceived Role of Security

Respondents were asked what they perceived to be the role of security in organizations (see Table 4.3), in order to understand security professionals' opinions about the importance of information security in organizations. 35.1 percent of those surveyed indicated that organizations viewed the role of security as a "nice to have" rather than a "need to have".

Although organizations recognize that the security of information is a key business issue in the modern e-business world, as indicated by 26.8 percent of the respondents, they may not be aware of the legal implications of insecurity, as only 7.2 percent of the respondents indicated that organizations viewed security as a legal requirement. Negative publicity as a result of insecurity is also not a major concern for organizations, as indicated by 5.1 percent of the respondents.

TABLE 4.3 PERCEIVED ROLE OF SECURITY

PERCEIVED ROLE OF SECURITY                                         NUMBER   PERCENTAGE
Avoiding bad press or reputation damage due to security breaches      5        5.1
Avoiding legal liability issues concerning security breaches          7        7.2
Meeting International Security Standards                              4        4.1
Nice to have rather than need to have                                34       35.1
Protecting customers' information                                    26       26.8
Securing networks and systems                                        21       21.6
Total                                                                97      100


4.4 Top 2 Potential Threats

This survey question asked the respondents to list what they perceived to be the two most critical potential threats impacting security in organizations. A content analysis of the responses to this question showed hackers (69.1%) and poor implementation of security policies (48.5%) to be the two greatest potential threats. Table 4.4 shows a complete breakdown of the respondents' answers to this question.


TABLE 4.4 TOP TWO POTENTIAL SECURITY THREATS

POTENTIAL THREATS                              NUMBER OF RESPONSES   PERCENTAGE
Current Employees                                       21               21.6
Denials of Attacks                                      30               30.9
Former Employees                                        38               39.1
Hackers                                                 67               69.1
Lack of Employee Awareness                              19               19.6
Outsourced Service Providers                            17               17.5
Poor Implementation of Security Policies                47               48.5
Systems Administrators                                  10               10.3
Vendor Products with Weak Security Controls             28               28.9


4.5 Security Role Responsibility

This survey question asked the respondents who they perceived to be responsible for security in organizations. 45.4 percent of respondents indicated that the Head, IT Department (or its equivalent) is responsible for computer security in organizations. Only 5.2 percent of the respondents indicated that organizations have a formal security administrator or security officer job appointment. 10.3 percent of the respondents indicated that organizations do not assign this responsibility at all.

TABLE 4.5 SECURITY ROLE RESPONSIBILITY

SECURITY RESPONSIBILITY                     NUMBER OF RESPONSES   PERCENTAGE
Computer Operations Manager                          6                6.2
Designated staff from other departments             17               17.5
Head, IT Department or equivalent                   44               45.4
MIS Manager or equivalent                           15               15.5
None                                                10               10.3
Security Administrator                               5                5.2
Total                                               97              100

4.6 Security Rating

In this question, respondents were required to rate the effectiveness of security in organizations on a scale of 0-10, 0 being least effective and 10 being highly effective. For ease of reference, the scaled data has been collapsed into three groups: ineffective (0-3), somewhat effective (4-6), and highly effective (7-10). Table 4.6 shows the results of respondents' perceptions of security effectiveness in organizations.

TABLE 4.6 SECURITY RATING

EFFECTIVENESS          NUMBER OF RESPONSES   PERCENTAGE
Ineffective                     61               62.9
Somewhat Effective              24               24.7
Highly Effective                12               12.4
Total                           97              100

A high percentage (62.9%) of the respondents rated security in organizations as ineffective, 24.7% perceived security in organizations as somewhat effective, and only 12.4% of the respondents rated organizational security as highly effective. This clearly shows that there is a critical need for organizations to improve their level of security.


4.7 Improving Security Effectiveness

Respondents were also asked for their opinions on how organizations might improve their security effectiveness. A content analysis was performed on the 97 responses that were received. Appendix 4 provides a complete listing of the responses to this survey question. For ease of reference, responses were broadly categorized into three areas: technical, non-technical (general) and holistic. A breakdown of these areas and the responses is found in Table 4.7.

Technical Areas

Technical areas comprise mainly security technologies and software such as anti-virus software, encryption and firewalls. Other technical areas deemed important by respondents, as being capable of providing significant improvements to the level of security in their organizations, were SSL, PKI, biometrics and intrusion detection systems. It is interesting to note that the majority of respondents (82.5 percent) who rated technical security improvement areas were security practitioners.


General Areas

General areas cover a wide range, from areas such as law enforcement to non-technical areas such as security awareness training and education for employees. General areas of security controls deemed significant by respondents were more stringent laws and greater cooperation between the authorities and the business community. Internal security measures include security awareness and training, password management, application access control, physical access control and program change control.

Holistic Areas

Holistic areas encompass security solutions embracing both the technical and human dimensions of security. It is interesting to note that only five respondents indicated the adoption of a holistic approach to improving security effectiveness in organizations.

TABLE 4.7 IMPROVING SECURITY EFFECTIVENESS

IMPROVEMENT AREAS   NUMBER OF RESPONSES   PERCENTAGE
Technical                    80               82.5
General                      12               12.4
Holistic                      5                5.1


4.8 ANALYSIS OF PRIMARY DATA

The six questions of this portion of the research focus on determining the most problematic issues facing organizations with regard to achieving security effectiveness. For each of the three questions, respondents were asked to rate each issue given on a scale of 0-10, with 0 being not at all problematic and 10 being extremely problematic. For ease of reference, the scale responses have been collapsed into three categories, where Not Problematic represents scores 0-3, Somewhat Problematic represents scores 4-6, and Highly Problematic represents scores 7-10.
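The treatment described above (collapsing each 0-10 rating into the three bands and applying the percentage formula P = F/N × 100 from Chapter 3) is shown below as an added worked example; it is not code from the thesis. The function names (band_of, tabulate, format_row) and the sample ratings are assumptions: the ratings are constructed so that one issue reproduces the Budgeting row of Table 4.11, while the individual scores themselves are invented.

```python
from collections import Counter

# Rating bands used in the thesis: a 0-10 scale collapsed into three groups.
BANDS = (
    ("Not Problematic (0-3)", 0, 3),
    ("Somewhat Problematic (4-6)", 4, 6),
    ("Highly Problematic (7-10)", 7, 10),
)


def band_of(rating):
    """Map one 0-10 rating to its band label; reject anything outside the scale."""
    if not isinstance(rating, int) or not 0 <= rating <= 10:
        raise ValueError(f"rating {rating!r} is outside the 0-10 scale")
    for label, low, high in BANDS:
        if low <= rating <= high:
            return label
    raise AssertionError("unreachable: the bands cover every score from 0 to 10")


def percentage(frequency, respondents):
    """The thesis formula P = F / N x 100, rounded to one decimal as in the tables."""
    return round(frequency / respondents * 100, 1)


def tabulate(ratings):
    """Return {band: (frequency, percentage)} for one issue's list of ratings.

    Every rating is validated through band_of(), so a malformed response
    (e.g. 11, or a non-integer) stops the tabulation instead of silently
    landing in the wrong band.
    """
    counts = Counter(band_of(r) for r in ratings)
    n = len(ratings)
    return {label: (counts[label], percentage(counts[label], n)) for label, _, _ in BANDS}


def format_row(issue, ratings):
    """Render one row in the 'percent (n respondents)' style of Tables 4.8-4.13."""
    cells = [f"{pct}% ({freq} respondents)" for freq, pct in tabulate(ratings).values()]
    return f"{issue:<22}" + "  ".join(f"{c:<26}" for c in cells)


# Constructed sample (hypothetical scores): 97 ratings per issue. "Budgeting" is
# shaped to reproduce its row in Table 4.11 (8 respondents in 4-6, 89 in 7-10).
SAMPLE_RATINGS = {
    "Budgeting": [5] * 8 + [9] * 89,
    "Adequate Staffing": [2] * 3 + [5] * 47 + [8] * 47,
}

if __name__ == "__main__":
    for issue, ratings in SAMPLE_RATINGS.items():
        print(format_row(issue, ratings))
```

Percentages are rounded only at presentation time, which is why a row's three percentages may not sum to exactly 100 even though its three frequencies always sum to N.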

4.8.1 Impacting External Environmental Risks

Respondents were asked to rate 6 issues with regard to external environmental risks. Of all the issues, rapidly changing technology was perceived by the largest number of respondents (87.6%) as being highly problematic. Two other issues in this category also received a substantial response as being highly problematic: inherent internet flaws, with a 74.2% response rate, and availability of effective solutions, with 67%. All of the 6 issues were perceived as being highly problematic, with the exception of media misrepresentation, which 53.6% of the respondents viewed as not problematic with regard to external environmental risks. Table 4.8 provides a complete listing of the 6 issues and their response rates.

TABLE 4.8 EXTERNAL ENVIRONMENTAL RISKS
(cells give the percentage of respondents, with the number of respondents in parentheses)

ISSUE                                NOT PROBLEMATIC (0-3)   SOMEWHAT PROBLEMATIC (4-6)   HIGHLY PROBLEMATIC (7-10)
Availability of Effective Solutions         0%                       32% (31)                    67% (65)
Ever Changing Security Threats              1% (1)                   35.1 (34)                   63.9 (62)
Ineffective Laws                            4.1 (4)                  48.5 (47)                   47.4 (46)
Inherent Internet Flaws                     0%                       25.8 (25)                   74.2 (72)
Media Misrepresentations                    53.6 (52)                32% (31)                    14.4 (14)
Rapidly Changing Technology                 3.1 (3)                  9.3 (9)                     87.6 (85)

4.8.2 Existing Solutions Issues

In Table 4.9, seven existing technical solutions issues are listed with their corresponding response rates. All of the issues in this category were viewed as at least highly problematic. 52.6 percent of the respondents did not view the difficulty of implementation as a problem for organizations. The highest rating went to the issue of security expertise, with 87.6 percent of the respondents placing it in the highly problematic range.

TABLE 4.9 EXISTING SOLUTIONS ISSUES
(cells give the percentage of respondents, with the number of respondents in parentheses)

ISSUE                                                  NOT PROBLEMATIC (0-3)   SOMEWHAT PROBLEMATIC (4-6)   HIGHLY PROBLEMATIC (7-10)
High Acquisition Cost                                         3.1 (3)                  32% (31)                    64.9 (63)
Difficult to Implement                                        0%                       52.6 (51)                   46.4 (46)
Inherent Flaws and Weaknesses in Security Technologies        2.1 (2)                  21.6 (21)                   76.3 (74)
Bug in Security Software                                      0%                       26.8 (26)                   73.2 (71)
Requires Security Expertise                                   0%                       12.4 (12)                   87.6 (85)
Lack of Holistic Planning Model                               4.1 (4)                  34% (33)                    61.9 (60)
Lack of Holistic Security Management Model                    0%                       46.4 (45)                   53.6 (52)

4.8.3 External Human Threats

Respondents were asked to rate 6 external perpetrators whom they regard as posing the greatest threat to organizations. Of all the perpetrators, virus creators were perceived by the largest number of respondents (75.3 percent) as being highly problematic. Two other perpetrators in this category also received a substantial response as being highly problematic: software pirates, with a 62.9% response rate, and social engineers, with 56.7%. All of the 6 external perpetrators were perceived as being at least highly problematic, with the exception of phreakers, which 51.5 percent of the respondents viewed as posing little threat to organizations.


TABLE 4.10 EXTERNAL HUMAN THREATS
(cells give the percentage of respondents, with the number of respondents in parentheses)

ISSUE                    NOT PROBLEMATIC (0-3)   SOMEWHAT PROBLEMATIC (4-6)   HIGHLY PROBLEMATIC (7-10)
External Consultants            1% (1)                   53.6 (52)                   45.4 (44)
Phreakers                       0%                       51.5 (50)                   48.5 (47)
Script Kiddies                  1% (1)                   54.6 (53)                   44.3 (43)
Social Engineers                11.3 (11)                32% (31)                    56.7 (55)
Software Pirates                1% (1)                   36.1 (35)                   62.9 (61)
Virus Creators                  0%                       24.7 (24)                   75.3 (73)

4.8.4 Organizational Inhibitors

Respondents were asked to rate 11 organizational issues which can impact security. Budgeting was perceived by 89 of the respondents (91.8%) as the most problematic. All other issues in this category also received a substantial response as being highly problematic.


TABLE 4.11 ORGANIZATIONAL INHIBITORS
(cells give the percentage of respondents, with the number of respondents in parentheses)

ISSUE                                NOT PROBLEMATIC (0-3)   SOMEWHAT PROBLEMATIC (4-6)   HIGHLY PROBLEMATIC (7-10)
Adequate Staffing                           3.1 (3)                  48.5 (47)                   48.5 (47)
Budgeting                                   0%                       8.2 (8)                     91.8 (89)
Communication                               4.1 (4)                  38.1 (37)                   57.7 (56)
Interdepartmental Coordination              0%                       19.6 (19)                   80.4 (78)
Leadership                                  6.2 (6)                  30.9 (30)                   62.9 (61)
Organizational Culture                      28.9 (28)                47.4 (46)                   23.7 (23)
Organizational Directives                   0%                       28.9 (28)                   71.3 (69)
Organizational IT Expertise                 0%                       22.7 (22)                   77.3 (75)
Organizational Security Expertise           0%                       21.6 (21)                   78.4 (76)
Organizational Support                      3% (3)                   50.5 (49)                   46.4 (45)
Resistance to Change                        0%                       13.4 (13)                   86.6 (84)

4.8.5 Security Management Issues

In Table 4.12, seven security management issues are listed with their corresponding response rates. All of the issues in this category were viewed as at least highly problematic. The highest rating went to the issues of lack of security awareness training and failure to upgrade systems, with 89.7 percent of the respondents placing each in the highly problematic range. Other issues in this category also received a substantial response as being highly problematic: no formal security plan, with an 86.6 percent response rate, and lack of security corporate culture, with 80.4 percent.


TABLE 4.12 SECURITY MANAGEMENT ISSUES
(cells give the percentage of respondents, with the number of respondents in parentheses)

ISSUE                                  NOT PROBLEMATIC (0-3)   SOMEWHAT PROBLEMATIC (4-6)   HIGHLY PROBLEMATIC (7-10)
Failure to Upgrade Systems                    0%                       10.3 (10)                   89.7 (87)
Lack of Security Awareness Training           1% (1)                   9.3 (9)                     89.7 (87)
Lack of Security Corporate Culture            0%                       19.6 (19)                   80.4 (78)
Lack of Security Policy                       0%                       11.3 (11)                   88.7 (86)
No Formal Security Plan                       0%                       13.4 (13)                   86.6 (84)
Reliance On Outsourcers                       3.1 (3)                  36.1 (35)                   60.8 (59)
Role Ambiguity                                4.1 (4)                  44.3 (43)                   51.6 (50)

4.8.6 Personnel Issues

Respondents were asked to rate 6 barriers which employees face with regard to security in their organizations. Lack of management support was perceived by the largest number of respondents (89.7%) as the most problematic limiter. Two other inhibiting factors cited by respondents as being highly problematic were lack of security awareness training, with an 80.4% response rate, and individual IT expertise, with 78.4%.


TABLE 4.13 PERSONNEL ISSUES
(cells give the percentage of respondents, with the number of respondents in parentheses)

ISSUE                                  NOT PROBLEMATIC (0-3)   SOMEWHAT PROBLEMATIC (4-6)   HIGHLY PROBLEMATIC (7-10)
High Workloads                                40.2 (39)                33% (32)                    26.8 (26)
Individual IT Expertise                       0%                       21.6 (21)                   78.4 (76)
Lack of Funds                                 2.1 (2)                  37.1 (36)                   60.8 (59)
Lack of Management Support                    0%                       10.3 (10)                   89.7 (90)
Lack of Rewards and Recognition               15.5 (15)                36.1 (35)                   48.4 (47)
Lack of Security Awareness Training           0%                       19.6 (19)                   80.4 (78)
Poor Communication                            2.1 (2)                  37.1 (36)                   60.8 (59)
Role Ambiguity                                3.1 (3)                  41.2 (40)                   55.7 (54)
Uncertain Policies and Priorities             0%                       29.9 (29)                   70.1 (68)

4.9 SUMMARY

This chapter is devoted to the findings of the web survey. The perceptions of the respondents with regard to a variety of issues surrounding security in organizations were displayed and analyzed.

The purpose of the survey is to uncover the most problematic people issues with regard to security in organizations from the perspective of security professionals. The researchers accept the sample bias that respondents are technically oriented individuals. However, as professionals in the security industry, and as researchers and consultants to organizations in both the public and private sectors, the respondents' opinions helped in the general analysis of the human-related security issues and provide a more complete picture of real-life security situations in organizations.


Chapter 5 SUMMARY, CONCLUSIONS AND RECOMMENDATIONS

This chapter will provide some conclusions on the most problematic people issues with regard to security in the Philippine government. In addition, this chapter will provide recommendations for a holistic view of security management.

Information security is not just about technology. Website security is about the whole country. The consequences of ignoring the importance of security can be catastrophic for the Philippines. It can lead to compromised networks and systems resulting in lost secured information, increased clean-up costs, negative publicity, and losses to third parties.

More importantly, security is about people. Governments that ignore or forget the human elements when seeking solutions may adopt incomplete solutions. Considering the role that people play in creating and defending against security problems in the government, the significance of the human factors and their impacts must not be ignored.


The main problem of this study is to determine the most problematic issues met by the different Philippine Government Websites and its effects on the. Specifically, it attempts to answer the following questions:

1. What are the security measures and their role in the Philippine Government regarding website security?

2. What are the challenges met by the Philippine Government Websites?
   a. External Environmental Risk Issues?
   b. Existing Technological Solutions Issues?
   c. External Human Threats Issues?
   d. Organizational Issues?
   e. Security Management Issues?
   f. Personnel Issues?

3. What is the most problematic issue that the government is facing, and how can it address that?


Summary of Findings

Analysis of the findings from the survey presented in Chapter 4 revealed the following security weaknesses of organizations, viewed by respondents as highly problematic; the key issues include:

- View security as of little importance
- Requires security expertise
- Failure to upgrade systems
- Lack of security awareness training
- Rapidly changing technology
- Virus creators
- Lack of management support
- Budget constraints

Each issue is examined individually with regard to its fundamental aspects, in order to better ascertain the singular impact each one has on the most problematic people issues affecting security in organizations.

Views of Security

The information created, processed and used by any organization is one of its most valuable assets. Compromising this asset could severely impact the customers of Philippine Government Websites, constitute a breach of laws and regulations, and negatively affect the organization. Hence, the consequences of insecurity can be highly detrimental for any organization. Yet, survey results show that the business leadership in organizations still holds a lackadaisical view towards security and its consequences. When asked to choose from a list what they perceived to be the role of security in organizations, 35.1 percent of respondents indicated that organizations viewed the role of security as a "nice to have" rather than a "need to have".

Furthermore, organizations may be unaware of the legal implications of insecurity as only 7.2 percent of respondents indicated that avoiding legal and regulatory liability issues concerning security breaches was a major concern for government organizations.

Requires Security Expertise

When it comes to defending itself from cyber-attacks, the Philippine government is one of the most vulnerable in the world, since many civilian and military operations are essentially dependent on data networking. We have seen recently what could happen if a foreign government or an extremely organized group of knowledgeable individuals targets the Philippine infrastructure.

In the existing solutions issues, the highest rating went to the issue of security expertise, with 87.6 percent of the respondents placing it in the highly problematic range. The cyber manpower crisis in the Philippines stands in sharp contrast to the situation in China, where the training of computer experts is a top national priority. In the most recent round of the International Collegiate Programming Contest, co-sponsored by IBM and the Association for Computing Machinery, Chinese universities took four of the top 10 places. No Philippine university made the list.

Lack of Security Awareness Training

The lack of security awareness training was rated as the most problematic issue with regard to security management in organizations. Without proper security awareness training, administrators may not be aware of security risks and how these risks may be overcome within their day-to-day job functions.

Survey results clearly illustrate how government leaders and those responsible for security in their organizations may be misinformed or unaware of where their real vulnerabilities lie. The most common protection methods used by organizations, as indicated by 100 percent of the respondents, are anti-virus software, with 84.5 percent indicating firewalls. These measures are designed specifically to ward off outside attacks. Documented evidence has shown that a company is at greater risk of being the victim of an internal security breach than of an external attack. In reality, disgruntled or former employees, or contract workers, are the most likely to commit an attack or cause a security breach. Yet, survey results show that these internal security threats are receiving very little attention from senior managers and security administrators.

Lack of Management Support

Lack of management support was viewed by 89.7% of the respondents as the most problematic of the issues that personnel faced. Effective security requires the active support of government leadership. Research studies conducted over the years have shown that the higher the level of management support for security, the lower the number of security incidents. The lack of management support can be a great deterrent to security administrators carrying out their job responsibilities properly and effectively. Lack of management support may be due to senior government heads' naive understanding of the importance of security and of the consequences of insecurity for their organizations.

Budget Constraints

Budget constraint is viewed by 91.8 percent of respondents as the most crucial factor inhibiting organizations from protecting their networks and systems. Traditionally, the decision-making role of the Secretaries or heads of the different government agencies is predominantly to determine how much direct funding and other resources to grant to the organization's security administrators. However, with organizational views of security as a "nice to have" rather than a "need to have", and without management support, it is highly unlikely that the budget given to security will be given top priority. Government agencies have been reluctant to spend money on security because it is extremely difficult to prove that security serves the bottom line. For many government agencies, security has been viewed as overhead.

With budget constraints, pressures on security administrators with respect to cost savings may lead to difficulties in designing effective security. This would leave organizations critically exposed.

Failure to Upgrade Systems

Failure to upgrade systems is viewed by 89.7 percent of the respondents as one of the most problematic factors among management issues. With the budget constraints that the Philippine government is facing, action to upgrade the facilities and systems for website protection is given little importance. With the continuous advancement of technology, various perpetrators develop and use different techniques and measures to penetrate the systems behind government websites. The systems that our government IT experts use for website protection are far behind the advanced systems used by our neighboring countries, especially China.

Rapidly Changing Technology

Nowadays, information technology involves more than just computer literacy; it also requires an understanding of how computers work and how they can further be used not just for information processing but also for communications and problem-solving tasks. Though the development of technology may have made our lives easier and more convenient, it has also brought along privacy and security issues. From e-mail to website hacking, people are now worried about their once private information becoming public knowledge. Of all the issues under External Environmental Risk Issues, rapidly changing technology was perceived by the largest number of respondents (87.6%) as being highly problematic. With the rapid development of technology comes the innovation of hacking applications used against websites, particularly government sites. Confidential files of a company can be destroyed, stolen and hacked by hackers. New attacks and vulnerabilities are being reported on an almost daily basis. In these circumstances, application developers cannot take security for granted.

Virus Creators

A computer does not catch the same types of viruses that we humans do, and humans do not catch the same types of viruses that computers do. Computer viruses are man-made by virus creators. Virus creators are smart people who write malicious software, among which are viruses. A virus can cause a lot of harm to your computer. Viruses can also sometimes wipe out any information or software that is installed on your computer. Of all the perpetrators, virus creators were singled out by the largest number of respondents (75.3 percent). Many viruses are developed for and used by criminals to con people out of money and to steal personal information from their victims. Virus creators also create viruses that are capable of determining the passwords to your accounts and your credit card and bank account numbers. If a virus creator has made a successful virus that has infected a government computer, this gives them the opportunity to raid your bank account and purchase items with your credit card, because your private information is no longer private. Virus creators are also able to download large files by using your internet connection without government officials having any idea. Many virus creators do this as a way to search for illegal content. Lastly, many virus creators create viruses that will send you a large amount of spam email and other bizarre messages. These types of viruses just bombard your email with messages from people you don't know that have enticing and potentially lucrative subject lines, in the hope that you will open the email and click on a link that will install a virus on your computer, giving the virus creator access to your personal information.

CONCLUSIONS


The primary focus of this study was to determine what people issues security professionals perceived as being the most problematic with regard to security in organizations.

What are the most problematic people issues faced by the organizations with regard to security?

HUMANISTIC NATURE OF SECURITY PROBLEMS

Human-related security issues are extremely problematic and complex in organizations. They involve all the individuals who make up the organization, from top-level government heads to clerical staff. Effective security in organizations entails the commitment and involvement of government leaders and staff in making security a top priority. Furthermore, the government leadership must recognize that any approach to security management which hopes to be ultimately successful must take into account not just the technical dimensions but, more significantly, the human dimensions of security.

RECOMMENDATIONS


The Government Leadership

The answer to effective Government Website security in organizations lies with leadership. To improve their organization's security odds, leaders and heads of government instrumentalities have to change the way they think about security. It requires a fundamental change in the values, beliefs, and assumptions about security and how it should be managed. They must truly believe that their organization's future is dependent on effective security. When leaders understand the importance of security, it becomes a priority for everyone in the organization.

The most important aspect of successful security management in any organization is the involvement of government heads and officials. Key components of an effective security program include the nurturing and incorporation of a security corporate culture, the proper planning and implementation of security policies, and the provision of security training and education, all of which require the active participation and support of senior management. Hence, it is only with senior management's total commitment, involvement and support in all aspects of security and its management that effective security can be achieved in organizations.

Unqualified Personnel

An organization that wants to avoid hiring unqualified individuals who are security risks must take the utmost care with how it chooses organizational members. Such employees will be given access to the organization's Information Systems. Poor pre-employment screening methods can lead to the employment of a person with unsuitable or even possibly fictitious credentials. To avoid hiring unqualified individuals who can pose potential security risks, careful screening of potential employees is vital. The primary aim is to ensure that only qualified people with certified information security skills manage network systems. The following are some of the precautionary measures organizations can take:

Prior to hiring staff, verification checks should be carried out. These should include a minimum of two references and verification of the major aspects of the candidate's curriculum vitae, for example by checking the candidate's academic qualifications.

Appropriate checks should also be carried out on contract and temporary staff. Employment agencies that provide staff to organizations may have similar checks in place, but it is advisable to verify them.

Untrained/Careless Workers

Untrained and careless workers have often been the major causes of security breaches in government websites and organizations. Hence, an adequate budget must be set aside to provide training and education in all aspects of security, so that personnel awareness of Information Security risks is developed to the point that it almost becomes second nature. Staff awareness of Information Security issues can fade unless it is continually reinforced. Such lack of attention may lead to lax attitudes towards security, resulting in the exposure of critical and sensitive information to outsiders. Hence, regular training and ongoing security awareness initiatives must be conducted.

Deploy defense-in-depth

Defense-in-depth describes the concept of protecting a computer network with a series of defense mechanisms organized in such a way that, if one of them fails, another one is available to take its place. This recommendation focuses on a practical defense-in-depth deployment that uses existing technologies and explores how they can be tied together to form a comprehensive and effective enterprise network security architecture.

Use a strict information security policy

An information security policy (ISP) lays the foundation for an organization's stance on information security. The ISP is designed to formally document an organization's information processing roles, responsibilities, and procedures. Some of the main items an ISP should include are procedures to add users to the network, procedures to handle compromised computers, procedures for backing up data, and computer use and abuse policies. The procedures to add users to the network include items such as validation of user employment, determining which data the user needs access to and what type of access the user needs, initial user training, and user remote access requirements.

Firewalls

A firewall helps keep hackers from using the computer to send out personal information without the owner's permission. While anti-virus software scans incoming email and files, a firewall is like a guard, watching for outside attempts to access the system and blocking communications to and from sources you don't permit. The firewall helps screen the information that comes into the system by blocking unauthorized access, depending also on its configuration. To be properly protected, the firewall should be set up according to the system's security needs. Take note that if not properly configured, the computer's firewall can be the hacker's door into the system.

Have the website tested by ethical hackers

Seek the services of ethical hackers to perform penetration tests on the website. This way, the government will know the vulnerabilities of the site and can find solutions to them early on.

Make sure all the inputs to the website have been checked and validated

Cross-site scripting is one weakness of websites that can be used by hackers by inserting scripts into the webpage, which may lead to their gaining access to confidential information and the like. To protect the website and its information and ward off hackers using this technique, there is a need to check and validate inputs to the website. If online visitors are allowed to input data on the website, each entry should be validated and checked against what inputs are allowed.
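The check described above, as an added example that is not part of the thesis or of any government site's code: a form handler that validates each field against an allow-list of permitted input and then HTML-encodes everything before it is rendered, since validation decides what is stored and encoding decides how it is displayed. The field names, patterns, the feedback form and the sample submissions are all assumptions constructed for the example.

```python
"""Allow-list input validation plus output encoding for a web form.

Added example, not code from the thesis. The field names, patterns and
the feedback form are hypothetical; they illustrate the recommendation
that every input a visitor may submit is checked against what is allowed.
"""
import html
import re

# Allow-list rules: each field names the exact shape of acceptable input.
# Anything else is rejected before it reaches the database or the page.
FIELD_RULES = {
    "name": re.compile(r"^[A-Za-z][A-Za-z .'-]{0,79}$"),
    "email": re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"),
    "agency_code": re.compile(r"^[A-Z]{2,6}-\d{3}$"),
}
MESSAGE_MAX_LEN = 1000


class ValidationError(ValueError):
    """Raised when a submitted field does not match its allow-list rule."""


def validate_submission(form):
    """Return a cleaned copy of `form`; raise ValidationError on bad input.

    Constrained fields must match their pattern exactly. The free-text
    message cannot be pattern-restricted, so it is length-limited here and
    must be HTML-encoded at output time (see render_message).
    """
    cleaned = {}
    for field, rule in FIELD_RULES.items():
        value = form.get(field, "")
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise ValidationError(f"field {field!r} is not in the allowed format")
        cleaned[field] = value
    message = form.get("message", "")
    if not isinstance(message, str) or not 1 <= len(message) <= MESSAGE_MAX_LEN:
        raise ValidationError("message is missing or too long")
    # Reject control characters that have no place in a text message.
    if any(ord(ch) < 32 and ch not in "\n\r\t" for ch in message):
        raise ValidationError("message contains control characters")
    cleaned["message"] = message
    return cleaned


def render_message(cleaned):
    """Build the HTML shown back to the visitor.

    Validation restricts what is stored; encoding controls how it is
    rendered. html.escape with quote=True neutralises <, >, &, " and ' so
    a message containing markup is displayed as text, not interpreted.
    """
    return (
        "<p>Thank you, {name} ({email}). Your message to {agency}:</p>"
        "<blockquote>{msg}</blockquote>"
    ).format(
        name=html.escape(cleaned["name"], quote=True),
        email=html.escape(cleaned["email"], quote=True),
        agency=html.escape(cleaned["agency_code"], quote=True),
        msg=html.escape(cleaned["message"], quote=True),
    )


def handle_feedback(form):
    """Full request path: validate, then render. Returns (status, body)."""
    try:
        cleaned = validate_submission(form)
    except ValidationError as exc:
        # The rejection message is escaped too: error pages are output as well.
        return 400, f"<p>Rejected: {html.escape(str(exc), quote=True)}</p>"
    return 200, render_message(cleaned)


if __name__ == "__main__":
    # Constructed sample submissions (not real data).
    good = {"name": "Juan dela Cruz", "email": "juan@example.com",
            "agency_code": "DOST-001", "message": "Where do I renew my permit?"}
    markup_in_name = dict(good, name="<script>alert(1)</script>")
    markup_in_message = dict(good, message="Test <b>bold</b> & <script>x</script>")
    for form in (good, markup_in_name, markup_in_message):
        status, body = handle_feedback(form)
        print(status, body)
```

The constrained fields reject markup outright, while the free-text field shows why encoding is still required even after validation.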

Virus Creators

Virus creators are criminals, and those who use viruses to gain access to your personal information are also criminals. In most countries, it is illegal to create a virus, but many people get away with it; however, if they are discovered, they often face criminal charges, especially those who have used the virus to con people out of money. It is important to keep government computers and other personal information safe; therefore, agencies should safeguard their information and take some extra steps to keep the government's information confidential. Any computer within the different government agencies, and any computer used for work, should have anti-virus software installed on it. Anti-virus software is used to detect viruses and potential viruses. There are many anti-virus applications on the market today, so finding one to fit all the needs shouldn't be a problem. Another precaution to keep government websites safe from virus creators is to only open email messages from trusted sources. If a message sounds too good to be true, it probably is, so don't open it; delete it immediately.

FUTURE RESEARCH DIRECTIONS

Suggestions for further research

1. Corporate hackers themselves are worthy of separate study. The profiles of corporate hackers described in this work were derived predominantly from the study of literature taken from the Internet. A future study could contrast the various types of corporate hackers in order to identify similarities and distinctions between them.

2. Very little is known about the behavior of actual attackers. Research into the behavior of hackers could significantly increase our understanding of the motivations behind security attacks and incidents.

3. Future research on the contrasting impact of corporate hacking between organizations of different sizes, different industries, and the public and private sectors is recommended.

4. This research has shown that Government Heads play a pivotal role with regard to security in their organizations. For example, in most cases, Government Heads' lack of commitment to information security affects the level of security in their organizations. Therefore, new research could analyze the characteristics of Government Heads who are effective at security in more detail, with the aim of validating or modifying the human issues security framework developed in this research.

5. The people issues must be studied individually and in greater detail within the context of security management in order for organizations to formulate strategies for tackling the human issues.

6. The research model used in this study has proven to be extremely helpful in determining the primary humanistic issues which are problematic to security in organizations. In addition, it has allowed for the creation and future use of a security issues database which may serve as background material for subsequent research in this area. However, further refinement or redesign of this model in future research might allow for additional important insights regarding issues affecting security in organizations.

7. Research on developing a human security management model and a holistic security management model is recommended.

8. The complexity of the human nature of security seems to require detailed explanation. Alternative research methodological techniques need to be utilized in order to learn more about the people issues affecting security in organizations. Action research and case study approaches are recommended.


APPENDIX 1


QUESTIONNAIRE (COVER LETTER)


July 23, 2011

Dear Respondents,

We are senior students from the Polytechnic University of the Philippines (Sta. Mesa, Manila Campus) and we would like to invite you to participate in our undergraduate thesis.

General Information on the Project: The project is to identify the most problematic issues with regard to security in Philippine Government Websites and to examine the best possible ways in which these issues could be addressed. The primary objective of this project is to create greater awareness amongst organizations of the importance of a holistic approach when seeking security solutions. All information will be archived and used in our undergraduate thesis on the inhibiting factors affecting security in organizations. The information collected and used in the undergraduate thesis will be kept strictly confidential, and you will remain completely anonymous throughout data processing. The final report will be made available to you once all analyses are completed. However, this line will be kept open for as long as you wish to discuss website security issues. Participation is voluntary. If at any time you wish to discontinue your participation in this study, please contact us. Thank you very much for your consideration. If you have any questions or comments, feel free to contact us. Hopefully we can work together to make the Philippine Government Websites a good place to surf and to do safer transactions.

Best regards,
The Researchers

Noted: Prof. Ernest Vera Cruz, DPA
Thesis Adviser

Name (Optional): _________________________________________________

Part I: Profile

1. What is the name of the faculty from which you are responding?

2. What is your job title?

3. Number of total years of experience in the security field? More than 15 years / 11-15 years / 7-10 years / 6 years / Less than 3 years / Not sure

Please add any additional comments, explanations, or issues below. Please contact Lawrence Santos or email santoschristianlawrence@yahoo.com to ask questions or discuss topics related to this survey/study.

Part II: Government Security Measures

1. What kinds of security measures does the Government of the Philippines make use of? (Please check all that apply, and feel free to add any additional security measures not listed.) Anti-virus software / Authentication / Authorization / Encryption / Firewalls / Hacker Insurance / Implementation of Security Policies / Incorporating Security Culture / Outsourcing / Password Management / People Management / Security Awareness Training / Other:

2. What do you perceive as the role of security in organizations? Avoiding bad press or reputation damage due to security breaches / Avoiding legal and regulatory liability issues concerning security breaches / Meeting international security standards (e.g. ISO 17799) / Nice to have rather than need to have / Protecting government information / Securing networks and systems / Other:

3. Please list two of the greatest threats to security in Philippine government websites.

4. Who do you perceive as being responsible for security in Philippine government websites?

5. Please list the 3 issues that you feel are inhibiting security effectiveness in Philippine government websites: (1) , (2) , (3)

6. Overall, how would you rate the effectiveness of security in Government Websites? (0 being ineffective, 10 extremely effective)

7. How can the Philippine Government improve their security effectiveness in their websites?

Part III: Issues

For the following seven sections please rate, on a scale of 0-10, how problematic the issues listed are with regard to security in organizations (0 being not at all problematic, 10 being extremely problematic). Please feel free to add and rate additional issues for each section.

(1) External Environmental Risks Issues (rate each 0-10): Availability of Effective Solutions / Ineffective Laws / Inherent Internet Flaws and Weaknesses / Media Misrepresentations / Rapidly changing security technology / Ever changing security threats / Other:

(2) Existing Technological Solutions Issues (rate each 0-10): Bugs in Security Software / Difficult to Implement / High Acquisition Cost / Inherent Flaws in Security Technologies / Lack of Holistic Planning Model / Lack of Holistic Security Management Model / Requires Security Expertise / Other:

(3) External Human Threats Issues (rate each 0-10): Competitors / Script Kiddies / Social Engineers / Software Pirates / Phreakers / Virus Creators / Other:

(4) Organizational Issues (rate each 0-10): Adequate Staffing / Budgeting / Communication / Interdepartmental Coordination / Leadership / Organizational Culture / Organizational Directives / Organizational IT Expertise / Organizational Security Expertise / Organizational Support / Resistance to change / Other:

(5) Security Management Issues (rate each 0-10): Failure to Upgrade Systems / Lack of security awareness training / Lack of Security Corporate Culture / Lack of Security Policy / No formal Security Plan / Reliance on Outsourcers / Role Ambiguity / Other:

(6) Personnel Issues (rate each 0-10): Individual IT Expertise / Poor Communication / Lack of Funds / Lack of Management Support / Lack of Training / Role Ambiguity / Lack of Rewards and Recognition / High workloads / Uncertain policies and priorities / Other:

Thank you for taking the time to answer the questions in the survey.

APPENDIX 2

ISSUES DATABASE

EXTERNAL THREATS ISSUES

ENVIRONMENTAL RISKS ISSUES

Third Party - Visitors, consultants, suppliers, vendors

Politics - Political crisis protests through hack attacks; Terrorism through cyber attacks; Hacktivism; Organizations ending up as innocent victims of cyber war attacks

Legal - No standardization of international cybercrime laws; High legal costs; Difficulty in prosecuting hackers due to the complex nature of hacking; Ineffective laws

Economic - Hyper competition breeds rivalry amongst companies; Hyper competition creates a frantic need to gain competitive edge through illegal means; Mergers, acquisitions, strategic partnerships and alliances; Decreased security spending in times of economic slowdown; High dependency on the Internet for daily business activities; Increased Internet connectivity due to globalization; Enhanced value of information due to a knowledge-based economy

Media - Widespread coverage of external security breaches; Focus reporting mainly on large corporate victims of hackers

New Technologies - New technologies such as wireless devices introduce new unknown security issues

Earthquakes, hurricanes, floods, lightning and fire can cause severe damage to computer systems

EXISTING SOLUTIONS ISSUES

Ineffective - Lack of commercial holistic security planning model; Lack of commercial holistic security management model; Rapidly changing security technologies - always need the latest technologies; Newly developed security technologies introduce new security problems; Intrusion detection systems not equipped to cope with newly created sophisticated hack attacks and viruses; Flaws and weaknesses in security technologies; Bugs in security software; Outsourcing can generate savings in resources but carries a high risk of breach of confidentiality; Failure to address people problems

Internet - Built and developed without security in mind; Facilitates free sharing of hacking-related information; Lacks regulations; Phenomenal growth in the number of users worldwide has been accompanied by a corresponding increase in hackers; Phenomenal growth in the number of e-commerce companies has been accompanied by a corresponding increase in credit card transactions

EXTERNAL THREATS

HUMAN ISSUE - DESCRIPTION

Network Hackers - Target banks and financial institutions for financial gain

Script Kiddies - Target Internet Service Providers (ISPs), preventing legitimate users from using their services

Software Pirates - The illegal copying and distribution of copyrighted software by software pirates affects businesses in the software publishing, movie and music industries

Phreakers - Free phone calls made by phreakers through the use of technology have caused huge financial losses for telephone companies

Virus Creators - Viruses are rampant, causing an organization's files along with vital information to be deleted, making information inaccessible to employees and customers

Hacktivists - Target government and commercial websites in protest of their violating human and animal rights

Social Engineers - Highly sensitive and confidential organizational information has been stolen by social engineers, simply by tricking employees into revealing network passwords

External Consultants - Many companies have become vulnerable to theft of valuable information and trade secrets by relying on external consultants for their security needs

INTERNAL SECURITY THREATS

ORGANIZATIONAL ISSUES

ISSUE - DESCRIPTION

Interdepartmental Coordination - Non-cooperation between the security, IT, and human resources departments; or worse still, inter-departmental feuds

Support - Lack of support from directors / shareholders

Directives - Lack of tactical, strategic and operational security goals and objectives; Security role ambiguity

IT Expertise - Lack of competent IT personnel

Security Expertise - Lack of competent security personnel; Using unqualified people to maintain security and providing neither the training nor the time to make it possible to do the job properly

Budgeting - Lack of financial resources; High acquisition costs of security technologies; High implementation costs of security technologies

Culture - Lack of security corporate culture; Authoritative leadership

Directives - Competitive advantage

Communications - Top-down communication; Failure to communicate the importance of security; Poorly informed security guards and/or IT personnel

Training - Lack of IT training; Non-provision of security awareness training and training for all employees

SECURITY MANAGEMENT ISSUES

ISSUE - DESCRIPTION

Outsourcing - Over-reliance on consultants, contract workers, or external security companies

Recruitment - The false belief that close questioning during interviews can detect signs of untruths; Failure to screen potential employees thoroughly; A false confidence in the effectiveness of reference checking as a sufficient safety check on the job applicant's background; The need to fill vacancies is allowed to supersede thorough background checks; Overlooking a required background verification because of heavy workload; A once-only background verification or security check with no further continuous monitoring of employees' activities and behaviors; Over-reliance on outsourcing to headhunters and recruitment agencies to supply safe recruits

Security Policy - Failure to establish and institute a security policy; Outdated security policies; Poor implementation of security policies

Role Responsibility - Security is the sole responsibility of the IT / Security department; Role ambiguity; No appointment of a security task force

Security Plan - Lack of a strategic / formal security plan

Internal Security Systems - Failure to upgrade; Seek mainly technical solutions; Outdated

Training - Lack of technical training; Lack of security awareness training

SENIOR MANAGERS ISSUES

Issue: Individual Security Expertise
Description: Lack of security knowledge; naive about the real dangers of corporate hacking to their organizations, about their tolerance of security practices, and about the reasons for them; unaware of the benefits of having a security corporate culture; unaware of the legal implications of insecurity; failure to come to grips with the fact that security is a people problem.

Issue: Individual Support
Description: Not directly involved in the management of security; lack of commitment; failure to provide adequate financial and human resources and to empower those tasked with enterprise-wide security; lack of senior management involvement.

Issue: Beliefs
Description: Information is of little value; security impedes productivity.

Issue: Interdepartmental Coordination
Description: Non-cooperation from fellow colleagues; lack of team spirit.

Issue: Inadequate Staffing / Motivation
Description: High workloads; lack of rewards and recognition; inadequate pay and benefits.

HUMAN ISSUES

THREATS

Issue: Disgruntled Employees
Description: Disgruntled employees hack into their companies' systems and networks to seek revenge for perceived wrongs, causing information and financial losses.

Issue: Temporary Consultants
Description: Highly sensitive and confidential information has been stolen by temporary consultants to be sold to a rival company or to be used to form another company.

Issue: Planted Workers
Description: Planted workers have stolen critical information and caused disruption of business operations for rival companies.

Issue: Malicious Workers
Description: Malicious workers are those who hack into their organizations either for money or to seek revenge.

Issue: Careless Employees
Description: The majority of errors made by careless workers are the result of poor training.

Issue: Ignorant Employees
Description: Ignorant workers, such as those who unknowingly give away passwords to social engineers, are the result of poor security awareness training.

Issue: Negligent Workers
Description: In a similar vein, negligent workers, such as those who lose notebooks and handheld computers containing valuable company information, are the result of poor security awareness training.

Issue: Teleworkers
Description: Working from home, telecommuters tend to adopt a lax attitude towards security, increasingly putting their companies at great risk.


APPENDIX 3 Description of Issues

Adequate Staffing

In one sense, this issue is tied to general personnel issues in that it requires the recruitment and training of individuals for security and support staff positions within the organization. More specifically, it deals with the need for enough of these types of employees to make security planning, implementation and management feasible and effective. Adequate staffing is a quantity and quality issue. Adequate staffing issues relate to the number of qualified staff, employee/individual IT and security expertise, recruitment, budgeting, leadership and training.

Budgeting Issues

IT and security technologies are expensive at a number of levels. This issue refers to the myriad of problems facing security administrators with regard to budgeting and its impact on security. Budget concerns for security require definition and measurement of operating costs, investment costs, training costs and the possible/achieved benefits of security. This issue includes organizational support, leadership, management support, training, rapidly changing technology, ever-changing security threats, existing systems, security planning and management.

Communication Issues

Communication issues refer to the ability of those responsible for security to interact, communicate, disseminate and share information with regard to security. Communication is important in all phases of security, but is especially crucial in planning, policy implementation, security role responsibility, organizational goals and objectives of security, and motivation, in ensuring that there are shared meanings as to the importance of security. Without effective communication, organizational members may lack a sense of purpose and be disoriented with respect to the organizational security goals and objectives needed to achieve security effectiveness. Hence, to achieve effective security, its implications need to be conveyed to organization staff so that all can appreciate how it will affect their work in the future. Communication issues are related to leadership, organizational and management support, senior managers' issues, and personnel issues.


Economic Issues

Due to the global economic slowdown and intense international and domestic competition, companies are now resizing, downsizing, restructuring, reorganizing, reengineering or merging in their attempts to become more efficient, cut expenses, or in some cases simply make more short-term profits. All of these measures can force organizations to cut or freeze security spending, which has a profound impact on achieving effective security. The lack of funding and attention on security can place them in greater danger of failing to protect the integrity, availability and confidentiality of their data and communications. Economic issues include senior managers' issues, organizational and management support and budgeting.

External Consultants

This issue has become particularly important to organizations that often do not have adequate and expert staff to address security issues within their organizations. Outside consultants are typically hired to act as advisors on various issues as well as to provide the security hardware and software for the organization. In terms of security, an important factor to consider in the use of external consultants is what the role of that consultant will be. In other words, will the individual or firm in question be asked to act as an advisor or as a complete security service provider? The use of external consultants must be reviewed in the context of the whole organization's directives as well as the planning of security and its implementation. The external consultant issue is related to individual/organizational expertise, organizational directives, security planning, security implementation, and existing systems.

External Environment Risks Issues

External environmental risks issues are externally led macro-level issues that can have an impact on security in organizations either directly or indirectly. Changes in the political climate, ineffective laws, misrepresented media reports, and the unavailability of effective solutions are some of the issues related to external environmental risks.

Existing Security Solutions

Existing security solutions issues are primarily those related to the effectiveness of the technical security systems that are available, such as security technologies and software, and their impact. Currently, there are no foolproof solutions that organizations can adopt, and those that are available have been known to be ineffective. Compounding the woes of ineffective security solutions are the lax attitudes of organizations towards security, which make them easy prey to hackers. Existing security solutions issues are related to senior managers' issues, budgeting, training,

Individual IT Security Expertise

The issue of individual IT security expertise speaks to the technological savvy of each person within the organization. It is typical for an organization to employ individuals with a very diverse range of IT security competence. It is also typical that some of these individuals will have a willingness and desire to learn more about technology and how to use specific IT, while others will be quite resistant to adapting to new technologies. This issue is related to training, resistance to change, organizational support, and leadership.

Individual Support

This issue refers to the support of individuals within the organization, whether in favor of security or against it. People at all levels of the organization have an impact on security: the more support available throughout the ranks, the more effective the implementation of security policies will be. Individuals can hinder progress at a number of junctures in the implementation process. It is therefore essential to recognize the importance of this issue at the outset. The individual support issue includes resistance to change, training, leadership, and organizational support.


Interdepartmental Coordination

This issue relates to the degree to which an organization is able to coordinate its implementation of security policies across departments. Personnel from the IT department usually assume primary job responsibility for security. With little senior management involvement, this highly centralized arrangement often leads to security administrators having difficulty coordinating formalized security planning and implementation, among other problems, across departments. Interdepartmental coordination is related to organizational structure, planning, standardization, budgeting, and internal leadership.

Internal Security Systems

The security systems already in place within an organization may have a profound impact on security. Typically, these systems require the regular replacement of old hardware and the upgrading of software and features. More often than not, an organization has a significant investment in hardware and software but provides little or no training. One of the major causes of security breaches is that security systems are outdated or that users make all kinds of mistakes and configuration errors. In these cases the stakes are very high with regard to security. The issue of internal security systems is related to training, resistance to change, rapidly changing technologies, and interdepartmental coordination.

Lack of a Strategic/Formal Security Plan

This issue has become one of the more problematic with regard to security management and implementation. Pressure for quick solutions to very complex security problems has only served to work against formal security planning in organizations. Strategic security planning is viewed by many as the foundation of effective security. The successful implementation of security measures in an organization depends heavily on the strategic analysis of the organization's security needs and objectives. Organizations which do not make use of formalized planning with regard to security may find themselves without direction in a rapidly changing, unsecured environment. The lack of a strategic/formal plan is related to organizational directives, organizational support, internal leadership, interdepartmental coordination, and planning models.


Lack of Holistic Planning and Security Management Models

This issue speaks to the availability and use of integrated planning and security management models with elements of both the technical and human dimensions. There have been many debates on the ability of technical planning and security management models to enhance the success of security implementations. What is available are the many technical security models, which address the issues of how to manage networks and systems. Currently, no holistic planning and security management models are available that address organizations' specific human needs and issues on how to plan for and manage the proliferation of human-related threats affecting them. Lack of a planning model relates to strategic planning, existing solutions, ever-changing security threats and rapidly changing technology.

Leadership Issues

Leadership issues reflect those areas that require the interaction, commitment, involvement and direction of the organization's board of directors and top management. This issue area reflects the premise that organizational change occurs from the executive level down, necessitating the involvement of top management in all areas of security. One of the problems with security and the workplace is that not everyone is ready or willing to become part of a security-conscious organization. In many situations, leadership from the top can help to enhance effective security by example. Internal leadership issues include training, individual expertise, organizational support, personnel issues, and resistance to change.

Legal and Regulatory Issues

This issue refers to any state or federal mandates which affect organizations with regard to information technology and its planning, procurement, and implementation. In addition, it may also refer to any written procedures, specific or internal to organizations, for meeting international standards such as ISO 17799.


Management Support

This issue refers to the support of top management within the organization, whether in favor of security or against it. However, people at all levels of the organization have an impact on security: the more support available throughout the ranks, the more effective security will be. Individuals can hinder progress at a number of junctures in the security policy implementation process. It is therefore essential to recognize the importance of this issue with regard to security policy implementation at the outset. This issue includes resistance to change, training, leadership, and support.

Organizational Culture

This issue is intangible and particularly hard to explain because the culture of an organization is mainly a perception. However, for security to be effective the right kind of culture or environment is required. In most cases this means an organization must consistently find common ground between individuals and security objectives within the organization. Organizational culture issues include: organizational support, leadership, organizational directives, and organizational IT and security expertise.

Organizational Directives

This issue refers to the missions, objectives, and plans which a particular organization may possess with regard to security. Directives serve as guidelines for the future security plans and actions of the organization. These directives must be strategic and well defined in order to facilitate effective security throughout the organization. Organizational directives relate to security role responsibility, leadership, security planning, organizational support, organizational IT security expertise, budgeting, and rapidly changing security technologies.

Organizational IS Expertise

This issue refers to the overall security savvy of the organization. In addition, it could also refer to how supportive in its nature the organization may be. That is, whether or not an organization has focused financial and human resources on enhancing organizational members' security expertise to stay ahead of newly created and sophisticated security threats. Organizational IS expertise is related to organizational support, organizational culture, individual IS expertise, individual support, existing systems, and rapidly changing technology.

Organizational IT Expertise

This issue refers to the overall technological savvy of the organization. In addition, it could also refer to how progressive in its nature the organization may be. That is, whether or not this is an institution that has focused resources on enhancing organizational members' IT ability to stay on the cutting edge of technological developments. Organizational IT expertise is related to organizational support, organizational culture, individual IT expertise, individual support, existing systems, and rapidly changing technology.

Organizational Security Culture

Like organizational culture, this issue is particularly hard to define because of its intangibility. However, for security to be effective the right kind of culture or environment is required. In most cases this means an organization must nurture and incorporate a security-oriented culture. Organizational security culture issues include: organizational support, leadership, organizational directives, and organizational security expertise.

Organizational Support

Successful and effective implementation of security measures relies heavily on the support of every single member of the organization. This issue refers to an organization's predilection toward supporting the strategic security vision, planning and implementation at all levels, from shareholders and investors to employees, which in turn will allow it to achieve security effectiveness. The organizational support issue includes: budgeting, organizational directives, organizational culture, management and individual support.


Personnel Issues

Personnel issues are the limiting factors or obstacles that employees face which prevent them from achieving security effectiveness within their organizations. These include lack of management support, lack of communication and lack of training.

Politics

Changes in the global political climate can have an impact on security in organizations. Government officials and business leaders must recognize and address the external political ramifications affecting security in their organizations. Security activities in general are political by nature (i.e. privacy, security, confidentiality, data availability, and data integrity). This issue includes personnel issues, interdepartmental coordination, organizational culture, and external consultants.

Rapidly Changing Security Technology

This issue refers to the difficulties of managing security due to the rapidly changing nature of security technologies. Information security technologies are developed and enhanced so swiftly that an organization may find its planned-for acquisitions are obsolete before the ink on the purchase orders is dry. The changing nature of security technology in general is a primary cause of a multitude of security management conflicts, from development to implementation. Rapidly changing security technology issues are related to budgeting, management support, internal security systems, training, and individual and organizational security expertise.

Resistance to Change

This issue is generally seen as a human resources issue. Part of resistance is couched in fear: fear of security, fear of being displaced by security policies and fear of the unfamiliar. Many individuals (especially those in support staff positions) have a pervasive fear that the implementation of security policies may impede their job functions. Even more predominant in today's organization is the fear of change. Individuals are often put off by the extra work and effort required in learning new software or a whole new security system. These issues are significantly impacted by the human conditions related to interactions, personal feelings, and perceptions. Resistance to change includes training, individual expertise, security culture, existing systems, and individual and organizational leadership.

Security Management Issues

Issues characterized as security management relate specifically to administrators and their role in the functional operations of security in organizations, such as budgeting, personnel management, network and systems management and the implementation of security policies. In essence, these are any issues which require specific attention or directives from an administrator with regard to security. It does not matter how well designed or how sophisticated an organization's information system is if the organization does not have the right personnel to manage both its security and its people. Managing people is one of the most important issue areas and in many cases one that is chronically ignored. Security management issues include resistance to change, leadership, organizational IS expertise, training, recruitment, and retention of competent security personnel.

Senior Managers Issues

In general, senior management issues provide a window for viewing a variety of senior management behaviors and concepts towards security and its management. Those characterized as senior management issues speak to senior managers' attitudes, beliefs and perceptions towards security, such as: security risks, adoption of security measures, security knowledge, security threats and security management. For example: What are top management's beliefs about security threats? Are they different from what the threats really are? What impact does this have on the security countermeasures adopted? These are just a few of the kinds of questions that are spoken of within the context of senior management issues.


Training

This issue is of particular importance regardless of the kind of security measure currently being adopted within an organization. As careless employees pose one of the greatest threats to security in organizations, it has become crucial to make sure that adequate training is provided for all employees. Lack of training can act as a powerful restraint on effective security and overall organizational success. Training issues include: resistance to change, rapidly changing security technology, ever-changing security threats, retaining quality employees, decision-making and individual/organizational IT and IS expertise.


APPENDIX 4

TECHNICAL

1. Invest in network intrusion detection systems and host-based security systems, as well as virus and worm protection
2. Anti-virus software and firewalls must be updated regularly.
3. Encryption is the most effective way to achieve data security
4. Keep your sensitive data offline, on non-networked machines that aren't dial-up-accessible.
5. Encryption. Without the decryption key, getting at content is virtually impossible.
6. A holistic approach combining intrusion detection and a vulnerability scanner.
7. Identification, authentication and authorization
8. The solution is to design secure networks and to secure the computers that are being compromised to launch the distributed attacks from.
9. Encryption and authentication processes are the way to go.
10. The implementation of PKI solutions will undoubtedly help to improve security
11. Keep up with security bugs
12. Perform simulation attacks on networks and systems.
13. Matching fingerprints and facial features in a database
14. Packet filtering is very, very important, and should be done on all critical systems.
15. Absolutely no services that aren't vital to running the system should be run. There should be no exceptions.
16. Use PKI software
17. Regular network & system monitoring and alerting
18. The system should be secured using as many of the latest technological techniques and software tools as possible.
19. Improve the security of your site by breaking into it.
20. Fingerprint-identification
21. Use of software specially designed for an e-commerce environment
22. Increased use of encryption technology
23. Regular third party audits and upgrading of security software
24. Biometrics
25. Encryption, firewalls and intrusion detection systems
26. Lock up data with latest security technologies and software
27. Encryption and Biometrics
28. Penetration testing
29. Invest in Internet filtering and monitoring technology
30. Password management
31. Four basic components to improved security: anti-virus, anti-hackers, authentication and access control
32. Access control
33. Authorization
34. Vulnerability testing
35. Data encryption
36. VPN
37. Wireless security
38. Adopting security technologies that help automate key processes while enhancing overall management and control
39. Web content filters
40. Encrypt data that need to be kept secret.
41. Installation of virus protection software is a must
42. Establish a policy that all mobile computers must use the desktop firewall and a VPN
43. PKI authentication
44. Security could be most improved by regular system testing
45. Anti-virus program and good password management practices
46. The best weapon to improve security is a firewall which will hide and disguise an organization's presence on the Internet.
47. Encryption and firewalls
48. Smart cards and access control
49. PKI/Digital Certificates
50. Digital certificates and virtual private networking

GENERAL

1. Security auditing and monitoring should be done on a regular and ongoing basis.
2. Better utilization of outside expertise.
3. Security auditing
4. Small companies should demand that developers and suppliers of security products do more to develop, market and package security products which address their needs at an affordable price.
5. Enterprise security management
6. Monitoring and audits by third party
7. Regular security audits by external specialists
8. Organizations should place greater emphasis on security as a core competency rather than an added expense.
9. To be fully effective, information security must be treated as fully equal to all other business issues.
10. View information needs to business value
11. Small companies need to demand better security from their vendors, whether they are their ISPs, hardware, or software providers.
12. As long as organizations are connected to the Internet, there's no such thing as security. It's called control access. If you control the access, everything should be fine. However, if you lose control of the access, that's when there are problems.

HOLISTIC

1. Developing security programs that integrate people, process and technology while optimizing resources to improve productivity
2. Information security requires a whole-hearted organizational commitment of resources (financial, human and technological) to an enterprise-wide program designed to evolve and adapt to new dangers.
3. Pay attention to all aspects of security: personnel security, physical security and home security.
4. Attend to the issues of training, staffing, budgeting as well as bulking up with the latest proven technologies
5. Security should be designed to make best use of the facilities provided by technology, but must also cover the people and the processes.
