Phishing Attack Simulation and Training Design To Improve Cybersecurity Awareness


Phishing Attack Simulation and Training Design to Improve Cybersecurity Awareness

A Thesis Paper
Presented to the Faculty of the Department of Information Systems, College of Computer Studies, MSU - Iligan Institute of Technology
In Partial Fulfillment of the Requirements for the Degree Bachelor of Science in Information Systems

Gatela, Trizzia Mae C.
Silorio, Marie P.
Ramber, Khalid D.

May 2022
ABSTRACT

Being aware of cybersecurity processes and understanding how to maintain security is essential no matter what position a person holds in an organization. Institutions and organizations of all kinds see cybersecurity as a critical component of long-term viability. Although many individuals are aware of cybersecurity, their actions and sense of urgency do not reflect a high level of knowledge. Security awareness is defined as both the knowledge and the action taken by an employee to secure an organization’s information assets. Employees who are cybersecurity savvy are aware of cyber risks, of the possible consequences of a cyber assault on the organization, and of the measures necessary to decrease risk and prevent cybercrime from invading their online workplace. According to Philippine authorities, phishing was the most prevalent cybercrime committed in the Philippines during the COVID-19 pandemic. Phishing is an email-based attack in which the attackers claim to be a person or a firm with whom the victim has business. As a result, organizations opt to implement internal retraining programs to deal with the increasing number of phishing attempts. The objective of this paper is to utilize phishing attack simulations to assess the cybersecurity awareness of employees at the Sangguniang Panlungsod in Iligan City and to propose a training design to mitigate phishing attacks in the organization. Before engaging in the phishing simulation, respondents were asked to complete a survey to obtain information about their prior knowledge and possible misconceptions about phishing. GoPhish was the phishing simulation tool of choice. GoPhish is a sophisticated open-source phishing platform that makes it simple to assess an organization’s phishing risk. The phishing simulation involved basic automated attacks on all employees, a generic type of approach. The vast majority of the population was assessed and introduced to the notion of phishing attacks. The main outcomes and measures for this study were the phishing campaign duration, the number of email campaigns, the number of emails sent, the number of emails unopened, the number of emails opened, the number of links clicked through emails, the number of respondents who submitted data, and the email contents. Emails were classified into three categories: online promos, account activity, and bank related. The data collection process was carried out during the last quarter of 2021. A total of 8 different email campaigns were sent to 130 respondents, and 1040 emails were sent within a span of 4 weeks. Of the 1040 emails, 572 were unopened and 468 were opened. A total of 62 respondents proceeded to click the links and 5 submitted data. In addition, no emails were reported, which implies that the participants were unaware of, or had not practiced, the appropriate response to phishing emails. As cyber attacks increase, these click rates and responses represent a major risk for government units. The results of this study can help organizations enhance their awareness and reduce their vulnerability to cyber attacks, particularly phishing, in the future.
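As an added example (not code from the thesis or from the GoPhish project), the script below shows how the outcome measures listed in this abstract can be derived from a raw campaign event log rather than read off a dashboard. It assumes event labels that mirror the result statuses GoPhish displays (Email Sent, Email Opened, Clicked Link, Submitted Data, Email Reported); the event rows are constructed for the example, and the rule that a recorded click implies an open (open-tracking pixels are often blocked by mail clients) is this example's own assumption. It also carries the "reported" count, the one measure in this study that came out at zero, since that is the number a defender most wants to see rise after training.

```python
from collections import Counter

# Funnel stages in increasing order of exposure. "Email Reported" is tracked
# separately because it is a positive (defensive) outcome, not a funnel step.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
RANK = {name: i for i, name in enumerate(STAGES)}

# Constructed sample event log: (campaign, recipient, event). The labels mirror
# GoPhish's result statuses; the rows and addresses are invented for this example.
SAMPLE_EVENTS = [
    ("promo-1", "u01@lgu.example", "Email Sent"),
    ("promo-1", "u01@lgu.example", "Email Opened"),
    ("promo-1", "u01@lgu.example", "Clicked Link"),
    ("promo-1", "u02@lgu.example", "Email Sent"),
    ("promo-1", "u02@lgu.example", "Email Opened"),
    ("promo-1", "u02@lgu.example", "Email Reported"),
    ("promo-1", "u03@lgu.example", "Email Sent"),
    ("bank-1", "u01@lgu.example", "Email Sent"),
    ("bank-1", "u01@lgu.example", "Email Opened"),
    ("bank-1", "u01@lgu.example", "Clicked Link"),
    ("bank-1", "u01@lgu.example", "Submitted Data"),
    ("bank-1", "u02@lgu.example", "Email Sent"),
    ("bank-1", "u03@lgu.example", "Email Sent"),
    ("bank-1", "u03@lgu.example", "Clicked Link"),  # no open event: tracking pixel blocked
]


def furthest_stage(events):
    """Reduce one recipient's events to the furthest funnel stage reached.

    Stages are treated as monotone: a click implies the mail was opened even
    when no open event was logged (assumption of this example)."""
    best = -1
    for event in events:
        if event in RANK:
            best = max(best, RANK[event])
    return best


def summarize(events):
    """Per-campaign counts using the thesis' measures:
    sent, unopened, opened, clicked, submitted, reported."""
    per_recipient = {}
    reported = set()
    for campaign, rcpt, event in events:
        per_recipient.setdefault((campaign, rcpt), []).append(event)
        if event == "Email Reported":
            reported.add((campaign, rcpt))

    summary = {}
    for (campaign, rcpt), evs in per_recipient.items():
        counts = summary.setdefault(campaign, Counter())
        stage = furthest_stage(evs)
        if stage < 0:  # no delivery recorded for this recipient
            continue
        counts["sent"] += 1
        # Cumulative funnel: every stage at or below the furthest one counts.
        if stage >= RANK["Email Opened"]:
            counts["opened"] += 1
        if stage >= RANK["Clicked Link"]:
            counts["clicked"] += 1
        if stage >= RANK["Submitted Data"]:
            counts["submitted"] += 1
        if (campaign, rcpt) in reported:
            counts["reported"] += 1
    for counts in summary.values():
        counts["unopened"] = counts["sent"] - counts["opened"]
    return summary


def rates(summary):
    """Percentages relative to total emails sent across all campaigns,
    the same ratios the thesis plots in its simulation-result figures."""
    total = Counter()
    for counts in summary.values():
        total.update(counts)
    sent = total["sent"]
    keys = ("unopened", "opened", "clicked", "submitted", "reported")
    return {k: round(100 * total[k] / sent, 1) for k in keys}


if __name__ == "__main__":
    per_campaign = summarize(SAMPLE_EVENTS)
    for name, counts in per_campaign.items():
        print(name, dict(counts))
    print("overall %:", rates(per_campaign))
```

Running the block on the constructed log gives a click rate of 50% and a report rate of about 17%; the ratio of reports to clicks is the figure to watch over successive campaigns, because a rising report rate shows employees are practicing the response the abstract found missing.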
LIST OF FIGURES
Page
Figure 1. Research Framework 9
Figure 2. Overview of a Phishing Attack from Cloudflare 10
Figure 3. Overview of a Phishing Simulation from Elysium Security 11
Figure 4. Action Research Design from the study of Clune 26
Figure 5. Linear model from BetterEvaluation 27
Figure 6. Steps in Data Collection 23
Figure 7. Dashboard Sample from GoPhish as of June 2021 26
Figure 8. Cronbach’s Alpha test formula 37
Figure 9. Cronbach’s Alpha test results range 38
Figure 10. Graph of the respondent’s personal information 50
Figure 11. Graph of the respondent’s self-perception to their awareness of cybersecurity and phishing scams 51
Figure 12. Graph of the respondent's response to the emails they received 52
Figure 13. Graph of the respondent’s self-perception of the detrimental effects of phishing attacks 53
Figure 14. Graph of the respondent’s immediate response during a phishing attack 54
Figure 15. Graph of the respondent’s procedural knowledge responses 55
Figure 16. Graph of the simulation results; derived from GoPhish 56
Figure 17. Percentage of emails unopened to total email sent; derived from GoPhish 57
Figure 18. Percentage of emails opened to total email sent; derived from GoPhish 58
Figure 19. Percentage of clicked links to total email sent; derived from GoPhish 59
Figure 20. Percentage of submitted data to total email sent; derived from GoPhish 60
Figure 21. Laazada Email 62
Figure 22. Shoopee Email 63
Figure 23. Gramarly Email 64
Figure 24. iLandbank Email 65
Figure 25. Waowowin Email 66
Figure 26. iHotel Email 67
Figure 27. Gaysano Email 68
Figure 28. Robinsuns Email 69
LIST OF TABLES
Page
Table 1. Email Campaign Schedule 36
Table 2. Cronbach’s Alpha Survey Form Results 37
Table 3. Distribution of Data Frequency on Respondent’s Age 39
Table 4. Distribution of Data Frequency on Respondent’s Responses 40
Table 5. Distribution of Data Frequency on Respondent’s Responses 42
Table 6. Distribution of Data Frequency on Respondent’s Responses 43
Table 7. Distribution of Data Frequency on Respondent’s Responses 45
Table 8. Distribution of Data Frequency on Respondent’s Responses 46
Table 9. Email Contents and Attachments 48
Table 10. Phishing Simulation Statistics 49
TABLE OF CONTENTS
Page
ABSTRACT iii
LIST OF FIGURES iv
LIST OF TABLES vi
INTRODUCTION 11
1.1 Background of the Study 11
1.2 Statement of the Problem 12
1.3 Statement of Objectives 13
1.4 Scope and Limitations of the Study 13
1.5 Significance of the Study 14
1.6 Research Framework 15
1.7 Definition of Terms 17
1.8 Outline of the Study 18
REVIEW OF RELATED LITERATURE 19
2.1 Cybersecurity Skills Gap 20
2.2 An Organization’s Take on Cybersecurity Skills Gap 20
2.3 Phishing Simulation 21
2.3.1 Previous Studies 22
2.3.2 Common Factors Related to Phishing Susceptibility 23
2.3.2.1 Gender of the Respondent 24
2.3.2.2 Age of the Respondent 24
2.3.2.3 Various Contents Included in the Phishing Emails 24
2.3.2.4 Respondents’ Training Experience 25
2.4 Phishing Types 25
2.4.1 Phishing Attacks Recorded 26
2.5 Phishing Simulation on Sustainability of Organizations 27
2.4 Outline of the Review of Related Literature 28
METHODOLOGY 29
3.1 Action Research Design 29
3.1.1 Theory of Change 30
3.2 Survey 30
3.2.1 Population 31
3.2.2 Instrument for Data Collection 31
3.3 Phishing Protection Program 33
3.3.1 Testing 33
3.3.2 Detecting 33
3.3.3 Protecting 33
3.3.4 Training 34
3.3.5 GoPhish 35
3.3.5.1 Functionality 36
3.3.5.2 Flexibility 36
3.3.6 Phishing Attack Simulation 36
3.3.7 Phishing Attack Simulation Timeline 37
3.4 Cronbach’s Alpha Test 37
3.5 Survey Score Analysis 37
RESULTS AND DISCUSSION 39
4.1 Survey Form Results 39
4.1.1 Cronbach’s Alpha Result 40
4.1.2 Respondents' Self-Perception to Their Awareness of Cybersecurity and Phishing Scams 40
4.1.3 Respondent’s Response to the Emails They Receive 41
Response to the Email Received 42
4.1.4 Respondent’s Knowledge of the Detrimental Effects of Phishing on Victims 43
4.1.5 Respondent’s Immediate Response During Phishing Attack 44
4.1.6 Procedural Knowledge 45
4.2 Simulation results 47
4.2.1 Email contents and attachments 48
4.3 Comparison of Survey Form and Phishing Simulation Result 50
4.4 Visual Interpretations 50
4.4.1 Level of Awareness on Cybersecurity and Phishing Scams 51
4.4.2 Respondent’s Response to the Emails They Receive 52
4.4.3 Respondent’s Self-perception of the Detrimental Effects of Phishing Attacks 53
4.4.4 Respondent’s Immediate Response During Phishing Attack 54
4.4.5 Procedural Knowledge 55
4.5 Phishing Simulation Result 56
4.5.1 Laazada 61
4.5.2 Shoopee 62
4.5.3 Gramarly 62
4.5.4 iLandbank 63
4.5.5 Waowowin 64
4.5.6 iHotel 65
4.5.7 Gaysano and Robinsuns 67
4.6 Training Design 68
4.7 General Discussion 71
CONCLUSION AND RECOMMENDATION 72
5.1 Conclusion 72
5.2 Recommendation 73
APPENDIX A 79
APPENDIX B 80
APPENDIX C 81
APPENDIX D 82
APPENDIX E 83
REFERENCES 84
CHAPTER 1
INTRODUCTION

1.1 Background of the Study


According to Datareportal, the number of Filipino internet users increased to 73.91 million in 2020, more than half of the overall population. Consequently, the internet has become the most popular tool for consumers in the Philippines (Statista, 2020). Furthermore, through the internet, users from many organizations can communicate, share information, and work remotely during the pandemic (Eclipse, 2020). Indeed, the internet has aided many Filipinos in keeping their employees working safely, particularly during the pandemic. However, with all of the internet’s advantages also come risks (Kaspersky, 2021).

Cybersecurity is critical for mitigating these risks. Cybersecurity is the set of technologies, strategies, processes, and practices that must be maintained to keep our systems, networks, programs, and information safe and secure (Kaspersky, 2021). Various establishments and even institutions consider cybersecurity an essential factor towards sustainability, since sensitive information that brings beneficial and positive effects to a party is one of the top priorities to protect through proper security measures (Groot, 2020). However, it is a fallacy that cybersecurity is only the responsibility of an organization’s security and IT personnel. While many individuals have heard of cybersecurity, people’s actions and urgency do not reflect a high level of awareness (Bruijn & Janssen, 2017).

According to Yeo Siang Tiong, Kaspersky General Manager for Southeast Asia, Filipino Internet users continue to be victims due to general carelessness and a lack of online security awareness. According to Philippine authorities, phishing was the most common cybercrime performed in the Philippines during the COVID-19 pandemic, followed by online selling schemes and the transmission of fake news (Rappler, 2020). Phishing is an email-based attack in which the attackers impersonate a trustworthy entity, such as a person or a company with which the victim may do business (Fruhlinger, 2020). According to Statista, the National Capital Region had the highest number of phishing incidents, amounting to 58,160 in 2019, while Region 10 recorded a total of 720 phishing incidents. These numbers are presumed to have increased since. The National Bureau of Investigation’s Cybercrime Division recorded a 200% increase in phishing campaigns since the lockdowns started in March 2020 (Devanesan, 2020).

According to the study by Li (2021), cybercriminal activities in the private and public sectors jeopardize the benefits of stakeholders who support the government’s efforts to promote the usage of e-commerce and e-services in the Philippines. A particularly concerning instance of these activities occurred when banking clients received phishing emails that appeared to be official bank emails. Despite its security system and its reminders to customers of best practices to avoid cyber fraud, the Land Bank of the Philippines announced in January 2022 that teachers had lost money from their bank accounts after falling victim to phishing scams (Philstar, 2022). It is important to note that Land Bank is a government-owned corporation that also supports Local Government Units in all 81 provinces nationwide through its lending programs. The victims were also employees of DepEd, the executive department of the Philippine government responsible for ensuring access to, promoting equity in, and improving the quality of primary education. This incident therefore implies that most government employees are also at high risk of falling for phishing scams, especially those posing as Land Bank emails.

Locally, there have been more than five occurrences of phishing attempts, according to the researchers' interview with the Honorable City Councilor of Iligan City, Jesse Ray N. Balanay, who is one of the heads administering the ICT department of the local government unit. Some of the attackers pretended to be known members of the organization before using the popular FoodPanda food delivery service to place orders from fast-food outlets and restaurants. In another case, the assailant pretended to be the Vice Mayor and placed a food catering order. Fortunately, the attempt failed because the seller asked Councilor Balanay to confirm whether the Vice Mayor had used the service. However, the Sangguniang Panlungsod of Iligan City has not conducted any evaluation or training to ensure that its employees are aware of, and capable of defending themselves against, phishing. As a result, it is not known how exposed the organization is to the increasing number of phishing assaults.

From an organization’s perspective, training and educating employees to protect themselves and lower the risk of becoming victims of cyberattacks is substantial (Zoe, 2019). The training and education provided to employees should elevate their security awareness. Security awareness is a combination of intelligence, attitudes, and behaviors that help safeguard our information assets (Martin, 2014). This awareness is essential for employees at every level to ensure they have the skills to identify an attack (Deeney, 2020), since they have the most access to sensitive government data (Ikhsan et al., 2019). Furthermore, every employee has a fundamental responsibility to safeguard systems and data. However, according to the Cyber Security Statistics for 2020, employees in the municipal sector, like those in the private sector, lack the experience, expertise, and awareness to separate legitimate emails from phishing attempts.

Employees’ working environment can play a significant role in their perceptions of cybersecurity. According to Onumo et al. (2021), leaders and policymakers serve as mentors and advisors in accomplishing better work. Therefore, employees who collaborate with leaders and politicians on cybersecurity should promote appropriate employee security behavior and organizational cultural norms to influence how employees behave and perform their duties. To attain effective cybersecurity compliance, the researchers state that the top-level people of an organization should embed such practices and principles in the routines and daily processes they face. Overall, the study seeks to emphasize and establish the vital function of leadership and cultural values in the organization (Onumo et al., 2021).

1.2 Statement of the Problem


Given the rising number of phishing attempts over the years, and the evolving tactics for collecting an individual's information, sensitive information about individuals may be endangered, especially in government entities. Employees of Iligan City's Sangguniang Panlungsod, in particular, have an unmeasured level of cybersecurity awareness and must be examined to identify what to focus on in cybersecurity training and to improve digital habits efficiently.

The main research question guiding this study is: how aware are the employees of Iligan City's Sangguniang Panlungsod of phishing indicators, and how do they respond to simulated phishing emails?

The following specific research questions concern the respondents’ self-perception as reflected in the surveys:
● How aware are the employees of cybersecurity and phishing schemes?
● How do the employees behave when encountering a possible phishing attack?
● How aware are the employees of the harmful effects of phishing on its victims?
● How do the employees react when encountering a phishing attack?

1.3 Statement of Objectives


The main objective of the study is to utilize phishing attack simulations to assess the cybersecurity awareness of employees at the Sangguniang Panlungsod in Iligan City and to propose a training design to mitigate phishing attacks in the organization. The specific objectives are as follows:
● To conduct a survey at the Sangguniang Panlungsod in Iligan City;
● To conduct a phishing simulation;
● To assess the response of the LGU employees based on the survey and phishing attack simulation;
● To provide recommendations and a training design focused on phishing.

1.4 Scope and Limitations of the Study


This study aims to evaluate the Sangguniang Panlungsod of Iligan City and its employees in terms of cybersecurity awareness, specifically in dealing with phishing attacks, in order to improve information security. The Sangguniang Panlungsod plays a crucial role in providing technical and logistical support to City Council members. Its responsibilities also include providing the public with openness and quick access to information. Furthermore, with a large number of employees answering public queries in the form of emails and chats, the Sangguniang Panlungsod can easily be targeted by phishing attacks.

All of the available employees under the chosen department were included in the study. The researchers sought to define employee awareness by comparing and analyzing the results of the employees’ responses to the conducted survey and the phishing simulation activity. There were two limitations to this study. The first was that the data gathering period took longer than usual due to the employees’ hectic work responsibilities and preparations for the upcoming election. Health protocols were the second limitation: since LGU Iligan imposed strict rules to maintain everyone's safety with regard to COVID-19, the researchers coordinated remotely or booked appointments beforehand to visit on-site.

1.5 Significance of the Study


The results of the study yield significant benefits to the following:

Local Government. The study could be a tool for the local government to identify specific sectors and departments that are vulnerable to phishing attacks and need improvement and attention. It can also serve as a guide for employee training, strengthening cybersecurity measures, and increasing the level of awareness of employees. Improved awareness in the local government, by any means, enables it to respond quickly and effectively to phishing attacks that would harm the integrity and safety of data.

Employees. This study will help improve employees' knowledge of phishing attacks and help them develop an immediate but effective response when exposed to such situations, to prevent information loss and keep them secure.

Information Security. The study will aid in developing projects with better information security functions, such as fake-email detection features, based on the study's results on how employees distinguish authentic emails from fake ones, to ensure the confidentiality, integrity, and availability of information.

Future Researchers. This study will provide new ideas and ways for future researchers to use in their respective studies and highlight the importance of cybersecurity awareness. Future researchers can apply this knowledge to the mitigation of other cyber threats for the betterment of society and educate more people on preventative measures against cybercrimes.
1.6 Research Framework

Figure 1. Research Framework


The research followed the IPOO (Input-Process-Output-Outcome) model. There were three necessary inputs: the employees’ profiles, their responses to the distributed survey, and their responses to the phishing attack simulation. Statistical data treatments were applied afterwards to help the researchers formulate interpretations and generate appropriate recommendations. The process phase consisted of the data gathering methods, where the researchers used a survey form to assess employee awareness and a phishing attack simulation to assess employee response.

Figure 2. Overview of a Phishing Attack from Cloudflare (2019)

The concept of a phishing attack shown above from Cloudflare guided the researchers in identifying the participants involved and the factors essential to the activity. This provided supporting information for the researchers in coming up with a suitable phishing simulation (Cloudflare, 2019).

Figure 3. Overview of a Phishing Protection Program from Elysium Security (2019)

The figure above shows the phishing protection program from Elysium Security. Sylvain Martinez, the founder of Elysium Security, has been in the IT industry for 20 years, focusing on information security. Martinez’s experience led him to create a phishing protection program to share his expertise (Elysium Security, 2019). The program includes the use of phishing simulation to identify vulnerable individuals and to validate the need for awareness and training.

1.7 Definition of Terms


(Cybersecurity) Awareness – the combination of both knowing and doing something to protect a business or an organization’s information assets (Cyberguard, 2021).
Cyber Risk – the potential exposure to loss or harm stemming from an organization’s information or communications systems (Sheth, 2020).
Cyber Threat – a malicious act that seeks to damage data, steal data, or disrupt digital life in general (Tunggal, 2021).
Cyber-attack – a type of attack that may be launched from one or more computers against another computing device, multiple computers, or networks (Fruhlinger, 2020).
Cybersecurity Assessment – a type of assessment that analyzes the cybersecurity controls of your business or organization and its ability to remediate vulnerabilities (Meir, 2021).
Cybersecurity Awareness – how much end-users know about their networks’ cybersecurity threats and the risks they introduce (Martic, 2014).
Cybersecurity – the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks; also known as information security (Kaspersky, 2020).
Cyberspace – the virtual computer world, and more particularly, an electronic medium for facilitating online communication (Techopedia, 2020).
End-users – a term used to describe persons who utilize a product on a regular or consistent basis as part of their work (Bruner, 2021).
Fake News – bogus news stories in which the entire tale is made up, with no verified facts, sources, or quotes (M-Library, 2021).
Information – useful facts, as opposed to raw data, since there must be some meaningful information within all of the data (Definitions.net, 2021).
Information Security – a collection of procedures designed to protect data from unwanted access or modification (Fruhlinger, 2020).
IT Personnel – staff who plan, create, install, program, and manage computer hardware and software; plan technological solutions for corporate needs; and keep computer and networking systems secure and operational (Kaft, 2018).
Organizational Culture – the set of values, expectations, and procedures that guide and inform all team members' actions (Wong, 2020).
Phishing campaigns – a set of time periods during which a group of emails has been deployed.
Phishing Simulation – an exercise used to teach employees how to spot the warning signs of fraudulent email (KeepNetLabs, 2021).
Phishing – a method of gathering information using emails and websites that are deceptive enough to fool the target (Fruhlinger, 2020).
Scam – a con; any deceptive business or technique that takes money or other items from an unsuspecting person (Computer Hope, 2021).
Technology – the application of scientific knowledge to the practical goals of human life, or, as it is sometimes called, the transformation and manipulation of the human environment (Britannica, 2021).

1.8 Outline of the Study


The first chapter of this study elaborates on the main topics and discussions about the background and its problem, as well as the importance, impact, and beneficiaries of the study. Aside from the necessary background information presented in the first chapter, a framework was also introduced that lays out the plans and direction of this study by presenting the inputs, processes, possible output, and outcomes. The second chapter introduces the related literature that this study has taken into consideration, mentioning previous studies in the disciplines of the cybersecurity skills gap, phishing attacks, and phishing simulation. Chapter 3 discusses the methodology used and followed by the researchers in conducting this study, such as the research design, research instruments, the population and sample, the tools needed for the phishing simulation and its supporting processes, as well as the data collection method and data analysis. In chapter 4, the findings and discussion of the data include the interpretation of the data gathered from both the survey forms and the phishing attack simulation using different statistical methods. In chapter 5, the overall conclusion of the study is presented together with the recommendations.
CHAPTER 2
REVIEW OF RELATED LITERATURE

2.1 Cybersecurity Skills Gap


Organizations face a constant issue in attracting qualified cybersecurity specialists capable of securing their systems against hostile actors as cyber threats become more sophisticated (Lewis, 2019). The scarcity of cybersecurity professionals has been measured at both local and national levels (Zan, 2019). McAfee, one of the world's leading independent cybersecurity organizations, conducted a study on the international scarcity of cybersecurity skills (2017) that covered Australia, France, Germany, Israel, Japan, Mexico, the United Kingdom (UK), and the United States (US). According to the data, cybersecurity education is lacking in all nations surveyed, and one out of three respondents believed that a lack of expertise makes their firms more tempting hacking targets.

In comparison to its ASEAN neighbors, the Philippines has 84 CISSP-certified IT professionals, compared to over 100 in Indonesia, Malaysia, and Thailand, and over 1,000 in Singapore, Japan, and Australia (Philstar, 2016). Given the increased number of assaults that numerous institutions have encountered in recent years, the Philippines' small circle of cybersecurity experts is alarming (Gavilan, 2017). While the Cybersecurity Bureau conducts statewide cybersecurity awareness and training programs, the need to address the scarcity of cybersecurity-skilled personnel is also recognized (Umali, 2018). National security communities will need to invest in their workforce in order to strengthen their people's cybersecurity capability and capacity through further education and training (Vogel, 2016). Furthermore, to fill manpower shortages, businesses should consider implementing internal retraining programs (CSIS, 2019).

A study conducted by a group of professionals and the National Audit Office (NAO) states that it would likely take 20 years to address the cybersecurity skills gap among the employees and professionals who specialize in information security. This concern has been considered one of the reasons for the lack of cybersecurity skills and knowledge in every organization. Their study also holds that organizations should know when and how to fight back against cyber-criminals to protect their employees as well as the treasured information they hold. If the worst case happens, losing the battle with the cybercriminals will lead to consequences, and businesses around the world will suffer the damage of cybercrime (The Defence Works, 2019). The study introduced various factors that are expected to secure the cyberinfrastructure of most organizations. Management support for the action plan and the development of policies garnered the most responses, followed by qualified hired staff, meaning that cybersecurity professionals should be present in each organization to follow up on its strengths and weaknesses. Training of staff on security policy also garnered a large number of responses, as it is the most viable way of instilling cybersecurity knowledge and capability in the organization, thus educating the front liners of the entity. The last factor is to allocate a budget that will effectively support the project. These strategies are considered highly effective and highly observable factors (Caldwell, 2018).
2.2 An Organization’s Take on Cybersecurity Skills Gap
As the world becomes more technologically inclined, most organizations and other entities have come to recognize the importance of the internet, and there has been an increase in the dependency on computers, computer networks, and communication for daily operations. The government has been consistently targeted by cybercriminals for years, and the ongoing global health problem has brought a significant increase in the risk to the organization. As the organization's dependency on computer machines increases, the digital world becomes the place where cybercriminals are most attracted. With the new landscape of cybersecurity threats, LeClair et al. (2018) stated that it is important to provide the workforce of any organization with ongoing training regarding cybersecurity. In this way, the mitigation of suspicious activities will be addressed as soon as possible (Elysium Security, 2019). The researchers introduced a multipronged protection program that includes educational methodologies to assess employees even if they are geographically separated from the organization and management and constrained by time. The researchers follow an interdisciplinary approach in which the three major pillars of a cybersecurity program, namely Technology, People, and Process, are highlighted to employees through training and education programs. For the technology element, employees' familiarity with the various software and hardware components in their work should be assessed, as well as the other computer infrastructure they use, to achieve effective learning and knowledge management of the things they deal with on a daily basis. For the people element, communication and management should be a top priority in training, to build teamwork and collaboration in times of attack and to strengthen the trust of each employee. As for the process element, technical writing and management of the tasks they handle should be addressed in order to have traceability measures for the actions executed by employees in their respective working environments. These elements are proven to be effective, according to the researchers. The overall purpose of their study is to provide a better framework for training and educating employees about cybersecurity and the cybersecurity skills gap (LeClair et al., 2018).

Educating and training employees does not guarantee that they will have an in-depth learning experience. Clarke (2018) states that employee fatigue from the various training and education courses will bother them and make them uninterested as time goes by. In order to help employees change their behavior and skills toward cybersecurity, the training should be effective enough for them to learn from the experience (Clarke, 2018). To avoid the shortcomings of educating employees, such as a lack of enthusiasm and boredom along the way, effective key measures and practices that enable employees to participate are introduced. According to the researchers, staff training and education should not only focus on systematic and technical components, but also integrate employees' experiences and personal lives in order to inculcate a calm mood and state of mind, which will minimize their security fatigue. For employees and the organization to have effective training, it should be connected with emotional aspects to instill the knowledge more effectively (He & Zhang, 2019).
2.3 Phishing Simulation
According to The Defence Works (2019), the purpose of a phishing simulation is to train employees and key staff to identify the warning signs of malicious content on the internet. It uses and distributes the typical email formats and templates that regularly arrive in everyone's inboxes. The fake emails are tailored to a specific target, which may be an organization or an individual, and they mimic real phishing closely enough to make the simulation activity effective.
2.3.1 Previous Studies
According to Li et al. (2020), a phishing study requires only simulated phishing campaigns, surveys, or both. Generally, the targeted respondents are not informed that they are participating in the study, unless the researchers deliberately provide a warning of possible phishing attacks and exploits in order to evaluate the effectiveness of the simulation together with that warning. The first notable example of such an activity is Mohebzada et al. (2018), who conducted a two-phase phishing experiment targeting a total of 10,568 members of the American University of Sharjah, including staff, faculty, and students, in the mid to late spring semester of 2010. In their first attempt, they issued precautionary notifications about the simulation to the respondents (the targeted victims) but found that the warning messages were largely ignored. The researchers suggested that early warnings may not be sufficient to prevent respondents from falling for phishing attacks.
The survey from the previous study applies to all situations in which researchers conduct phishing simulations. The purpose of the survey is to inform the respondents of the study's objectives and purpose before the simulation is conducted and the emails are distributed. This gives the researchers time to ask for their permission to participate in the study, and gives the respondents insight into what the survey is for. The objective of the study of Shang et al. (2017) was to examine whether demographic profile and factors determine and affect the effectiveness of the different anti-phishing training programs introduced to the respondents. The researchers targeted 1001 online respondents through Amazon.com's Mechanical Turk, where they were given survey questionnaires and a role-play task.
The next studies combine the two methods for a phishing study, an experiment and a survey. In the spring of 2018, Diaz et al. (2018) conducted a study and launched a phishing email experiment at the University of Maryland, Baltimore County, to study demographic profile factors in relation to phishing activities and misconduct. A total of 1,350 uninformed students were the targeted victims and received various phishing emails before the experiment. The survey was sent after the experiment so that the researchers could analyze the relationship of the demographic factors, including each student's computer usage and training experience. Another study was conducted at the National Institute of Standards and Technology, where a total of 70 staff were targeted by the phishing study launched by Greene et al. (2018). The main purpose of the two studies was to understand why some respondents click the phishing links and attachments in the emails and others do not.
Another study, conducted on the employees of health care institutions based in the United States, identified a major driving factor of change in a two-way phishing attack simulation. The main motivation of the study led by Gordon et al. (2019) is the increasing importance of cybersecurity in the delivery of health care within organizations, and email phishing attacks happen to be a major issue among hospital employees. This study ran for almost nine years, from August 1, 2011, to April 10, 2018. Data collection focused on six different US health care institutions that are geographically distant from each other. The results are of two types: the primary and the secondary phishing simulation. The statistics show a high rate of responses, ranging from clicking emails to opening websites, viewing the content, and so on. The primary phishing campaign produced a 16.7% median click rate across 95 simulations and 2,971,945 emails. In contrast, the secondary phishing simulation, which included repeated phishing attempts, showed a significant decrease in click rates. This proves that, to test the employees' knowledge and ideas about phishing attacks and their behavior, a single phishing simulation provides all the information a study needs, and the second one can be disregarded as it is more costly and less time-efficient.
The study of Yeoh et al. (2021) tested the effectiveness of a simulated phishing assault with embedded training materials in an Australian educational institution. The goal of the case study was to see whether combining simulated phishing attacks with embedded training programs helps individuals become more resistant to phishing attacks. A total of 8,189 people were exposed to the baseline and to all six cycles of the simulated phishing campaigns on a regular basis. When the results from the six cycles were compared to the baseline period, it was discovered that the number of people who responded in an unsafe manner decreased across the board. In the end, the rate at which phishing emails were reported climbed significantly across all departments, although only 137 of the 8,189 people reported a simulated phishing e-mail six or more times. According to the study, phishing awareness training is a requirement for everyone and should be done in numerous cycles to establish a habit and make people more aware of phishing attempts. Moreover, the study emphasizes the importance of phishing templates in catching aware and well-educated individuals. Ultimately, the researchers of this study recommend to cybersecurity stakeholders that simulated phishing attacks combined with embedded training and education help organizations save money on employee training.

2.3.2 Common Factors Related to Phishing Susceptibility

Based on the results of the previously mentioned studies, there are 4 common factors that define the overall experience of the phishing simulation in different organizations.
2.3.2.1 Gender of the Respondent
The studies mentioned above report various results, especially regarding the relationship between the respondent's gender and the likelihood of phishing susceptibility. The first major point is that women were significantly more likely to be attacked with phishing than men, according to the results of Jagatic et al. (2017), Sheng et al. (2017), and Halevi et al. (2017). In the study of Mohebzada et al. (2018), both genders were equally likely to be attacked with phishing, but the percentages of respondents deceived in the first and second simulation activities differed significantly, at 60.9% and 39.1%, respectively. Diaz et al. (2018) found only minor differences from the previous results. However, the results of these previous studies might not be applicable to this study.

2.3.2.2 Age of the Respondent

The study of Sheng et al. (2019) concluded that differences in the age of the respondents do have a significant effect. In the role-playing results of Sheng et al. (2019), the 18-25 age group was more likely to entertain any email and to click its attachments compared to the other age groups (26 and above). The study of Downs et al. (2006) found no significant association between age group and behavior toward entertaining the emails. However, these researchers concluded that most of the respondents in the 18-25 age group continuously engage in risky online activities and transactions.
From the results of the various studies mentioned above, it is suggested that respondents in the younger age group are more susceptible to phishing than older age groups. As in the previous section, the results of these studies might not be applicable to this study.

2.3.2.3 Various Contents Included in the Phishing Emails

The email content, the sender address, and the arrangement of the elements are the factors that lead victims to respond to an email. According to Furnell (2017), the content and its specifics, such as visuals including banners and logos, are usually what entices people to click on phishing emails. Respondents may also be drawn in by the sender address, so it is usually better to craft a phishing email address from the organization or entity where the victim works or studies, because this lowers the victim's suspicion of the digital content (Jagatic et al., 2017). From the perspective of Greene et al. (2018), the context of the emails should be aligned with the victim's experience and knowledge in order to produce a successful phishing susceptibility test. The study results of Vishwanath et al. (2019) state that the subject of the email calls for the victim's attention or cues an urgency to reply, which leads to the clicking response. The researchers also state that attention to grammar or spelling errors would likely affect the probability of users engaging with the contents of the phishing emails.

2.3.2.4 Respondents' Training Experience

The victim's or respondent's engagement in the simulation activity will most likely be influenced by their past experiences with phishing. The study of Sheng et al. (2019) states that respondents who had undergone anti-phishing training were more likely to be unparticipative and to fall for phishing attacks. The researchers advised future researchers that examining the respondent profile should include a question or statement about previous anti-phishing training experience, in order to produce a better research design and a successful phishing simulation study.

2.4 Phishing Types

Phishing may be done in a number of ways. The best known is “spear phishing.” Rather than spamming random people, this type of phishing involves sending emails to specific groups of computer users. In general, the attackers research possible victims and set the stage for spear phishing. The attacker can then send an email or a message that appears to come from a legitimate company source. Furthermore, high-level targets (e.g., corporate executives or top management) are pursued using spear-phishing. This type of spear phishing is termed “whaling” (Chatchalermpun et al., 2020).
Hakim et al. (2020), a group of 10 researchers, conducted a lab-based task in 2020 to evaluate an individual's behavior toward phishing detection and recognition. These researchers define email phishing as a type of social engineering attack whose main purpose is to lure the receiver of such emails into performing actions that are out of their control and that eventually lead to negative consequences. Because of the number of emails being spread, an ideal way to limit receiving these online materials is through technological solutions. However, the researchers feel that human judgment remains vulnerable while making these decisions, which makes people responsible for their actions and the last line of protection. The study includes a result showing that phishing susceptibility is affected by an individual's cognitive and neural mechanisms. The researchers created a methodology capable of producing critical and valid measurements of the human cognitive mechanisms involved in email phishing detection. They introduced the Phishing Email Suspicion Test (PEST), a survey-based cognitive model that quantitatively assesses human behavior through inputs on a Likert scale. This identifies how an email containing a phishing attack differs from an authentic one (Hakim et al., 2020).
Kim et al. (2019) showed that threats to the information security of an organization come primarily from internal forces, followed by external factors. Employees are prone to violating their organization's information security protocol (ISP), and to prevent such misconduct from recurring, the researchers suggested that security training programs and sanction policies should be implemented and treated as a serious matter within any organization. The authors of this study state that phishing attacks are the most common cybersecurity threat organizations receive in the United Kingdom, yet few studies have verified the practical effect of employees' and individuals' characteristics on their attitude and behavior on the internet within certain organizations. To verify the previous studies themselves, the researchers conducted a phishing simulation program that assesses the knowledge of the employees. The program was conducted by fabricating fake phishing schemes and distributing them to the employees' work accounts. The results led the organization to provide information security education programs and courses to ensure that knowledge about the cyber issue is instilled into their daily working lives. Regarding the information security protocol, sanction policies were applied to those who failed the phishing simulation program. The researchers concluded that enforcing penalty policies on employees has a substantial impact on how they behave after the assessment. The phishing simulation program was also treated as an effective tool for determining the employees' vulnerability to risks (Kim et al., 2019).
An experiment was undertaken in Saudi Arabia by Aljeaid et al. (2019), assessing end-user cybersecurity knowledge and awareness as well as susceptibility to phishing. The experiment involved cloning the website of King Abdulaziz University (KAU) in Saudi Arabia using three different tools: track, get, and serf-online. To avoid any attempt to degrade KAU, the researchers showed the cloned website only to the control group. The researchers used chi-square statistics to determine whether there is a relationship between the categorical variables “occupation” and “exposure to phishing attack”. The experiment results showed that 77% of the participants fell victim to this attack, and the majority of the victims were students (41%). In addition, end-users fall victim to phishing attacks if they do not have adequate security knowledge and security awareness, regardless of their educational background, qualifications, occupation, age, or gender. Unfortunately, technology alone cannot withstand cyberattacks. Passive awareness is insufficient, according to the report; hence combined proactive training programs for end-users are recommended. A more successful anti-phishing strategy design requires a detailed grasp of the combination of diverse techniques.
2.4.1 Phishing Attacks Recorded
According to statistics published in 2019 by Statista, a trusted and leading statistics organization, phishing attacks have been widely observed in the Philippines. With a total of more than 7,000 islands, it is undeniable that the figures vary from region to region. Statista concluded that the National Capital Region (NCR) accounted for approximately 58.2 thousand victims. Aside from the national capital region itself, phishing cyber attacks also often occurred in Region 3 and Region 4-A (Statista, 2021).
According to the results presented in the webinar hosted by the Department of Justice Office of Cybercrime (DOJ-OCC), the number of phishing attacks has increased in the history of their department. The speaker from the NBI-CCD, Señora, stated that, with the outbreak of the deadly COVID-19 pandemic, only 30 phishing cases had been reported, but after only three weeks of operation under the pandemic an additional 70 cases were reported to them. The main reason, according to the speaker, is that computers and other internet-connected devices able to transact online are the targets and opportunities for these criminals on the internet to attack all at once (Rappler, 2020).

2.5 Phishing Simulation on Sustainability of Organizations

In the United States, Gordon et al. (2019) studied six healthcare facilities to see how vulnerable their personnel were to phishing schemes. Phishing attacks have seriously threatened the security of health information systems, with more than half of doctors facing such serious threats, and employee turnover is high. As the study mentions, successful phishing attacks could lead to security breaches and disruption of hospital operations. Many industries use phishing simulators to train employees to recognize the danger signs of a malicious email (TheDefenceWorks, 2019). Therefore, as in other industries, the researchers used phishing simulations to increase awareness and to determine which employees can gain the learning and skills to combat phishing attempts. Through simulated phishing emails, they discovered that one in seven was clicked on by employees. The study also shows that employees' exposure to repeated phishing attempts was linked to a lower probability of clicking on the following phishing email, meaning that employees grow more aware of the indicators of dangerous emails as a result of repeated phishing simulation efforts. Thus, the researchers concluded that phishing simulation is an efficient way to reduce information security risks while also teaching staff how to identify malicious emails.
A year later, in 2020, a similar study by Chatchalermpun et al. (2020) was conducted with a large financial services firm in Thailand. The study was conducted using a cybersecurity drill, also known as a cyberdrill. A cyberdrill is a cybersecurity incident response training method that simulates a cyberattack on workers or persons who work in the field. The Bank of Thailand (BOT), Thailand's financial services regulator, defines it as the simulation of cybersecurity attack scenarios with at least one kind of threat and technique to familiarize workers or users with the dangers. Cyberdrills may also evaluate whether an employee is at high risk of becoming a victim of cybersecurity attacks. Rapid reaction to an event leads to a high level of cybersecurity resilience that protects the company from the effects of assaults. The reaction also aids the organization's ability to keep service level agreements (SLAs) with customers, including internal customers. As a result, cyber drills may raise employee awareness of cybersecurity dangers and help them respond more effectively (Chatchalermpun et al., 2020).
A specialist from outside the organization was hired to conduct the drill test. For the drill test procedure, the specialist sent two sets of emails to the company's whole workforce, which included around 20,500 employees and 700 executives across the country. Employees received an email from a spear-phishing site promising Gmail storage. Meanwhile, the second set might be categorized as whaling, because high management or executives were sent an email regarding an iPhone 11 promotion. It was discovered that the organization has a serious cybersecurity risk issue, because approximately 23% of employees and 27% of executives opened the malicious emails, and 15% of employees and 12% of executives entered their passwords into a fraudulent page, indicating a low awareness of risk and cybersecurity. As a result, every level of employee should participate in a cybersecurity training session (Chatchalermpun et al., 2020).
2.6 Summary
The cybersecurity skills gap is one of the common causes of cybersecurity issues. As discussed in the first part of this section, there is a lack of cybersecurity professionals in local, national and international organizations, which results in a wide range of casualties and damage to them. Accordingly, each organization has its own way of providing at least a partial solution to the cybersecurity skills gap. Organizations' employees undergo cybersecurity training and education to equip them with the knowledge and skills to better handle, prevent and protect against cybersecurity issues when they arise. One of the common ways to educate employees is through phishing simulation. This section covered the different types of phishing attacks, ways to conduct simulations effectively, and common issues encountered during a simulation. Phishing attack and simulation types were also discussed, as it is important to determine the degree of difficulty and the type of respondents involved, because some phishing types would not be suitable for a specific group of respondents. For reference, phishing attack records were also included to provide a wider understanding of the previous point, namely the appropriate type of phishing simulation. The last part presented other examples of organizations that underwent phishing simulation, their results, and their respective solutions and recommendations.
CHAPTER 3
METHODOLOGY
This study used a quantitative approach to determine the degree of employees’ initial
knowledge of cybersecurity awareness and their responses to simulation activities. A structured
quantitative survey form was disseminated to the employees to assess their level of awareness
and to collect responses per topic through a Likert scale. At the same time, a phishing attack
simulation through an open-source phishing framework called GoPhish was introduced.

3.1 Action Research Design


An action research design was used in the development of the study since its target and objectives closely match those of other existing studies that also used an action research design. By definition, an action research design is a type of educational research that involves collecting information regarding the current knowledge and situation of a certain target population, analyzing the information gathered, developing plans and ways to improve on the findings, and then implementing them (VanBaren, 2019). This helped the researchers come up with better recommendations on the change imposed on the target population.

Figure 4. Action Research Design from the study of Clune (2007)

The figure shown above was adapted as the researchers' framework for executing the study properly. It guided the researchers in dissecting the problem of the target population, coming up with alternative solutions, implementing them with supporting research and investigation, and recommending a plan as a solution to the problems found (Clune, 2007).
3.1.1 Theory of Change
The researchers used the theory of change in the phases of the action research to ensure that every change and idea implemented in the study would result in a better outcome and eventually improve the overall quality of the study. Community-based change initiatives, even for a larger target population that undergoes change through proposed solutions, are often considered ambitious goals. According to Allen (2016), such steps toward change are difficult since they involve a large part of the population, so specific planning and effective strategies are encouraged. The theory of change is vital to these types of studies because it helps the researchers develop a solution through an iterative process in which every step is well planned and assessed. It is easier to sustain the changes, bring them to scale, and evaluate them, since every step specifies the ideas or resources needed for the outcomes it hopes to achieve (Allen, 2016). The figure below from BetterEvaluation (2019) supports the statement in this section.

Figure 5. Linear model from BetterEvaluation (2019)


3.2 Survey
The researchers chose a survey research design since it was the most appropriate method to gather information, with a quantitative approach used to collect the relevant data. The purpose of choosing a quantitative approach was to highlight, through the number of responses, the major implications for the participants' knowledge of and behavior towards cybersecurity and phishing. This survey was disseminated to employees of the Sangguniang Panlungsod of Iligan City.
As an effective method of conducting research, the survey has proven to be the most effective one. According to Formplus (2020), survey research is a simple systematic investigation conducted via a survey; it is a sort of study in which respondents are polled using a survey form. It is also a research method used to gather the opinions, beliefs, and feelings of a selected group of individuals, often chosen by demographic sampling, and it is commonly used in academia, government, and business (TechTarget, 2020).

3.2.1 Population
The chosen population for this study were the employees of the Sangguniang Panlungsod of the local government unit of Iligan City. Using the quantitative research method, the amount of data collected was determined by the availability of the employees. According to Creswell (2003), the researcher's target population should have common characteristics that define it as a group or organization, so that the research can be completed easily and the researchers can identify and study the population.
The employees needed to satisfy a set of specifications. In this study, the population came from all age groups, educational statuses and socioeconomic statuses, and had to be on duty at the time of the data collection process.

3.2.2 Instrument for Data Collection

Before data collection, the researchers designed a survey form (see Appendix A) with relevant statements capturing the target population's knowledge of or perceptions about cybersecurity and phishing. The survey form that the researchers produced was primarily aimed at the employees under the Sangguniang Panlungsod.

The survey form has 6 sections: Part I, II, III, IV, V, and VI. The researchers adopted most of the statements from Muniandy et al. (2017), Chandarman & Niekerk (2017), and KnowBe4 (2019), then customized them to make sure they align with the target population and to come up with a valid and reliable instrument for data collection.
● Part I is on the personal information obtained from the respondents,
● Part II is on the perception of the respondents with regards to their awareness of Cybersecurity and Phishing scams,
● Part III is on the respondents' response to the emails they receive,
● Part IV concerns the common implications of falling victim to a phishing attack,
● Part V is on the respondents' response during possible phishing attacks,
● Part VI samples real phishing links, attachments, and websites whose legitimacy the respondents need to verify.

A quantitative approach was followed in which the instrument was structured using the 5-point Likert scale; the range runs from “strongly agree” (SA), “agree” (A), “neutral” (N), “disagree” (D), to “strongly disagree” (SD), or vice versa. The researchers structured the survey form so that the target population responded based on their degree of agreement or disagreement with the statements included in the instrument handed out.
3.2.3 Method of Data Collection

Through a collaboration with a government official and their office, the survey form was distributed by another employee so that it appeared to be another data-gathering activity of the office. The total number of respondents and their personal information were provided by the head of the office. Participants were not informed of anything related to the study, in order to obtain unbiased results. The time allotted to administer the data collection, covering handing out, answering, and collecting the survey form, was expected to be only 15-20 minutes. The researchers collected the survey forms after completion.

The steps shown below were followed in collecting the data:

Figure 6. Steps in Data Collection

3.3 Phishing Protection Program


The previously mentioned concept of Elysium Security's phishing protection program was adapted to assess the employees' behavior towards phishing attack situations. The chosen phishing simulation tool was GoPhish. According to ÖMER (2020), GoPhish is open-source software that enables someone to create a phishing attack scenario safely. The activity has four phases: testing, detecting, protecting, and training.
3.3.1 Testing

GoPhish, the phishing simulation tool mentioned above, was used in the testing phase to identify the vulnerability of the employees (Martinez, 2019). Using the click-URL method, the employees should be able to distinguish:

● Obvious to difficult phishing links
● Redirected links that require users to release sensitive information
● Authentic from suspicious attachments
● Call-to-action buttons or links that lead to requests for sensitive information

Prior to conducting the activity, the researchers installed GoPhish on two host computers. Respondents randomly received phishing emails generated by the simulator over a span of 4 weeks.

3.3.2 Detecting
The detecting phase helped the researchers identify and monitor the employees' responses through the GoPhish dashboard and the degree of response from the employees. The chosen phishing simulation tool generates statistics on sent and received emails, opened emails, and URL/attachment click times (Wallen, 2020).

3.3.3 Protecting
Reduction of phishing-related incidents can be achieved in two ways: warn and block. Warning means alerting the participants to the potential risks of phishing attacks, and blocking means blocking identified senders or owners of the digital content containing phishing attacks (Martinez, 2019).
● Identify and label external emails and potential impersonation
● Move emails to spam folders to quarantine them
● Demonstrate the different types of website domains and their privacy
● Introduce common phishing emails, including some spear-phishing emails, to raise awareness

The researchers provided a training course which incorporated all the protecting methods stated in this part.
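As an added illustration of the warn-and-block measures above (not the thesis' own code and not part of GoPhish), the following Python script applies the first two protecting steps to inbound mail: it labels external senders and quarantines messages whose display name impersonates an internal address or whose Reply-To diverts replies to another domain. The organisation's domain, the X-Phish-Check header name and all three sample messages are constructed for the example.

```python
"""Warn-and-block checks for inbound mail, as in the protecting phase.

Added example; not code from the thesis or from GoPhish. The organisation's
domain, the X-Phish-Check header and all sample messages are constructed."""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.gov.ph"}  # constructed stand-in for the office's domain
EXTERNAL_TAG = "[EXTERNAL] "
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def inspect_sender(msg, internal_domains=INTERNAL_DOMAINS):
    """Three header checks that need no DNS lookup or reputation feed.

    external              From address is outside the organisation.
    spoofed_display_name  The display name shows an internal-looking address
                          while the real From address is external.
    reply_to_mismatch     Reply-To sends answers to a different domain than From."""
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    external = from_domain not in internal_domains
    shown = ADDR_IN_TEXT.search(display)
    spoofed = external and shown is not None and _domain(shown.group()) in internal_domains
    mismatch = bool(reply_addr) and _domain(reply_addr) != from_domain
    return {"external": external, "spoofed_display_name": spoofed,
            "reply_to_mismatch": mismatch}


def label(raw_message):
    """Return (decision, rewritten message).

    deliver     internal sender, message untouched
    label       external sender: subject tagged so the reader is warned
    quarantine  impersonation or reply diversion: tagged and routed to spam"""
    msg = email.message_from_string(raw_message)
    findings = inspect_sender(msg)
    if findings["spoofed_display_name"] or findings["reply_to_mismatch"]:
        action = "quarantine"
    elif findings["external"]:
        action = "label"
    else:
        action = "deliver"
    if action != "deliver":
        subject = msg.get("Subject", "")
        del msg["Subject"]  # replace rather than duplicate the header
        msg["Subject"] = subject if subject.startswith(EXTERNAL_TAG) else EXTERNAL_TAG + subject
        msg["X-Phish-Check"] = action + "; " + ",".join(k for k, v in findings.items() if v)
    return {"action": action, **findings}, msg.as_string()


# Constructed samples: a display-name impersonation with diverted replies,
# a legitimate outside vendor, and an ordinary internal message.
SAMPLE_SPOOF = """\
From: "Records Office records@example.gov.ph" <alerts@mail-relay.example>
Reply-To: collect@another-host.example
To: staff@example.gov.ph
Subject: Payroll adjustment: confirm your account today

Please confirm your account details using the link below.
"""
SAMPLE_VENDOR = """\
From: Vendor Support <support@vendor.example>
To: staff@example.gov.ph
Subject: Invoice 2022-031

Attached is this month's invoice.
"""
SAMPLE_INTERNAL = """\
From: HR Unit <hr@example.gov.ph>
To: staff@example.gov.ph
Subject: Training schedule

See the attached schedule.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_SPOOF, SAMPLE_VENDOR, SAMPLE_INTERNAL):
        decision, _ = label(raw)
        print(decision)
```

These header checks are cheap heuristics that complement, rather than replace, SPF, DKIM and DMARC verification at the mail gateway.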
3.3.4 Training
Even after instilling knowledge in the employees through the simulation experience, it is still expected that some phishing will get through their cyber defences or those of the organizations they belong to. According to Martinez (2019), user awareness is the first line of defence against phishing. To achieve it, consistently training the employees to understand phishing risks and what phishing looks like would be the best possible way.
● Introduce learning courses that are relevant to the risks found in the previous phases
● Come up with scenarios of actual phishing attacks
● Use relatable examples to properly train and educate each employee
The following guidelines, consisting of dos and don'ts, were presented according to Martinez (2019).
Dos:
● Think before you click
● Check email provenance
● Check email context
● Be careful of disappearing emails
● Report suspicious emails
Don’ts:
● Ignore security warnings
● Open unexpected attachments
● Click unexpected URL
● Enter passwords from URLs in emails
● Use work email for personal purpose
3.3.5 GoPhish

Figure 7. Dashboard Sample from GoPhish as of June 2021


GoPhish is an open-source software supported by ten programmers and
professionals as legitimate contributors (Yildirim, 2019). The researchers decided to
choose this particular software as the simulation tool for the phishing simulation because
of its reliability, flexibility, and functionality. The same simulator was used in the study
led by Luse and Burkman, where they implemented a real-world phishing exercise. The
previously mentioned researchers included in their discussion that training and education
should be largely influenced by having the target population or participants recognize the
characteristics of different kinds of phishing emails (Luse & Burkman, 2021).

3.3.5.1 Functionality
The simulator provides an overall view of the phishing attack. Figure 5
provides the dashboard of the simulator where it displays the result of a certain
phishing campaign. Aside from displaying the percentage and statistics of the
numbers of employees who received, opened, clicked links, and submitted data
from the phishing emails, the researchers may also track the timeline of activity
for each participant or recipient involved, such as timestamps for each activity
(Wallen, 2020).

3.3.5.2 Flexibility
The simulator offers a customizable tool to compose emails, which greatly
helped the researchers compose different types of phishing emails. The simulator
also supports releasing a campaign in batches of recipients, a safe landing site
linked from the emails, URL customization, etc. (Wallen, 2020).

3.3.6 Phishing Attack Simulation


According to Martinez (2019), a phishing simulation attack would consist of its
most common type, the deceptive phishing attack. According to Bisson (2020), it is the
phase where fraudsters will impersonate legitimate companies in a situation where they
attempt to steal people’s personal data or login credentials. Basset (2019) highlighted the
common techniques used in the phishing attack simulation:
● Include modified links from various known organizations
● Redirects and shortened links are encouraged
● Modified brand or organization logo
● Verify account information from various organizations
● Re-enter information such as login credentials, including passwords
● Requesting payment credentials
● Come up with minimal email content; graphical contents are effective as
well
The researchers came up with modified phishing emails from the phishing attack
simulator, GoPhish, with the mentioned techniques provided by Basset (2019). The
phishing attack was expected to consume four weeks, and the results were identified as
well within the specified time frame.

3.3.7 Phishing Attack Simulation Timeline


Table 1 is a Gantt-style chart whose columns are the calendar days from November 7 to
December 5. Each row is one campaign template, listed in the order the campaigns were
run:

iLandbank, Gramarly, Shoopee, Waowaowin, iHotel, Gaysano, Laazada, Robinsuns

Table 1. Phishing Attack Simulation Timeline


The researchers sent different emails within the four-week period every Sunday
and Wednesday. Each email created was based on popular brands or niches and was
distinct from each other. The researchers limited the emails sent per week for participants
to avoid receiving simulated phishing emails frequently.
A study by researchers from Google, PayPal, Samsung, and Arizona State
University revealed that the first 21 hours of a phishing campaign was deemed as the
most critical. Within this period, the researchers were able to track, capture, and identify
essential elements that greatly impact the study’s success. In a year, more than 7.42%
(356,160) of 4.8 million victims gave out credentials and engaged in a fraudulent
transaction. As phishing schemes continue to stay rampant, it was concluded that it takes
an average of 21 hours before a campaign is shut down (Oest et al., 2020). The
researchers adapted the previously mentioned study in regards to the duration of each
phishing campaign. Then taking the first limitation of this study into consideration, the
researchers extended each phishing campaign by 51 hours, making a total of 72 hours or
3 days per campaign.

3.4 Cronbach’s Alpha Test


The researchers designed the items in the survey form to introduce similar
statements, so that measurement is consistent between them and the results are
reliable and transparent. Statistical Consulting at the Institute for Digital Research
and Education (n.d.) states that the purpose of this statistical analysis method is to
test the internal consistency of each set of items in a survey form, which shows how
closely related the statements are in terms of construction and results.
Figure 8. Cronbach’s Alpha test formula.
The researchers derived the equation specifically from the study of Lestari et al.
(2019) since it aims to scale multilevel data, the same way this study was aiming for as
well. Additionally, the way Lestari et al. elaborated on the use of the formula guaranteed
the researchers that it was fine to adapt because it provides guides and explanations.

No. | Coefficient of Cronbach's Alpha | Reliability Level
1   | More than 0.90                  | Excellent
2   | 0.80-0.89                       | Good
3   | 0.70-0.79                       | Acceptable
4   | 0.6-0.69                        | Questionable
5   | 0.5-0.59                        | Poor
6   | Less than 0.59                  | Unacceptable

Figure 9. Cronbach’s Alpha test results range.


The researchers derived the range from the study of Arof et al. (2018).
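The computation behind Figures 8 and 9, as an added example that is not part of the thesis: Cronbach's alpha over a block of Likert items, with the Figure 9 reliability bands applied to the result. The responses, the 3/2/1 coding of Agree/Neutral/Disagree and the choice of which item is negatively worded are constructed for the example.

```python
"""Cronbach's alpha for a block of Likert-scale survey items, with the
reliability bands the thesis takes from Arof et al. (2018) (Figure 9).
Added example on constructed responses; not the thesis data."""
from statistics import variance

# Reliability bands (Figure 9), checked from the top down. The thesis reports
# alpha to two decimals, so "more than 0.90" is applied here as alpha >= 0.90.
RELIABILITY_LEVELS = (
    (0.90, "Excellent"),
    (0.80, "Good"),
    (0.70, "Acceptable"),
    (0.60, "Questionable"),
    (0.50, "Poor"),
)

# Agree/Neutral/Disagree coded as 3/2/1 (assumed coding for this example).
SCALE_MIN, SCALE_MAX = 1, 3


def reliability_level(alpha):
    """Map an alpha value to its Figure 9 label."""
    for lower, label in RELIABILITY_LEVELS:
        if alpha >= lower:
            return label
    return "Unacceptable"


def reverse_score(value):
    """Flip an item worded in the opposite direction (e.g. "I click any URL
    from the email sent to me"), so a higher score always means the safer answer."""
    return SCALE_MIN + SCALE_MAX - value


def cronbach_alpha(responses, reverse_items=()):
    """responses: one list of item scores per respondent (all the same length).
    reverse_items: indices of negatively worded items to reverse-score first.
    alpha = k/(k-1) * (1 - sum(item variances) / variance(total scores))."""
    k = len(responses[0])
    if k < 2 or len(responses) < 2:
        raise ValueError("need at least two items and two respondents")
    scored = [
        [reverse_score(v) if i in reverse_items else v for i, v in enumerate(row)]
        for row in responses
    ]
    item_variances = [variance(column) for column in zip(*scored)]
    total_variance = variance([sum(row) for row in scored])
    if total_variance == 0:
        raise ValueError("every respondent has the same total score")
    return (k / (k - 1)) * (1 - sum(item_variances) / total_variance)


# Constructed responses: 5 respondents x 4 items. Items 1-3 are worded so that
# Agree (3) is the safe answer; item 4 is worded the other way round, like
# "I click any URL from the email sent to me", where Disagree (1) is safe.
SAMPLE_RESPONSES = [
    [3, 3, 2, 1],
    [1, 2, 1, 3],
    [2, 2, 2, 1],
    [3, 2, 3, 2],
    [1, 1, 2, 3],
]
NEGATIVELY_WORDED = (3,)  # zero-based index of item 4


def analyse(responses, reverse_items=()):
    """Return (alpha, reliability label) for one block of statements."""
    alpha = cronbach_alpha(responses, reverse_items)
    return alpha, reliability_level(alpha)


if __name__ == "__main__":
    raw = analyse(SAMPLE_RESPONSES)
    fixed = analyse(SAMPLE_RESPONSES, NEGATIVELY_WORDED)
    # A negative alpha is the tell-tale sign of an item coded in the wrong direction.
    print(f"without reverse-scoring item 4: alpha={raw[0]:.2f} ({raw[1]})")
    print(f"with reverse-scoring item 4:    alpha={fixed[0]:.2f} ({fixed[1]})")
```

Running it on the constructed block gives a negative alpha until the negatively worded item is reverse-scored, which is the check to run before reading a low coefficient as a badly constructed set of statements.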

3.5 Survey Score Analysis


The researchers adapted the National Center of Incident Readiness and Strategy for
Cybersecurity's method of result analysis for business information security diagnostic sheets
(NISC, 2014), which is also used by the DICT for its cybersecurity awareness campaign. The NISC
information security diagnostic sheet is designed not only to measure but also to inform each
individual about how to protect themselves from information security vulnerabilities.
Participants will know what steps they need to take to improve, or to reduce the number and
severity of risks, based on the score range shown in Figure 10.
Score (%) | Indication
100% | Excellent. Employees' actions or responses are perfectly acceptable. However, there is still a need for continuous improvement. Thus, the organization should consider constantly improving employees' skills and knowledge, as cybercriminals are always improving their methods of attack.
70% - 99% | Satisfactory. The majority of employees' actions and responses are considered satisfactory. However, due to a few unsafe practices, a security breach could still happen. Thus, it's critical to address any remaining risky personnel behaviors before a security breach occurs.
50% - 69% | Somewhat satisfactory. Employees are not mindful enough about their actions or responses. Thus, an action should be taken to address employees' risky behavior.
49% and below | Unsatisfactory. Employees' actions or responses are unsatisfactory. Therefore, these items with unsatisfactory results should be highlighted in order to provide answers to what needs to be done to reduce risks.

Figure 10: Survey Score Range and Indications for Correct Response
CHAPTER 4

RESULTS AND DISCUSSION


The researchers elaborate the possible implications and interpretations of the data gathered
in this chapter. Results are carefully explained along with supporting academic sources. Visual
representations and figures are provided to highlight trends and changes in the data. These
findings serve as the basis for the researchers' recommendations and for the materials provided
for organizational improvement.

4.1 Survey Form Results


There were 5 sets of statements in the survey form. Each of them had 10 statements that
were grouped according to relevant cybersecurity or phishing knowledge and skills.
● The introductory part was about the respondents' personal information, including
their emails. This helped the researchers determine their age, which was used to
compare data, and their email account, which was essential for the phishing
simulation.

● The first set of statements was about the respondents' perception of their
awareness of cybersecurity and phishing scams. This introduced them to the
overall context of phishing attacks.

● The second set of statements concerns how respondents would behave in a
phishing attack encounter. The statements were mostly possible situations in which
they fall for phishing attacks, and they measure the respondents' behavior.

● The third set of statements tests their knowledge of the possible consequences
if they fall for phishing attacks. This part gives them an overview of the
aftermath of phishing attacks and measures their behavior and response as well.

● The fourth set of statements was about their immediate responses after
encountering activities related to phishing attacks. The statements in this part
present possible actions or responses for avoiding falling victim. This measures how
they keep themselves safe when encountering such misconduct.

● The last set of statements tests their familiarity with real examples of phishing
attacks, links, and attachments. Most of the figures included in this part were
relatable and obvious; it measured their ability to identify phishing attacks.
The complete copy of the survey form can be accessed in Appendix A.
4.1.1 Respondents' Self-Perception of Their Cybersecurity Awareness and Phishing
Scams
The first set of statements reflects the awareness of the respondents about
cybersecurity and phishing scams. This introduced the whole context of the survey forms.
Awareness on cybersecurity and phishing scams

No. | Statement | Agree (%) | Neutral (%) | Disagree (%)
S1 | I am aware of the term cybersecurity and its application towards myself and others. | 73% | 20% | 7%
S2 | I am confident I can identify suspicious activities on the internet and files such as virus, malware, spyware, adware, and phishing. | 52% | 37% | 11%
S3 | I have known and used several software programs that protect me from getting cyber attacked. | 59% | 27% | 14%
S4 | I am confident that I will never be a victim of being scammed or preyed on online. | 52% | 33% | 15%
S5 | I am aware of the phishing scam happening on the internet. | 72% | 18% | 10%

Table 3. Distribution of Data Frequency on Respondent’s Responses


Table 3 presents the results of the respondents' self-perceptions of their
cybersecurity and phishing scam awareness. On both S1 and S5, a significant
number of respondents claimed that they were familiar with the term and
applications of cybersecurity and with the phishing scams that happen on the
internet. The remaining three statements, S2, S3, and S4, all of which were
connected to phishing scams, received barely satisfactory responses. Results show
that employees are aware of cybersecurity and of some existing cyber threats such
as phishing. However, only 52% are confident that they can identify suspicious
activities and never be a victim of an online scam. Thus, it can be concluded that
employees are aware of cybersecurity and phishing, but they are not confident that
they have the ability to protect themselves from the threats, especially phishing.
4.1.2 Respondent’s Response to the Possible Phishing Emails
For the second set of statements, the overall context was the respondents’
response to possible phishing emails received based on personal experiences. These statements
helped researchers know how respondents behave when encountering possible phishing attacks.
Response to the Email Received

No. | Statement | Likely (%) | Neutral (%) | Unlikely (%)
S1 | I can identify a phishing email or a social engineering attack. | 16% | 35% | 48%
S2 | I click any URL from the email sent to me from known and unknown organizations. | 12% | 42% | 47%
S3 | I sign up for any registration forms attached in the email. | 11% | 39% | 50%
S4 | I open attachments sent from unknown people or organizations. | 15% | 18% | 68%
S5 | I entertain emails sent to me daily. | 34% | 20% | 46%
S6 | I choose to agree with the conditions coming from emails that use my personal information. | 9% | 35% | 56%
S7 | I am willing to share the good news attached in an email to others. | 17% | 42% | 41%
S8 | Opening emails because the subject line caught my attention. | 17% | 44% | 39%
S9 | Opening emails because a known sender sent me one. | 47% | 15% | 38%
S10 | Willing to reply to each email received from an unknown sender. | 20% | 17% | 63%

Table 4. Distribution of Data Frequency on Respondent’s Responses


Table 4 presents the results of the respondents' responses to possible
phishing emails. Results show that S3, S4, S6, and S10 have somewhat satisfactory
correct responses, while all remaining statements produce unsatisfactory
responses. All statements relate to employees' confidence in identifying
phishing emails and to actions that show whether they are vigilant about the emails
they receive. In addition, since no item obtained a score greater than 69%, it is
reasonable to assume that employees are not cautious enough with what they do
or how they respond to emails from known and unknown senders. It is important
to keep in mind that the respondents are government employees who frequently
have to respond to public inquiries. Therefore, it is critical for employees to
be thorough with each email they receive and to be able to identify whether email
attachments are safe.

4.1.3 Respondent’s Knowledge of the Harmful Effects of Phishing on Victims


The third set of statements tests the respondents’ familiarity with the aftermath
when encountering phishing attacks over the internet. This section included situations
that were commonly observed during phishing attacks.

Knowledge on the effects of phishing on victims

No. | Statement | Agree (%) | Neutral (%) | Disagree (%)
S1 | A phishing attack would steal my personal information without any permission. | 61% | 26% | 13%
S2 | Phishing attacks would invade my privacy. | 60% | 19% | 21%
S3 | When exposed to phishing emails, it will be dangerous for the contents inside the gadget used. | 66% | 22% | 12%
S4 | Referring to the previous question, it is risky to use the gadget again. | 55% | 39% | 6%
S5 | Phishing attacks will bring me more threats after participating in malicious content such as emails, surveys, and URLs. | 79% | 14% | 7%
S6 | The antivirus programs are displaying suspicious activities from my gadget. | 49% | 43% | 8%

Table 5. Distribution of Data Frequency on Respondent’s Responses


Table 5 displays the results of the respondents' self-perception of
phishing's detrimental effects on victims, with all statements indicating somewhat
satisfactory responses except for S5. It shows that not more than 69% know the
risks and negative consequences of phishing for its victims, while 21% believe
phishing attacks will not compromise their privacy. Overall, results show that
employees are aware that phishing attacks will lead to more threats. However,
they are not quite aware of the specific risks that phishing poses. Consequently, it is
reasonable to presume that these individuals are not well-versed in the threats of
phishing.
4.1.4 Respondent’s Immediate Response During Phishing Attack
The fourth set of statements includes mitigating decisions and situations during or
after encountering phishing attacks. This section tested the respondent’s survival
responses.
Response during possible phishing attack

No. | Item | Agree | Neutral | Disagree
S1 | I can identify an authentic email from fake and suspicious ones. | 52% | 35% | 13%
S2 | I download any attachments immediately after reading the email sent by known and unknown senders. | 25% | 31% | 44%
S3 | I screenshot any suspicious activities after opening the unknown email and clicking any URL. | 45% | 45% | 11%
S4 | I immediately delete or hide emails that are suspicious. | 47% | 38% | 15%
S5 | I report malicious emails and surveys requesting personal and sensitive information. | 48% | 45% | 7%
S6 | I immediately open and run an antivirus program after opening a link that contains suspicious content. | 65% | 29% | 5%
S7 | I immediately close any redirected links in the browser after clicking unknown attachments or URLs. | 50% | 43% | 7%

Table 6. Distribution of Data Frequency on Respondent’s Responses


Table 6 presents the results of the respondents' behavior during phishing
attacks. Among the best practices to follow after receiving malicious emails and
attachments, statements S2, S3, S4, and S5 did not produce satisfactory results. Less
than half of the respondents claimed to record, report and immediately delete malicious
emails and attachments. In addition, only 44% claimed that they do not download
attachments sent by known or unknown senders after reading (S2). The remaining
statements, S1, S6 and S7, produce somewhat satisfactory responses. Overall, the
findings show that even when respondents follow some best practices to avoid being
phished, they still engage in risky activities, such as opening and downloading
suspicious files, which puts them at risk.
4.1.5 Procedural Knowledge
The last set of statements were real-life copies of phishing emails, websites, links,
and other images. This tested the respondent’s familiarity with phishing using real
instruments.

Procedural Knowledge

No. | Statement | Agree | Neutral | Disagree
S1 | I can verify that the link below is safe: http://www.facebook.com/nestlecream.ph | 75% | 14% | 11%
S2 | I can verify that the email below is safe: [image not reproduced in the text] | 29% | 42% | 29%
S3 | I can verify that the link below is safe: https://www.microsoftpro.com/en-ph/windows11/ | 54% | 38% | 8%
S4 | I can verify that the attachment below is safe: [image not reproduced in the text] | 42% | 35% | 23%
S5 | I can verify that the attachment below is safe: [image not reproduced in the text] | 52% | 31% | 18%

Table 7. Distribution of Data Frequency on Respondent’s Responses


Table 7 presents the results of the respondents' ability to recognize the
authenticity of presented contents. It shows the highest percentage from all
statements was on S1 where 75.38% of the respondents agreed that the link
provided was safe. On the other hand, the lowest percentage was on S3, with only
8% disagreeing that the link is safe. It also shows that on S2, S3, S4 and S5 more
than 30% were uncertain whether the content presented was safe. This could
indicate that these respondents have a weak ability when it comes to verifying
whether the link or attachment is safe. Thus, these individuals are susceptible to
phishing.

4.1.6 Cronbach’s Alpha Result

Table No. | Cronbach’s Alpha Result | Reliability Level
1 | 0.79 | Acceptable
2 | 0.70 | Acceptable
3 | 0.78 | Acceptable
4 | 0.87 | Good
5 | 0.76 | Acceptable

Table 8. Cronbach’s Alpha Survey Form Results


Based on Figure 11, the survey form evaluated using Cronbach’s Alpha
garnered positive results: all 5 sets of the survey form were at an acceptable
reliability level or better, and one of them had a good reliability level (0.87),
which was significantly higher than the others.
4.2 Simulation results
The researchers conducted a phishing attack simulation on the relevant
respondents in order to measure their knowledge about cybersecurity, not just at the
conceptual level but also in practice. Using the GoPhish software, the researchers were
able to utilize its functionalities in order to deliver a functional simulation by deploying
authentic copies of email in order to achieve genuine results, which was very important in
determining and assessing the respondent’s knowledge about cybersecurity in real life.
The researchers incorporated other essential elements in order to create a
functional phishing attack simulation. Each component of the simulation has its own set
of capabilities. The following were the elements gathered together by the researchers in
conducting the phishing attack simulation:
● Email Contents and Attachments
● Landing Pages
● URL Listener Site
● Sending Profiles
● Recipients (Email Addresses of the Employees)
Also, with these elements, the researchers initially determined the responses of
the respondents to the deployed phishing emails. These responses were treated as
valuable in the latter part of the study as a factor in determining the respondent’s
knowledge and skills about cybersecurity and phishing.

4.2.1 Email contents and attachments


The researchers selected the email type, contents and attachments as the
only variables needed to determine the results. The set of email types and
attachments is shown in the table below.

Email type and contents | Number of Emails Sent
Laazada | 130
Shoopee | 130
Gramarly | 130
iLandbank | 130
Waowowin | 130
iHotel | 130
Gaysano | 130
Robinsuns | 130
Total Number of Emails Sent | 1040

Table 9. Email Contents and Attachments


Based on the table shown above, the researchers sent 8 different types of
emails to the recipients. Each of the emails has its corresponding amount of total
recipients, which were 130 people, accumulating a total number of 1040 emails
sent within 4 weeks.

Phishing Simulation Period | Week 1 | Week 1 | Week 2 | Week 2 | Week 3 | Week 3 | Week 4 | Week 4 | Total
Date of Email Sent | Nov. 7 | Nov. 10 | Nov. 14 | Nov. 17 | Nov. 21 | Nov. 24 | Nov. 28 | Dec. 1 |
Email Template | iLandbank | Gramarly | Shoopee | Woawowin | iHotel | Gaysano | Laazada | Robinsuns |
Total Email Sent | 130 | 130 | 130 | 130 | 130 | 130 | 130 | 130 | 1040
Emails Unopened | 50 | 92 | 73 | 71 | 16 | 72 | 111 | 87 | 572
Emails Unopened (% to Total Emails) | 38% | 71% | 56% | 55% | 12% | 55% | 85% | 67% | 55%
Emails Opened | 80 | 38 | 57 | 59 | 114 | 58 | 19 | 43 | 468
Emails Opened (% to Total Emails) | 62% | 29% | 44% | 45% | 88% | 45% | 15% | 33% | 45%
Clicked Links | 8 | 1 | 24 | 11 | 4 | 10 | 3 | 1 | 62
Clicked Links (% to Total Emails) | 6% | 1% | 18% | 8% | 3% | 8% | 2% | 0% | 6%
Submitted Data | 2 | 0 | 0 | 1 | 0 | 2 | 0 | 0 | 5
Submitted Data (% to Total Emails) | 2% | 0% | 0% | 1% | 0% | 2% | 0% | 0% | 0%
Reported Emails | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Reported Emails (% to Total Emails) | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%

Table 10. Phishing Simulation Statistics


Table 10 shows the statistics of the phishing simulation together with the timeline
on which each email template was sent to participants. A total of 130 participants
were constantly exposed to simulated phishing emails over 4 weeks. Based on the
timeline and results, the emails sent in the third week (iHotel and Gaysano) garnered
the highest number of opened emails (172), while the emails sent in the fourth week
(Laazada and Robinsuns) had the lowest number of opened emails (62), indicating that
the subject and contents of the third-week emails caught the attention of participants.
The highest total number of clicked links (35) is in the second week (Shoopee and
Woawowin), and the lowest number of clicked links (4) is in the fourth week (Laazada
and Robinsuns). Furthermore, the emails sent in the first and third weeks garnered
the highest number of submitted data (2 each), and the emails sent in the fourth
week the lowest (0). Although a total of 468 emails were opened, none of the
simulated phishing emails was reported.
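How the per-campaign rows of Table 10 (and the per-recipient timeline the simulator dashboard exposes, section 3.3.5.1) are derived from raw events, as an added example that is not part of the thesis and not GoPhish's own code: a funnel over a constructed event timeline in the shape GoPhish records, with the 72-hour campaign window and the 21-hour critical window from section 3.3.7 applied. Cumulative counting (a data submission also counts as a click and an open) is this example's assumption.

```python
"""Funnel statistics for one simulated phishing campaign, computed from a
per-recipient event timeline in the shape GoPhish records ("Email Sent",
"Email Opened", "Clicked Link", "Submitted Data", "Email Reported").
Added example with constructed events; not the thesis data and not GoPhish's
own code. Counting is cumulative: a recipient who submitted data is also
counted as having clicked and opened (assumed here)."""
from datetime import datetime, timedelta

STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
CAMPAIGN_LENGTH = timedelta(hours=72)   # 3-day campaigns, as in section 3.3.7
CRITICAL_WINDOW = timedelta(hours=21)   # Oest et al. (2020) window the thesis cites

# Constructed timeline: (recipient, event, timestamp). All 10 emails sent at SENT_AT.
SENT_AT = datetime(2021, 11, 7, 8, 0)


def _t(hours):
    return SENT_AT + timedelta(hours=hours)


RECIPIENTS = [f"r{n:02d}" for n in range(1, 11)]
EVENTS = [(r, "Email Sent", SENT_AT) for r in RECIPIENTS] + [
    ("r01", "Email Opened", _t(2)),
    ("r02", "Email Opened", _t(1)),
    ("r02", "Clicked Link", _t(1.2)),      # inside the 21-hour window
    ("r02", "Submitted Data", _t(1.25)),
    ("r03", "Email Opened", _t(26)),
    ("r03", "Clicked Link", _t(30)),       # outside the 21-hour window
    ("r04", "Email Opened", _t(5)),
    ("r05", "Email Opened", _t(50)),
    ("r06", "Email Opened", _t(3)),
    ("r06", "Email Reported", _t(3.1)),    # the only report
    ("r08", "Email Opened", _t(80)),       # after the campaign closed: not counted
]


def furthest_stage(events, sent_at, campaign_length=CAMPAIGN_LENGTH):
    """Furthest funnel stage each recipient reached before the campaign closed."""
    closes = sent_at + campaign_length
    furthest = {}
    for recipient, event, at in events:
        if event not in STAGES or at > closes:
            continue  # reports are counted separately; late events are ignored
        furthest[recipient] = max(furthest.get(recipient, 0), STAGES.index(event))
    return furthest


def pct(part, whole):
    """Whole-number percentage, as in the '% to Total Emails' rows of Table 10."""
    return round(100 * part / whole) if whole else 0


def campaign_stats(events, sent_at, campaign_length=CAMPAIGN_LENGTH,
                   window=CRITICAL_WINDOW):
    """Counts and percentages like the rows of Table 10, plus two defender-side
    numbers: how many openers ignored the link, and how many first clicks fell
    inside the critical window in which a responder still has time to act."""
    closes = sent_at + campaign_length
    furthest = furthest_stage(events, sent_at, campaign_length)
    sent = len(furthest)  # every recipient has an "Email Sent" row
    reached = {stage: sum(1 for s in furthest.values() if s >= i)
               for i, stage in enumerate(STAGES)}
    reported = {r for r, e, at in events if e == "Email Reported" and at <= closes}
    first_click = {}
    for r, e, at in events:
        if e == "Clicked Link" and at <= closes:
            first_click[r] = min(first_click.get(r, at), at)
    opened, clicked = reached["Email Opened"], reached["Clicked Link"]
    return {
        "sent": sent,
        "unopened": sent - opened,
        "opened": opened,
        "clicked": clicked,
        "submitted": reached["Submitted Data"],
        "reported": len(reported),
        "unopened_pct": pct(sent - opened, sent),
        "opened_pct": pct(opened, sent),
        "clicked_pct": pct(clicked, sent),
        "submitted_pct": pct(reached["Submitted Data"], sent),
        "reported_pct": pct(len(reported), sent),
        "ignored_after_open_pct": pct(opened - clicked, opened),
        "clicked_within_window": sum(1 for at in first_click.values()
                                     if at - sent_at <= window),
    }


if __name__ == "__main__":
    for key, value in campaign_stats(EVENTS, SENT_AT).items():
        print(f"{key:>24}: {value}")
```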

4.3 Comparison of Survey Form and Phishing Simulation Result

Regarding the ability of respondents to identify whether the email is safe, the survey
results show that 48% claimed that they can identify a phishing email. However, when they were
asked to identify whether the email presented to them in the survey is safe, only 29% answered
correctly while 42% were undecided. On the other hand, simulation results show that 6 out of 8
email templates were unopened by more than 55% of the respondents. While the remaining 2
email templates that had been opened by more than 60% were then ignored by 90% to 96%.
Although the simulation presented better results compared to the survey, respondents are still at
risk. It could be that respondents would rather ignore the simulated emails since they were
unsure if it was safe. Thus, respondents lack awareness and ability to spot a phishing email.

As for the respondents’ ability to identify the authenticity of attached links, based on the
survey, 47% and 68% stated that they were unlikely to click or open attachments from known
and unknown senders, respectively. In addition, 1 out of 2 presented links in the survey were
correctly identified by more than 70%. Based on the simulation, only 1 out of 8 links were
opened or clicked by more than 15%. Results from the survey and simulation practically
correspond; however, they also show the respondents' lack of ability to identify authentic links
from fake ones. Clicking suspicious links could put them at a lot of risk. Moreover, only 50%
claimed that they were unlikely to sign up for any registration form linked to an email. The
simulation produced better results, with only 2 recorded data submissions from 2 out of 8
simulated emails. However, even a few recorded link clicks and data submissions could still lead
to a high probability of a security and information breach within the organization.

For respondents' ability to counter phishing email, despite the fact that 48% of
respondents said that they report phishing emails requesting personal or sensitive information,
GoPhish records show that no emails have been reported. Reporting suspicious emails is
important for organizations' cybersecurity teams to take immediate preventive measures. Overall,
results prove that respondents do not practice and lack awareness of preventive protocols for
phishing to keep themselves, as well as the organization, secure.

4.4 Visual Interpretations


Based on the data from the previous section of this chapter, the results have been
garnered already from both survey form and phishing attack simulation results. This
section provides perspective and understanding of the data that have been gathered.
Visual and numerical presentations were used in this section as well as other
interpretation methods in the discipline of statistics.
4.4.1 Level of Awareness on Cybersecurity and Phishing Scams

Figure 11. Graph of the respondent’s self-perception to their awareness of cybersecurity and phishing scams
Figure 11 presents respondents' correct (safe), partially correct (partially safe) and
incorrect (unsafe) responses concerning their self-perception of awareness of cybersecurity
and phishing scams. The highest percentage of incorrect or unsafe responses, 15%, concerns
respondents’ confidence that they will never become a victim of phishing; the highest
percentage of partially safe responses, 37%, is on the statement about phishing scams; and
the highest percentage of safe responses, 73%, is on the statement concerning cybersecurity
and its applications. Although all statements produce a high percentage of safe responses,
the overall result is still unsatisfactory due to the number of unsafe and partially safe
responses. Thus, it is reasonable to say that respondents show unsafe responses.
4.4.2 Respondent’s Response to the Possible Phishing Emails

Figure 12. Graph of the respondent’s responses to the possible phishing emails they received
Figure 12 shows the respondents' correct (safe), partially correct (partially
safe) and incorrect (unsafe) responses to the emails they received. The highest
percentage of unsafe responses, 55%, concerns entertaining emails daily; the highest
percentage of partially safe responses, 45%, concerns opening attachments from
unknown people; and the highest percentage of safe responses, 63%, concerns replying
to an unknown sender. All these findings indicate that respondents are unsafe, with
almost all statements showing unsatisfactory responses.
4.4.3 Respondent’s Self-perception of the Harmful Effects of Phishing Attacks

Figure 13. Graph of the respondent’s self-perception of the harmful effects of phishing attacks
Figure 13 presents the respondents' correct (safe), partially correct (partially
safe) and incorrect (unsafe) responses concerning their self-perception of the
detrimental effects of phishing attacks. It shows 79% as the highest percentage of
safe responses, regarding opening or participating in malicious content such as
emails, surveys and links. The highest percentage of incorrect or unsafe responses
is 21%, about phishing attacks as a way to steal personal information without
permission, and the highest percentage of partially safe responses is 43%,
regarding antivirus programs displaying suspicious activities after getting
phished. These findings indicate that a high percentage of respondents are aware
of the implications of falling victim to phishing, but many respondents are still
unsure or unaware of the specific risks that phishing poses.

4.4.4 Respondent’s Immediate Response During Phishing Attack

Figure 14. Graph of the respondent’s immediate response during a phishing attack
Figure 14 shows that all of the statements garnered a higher percentage of
correct responses than incorrect responses. The highest percentage of correct
responses is 64%, on the statement regarding running an antivirus program after
opening a suspicious link. The highest percentage of unsafe responses is 26%,
regarding downloading any attachments from known and unknown senders, and 43% is
the highest percentage of only partially correct or safe responses, regarding
reporting malicious emails and surveys requesting personal and sensitive
information. All these findings indicate that a high percentage of respondents know
how to respond to possible phishing attacks.

4.4.5 Procedural Knowledge

Figure 23. Graph of the respondent’s procedural knowledge responses
Figure 23 shows that out of the five statements, only S1 has a higher
percentage (73%) of correct responses than incorrect responses. While 54% is the
highest percentage of unsafe responses to the fake Microsoft link, and 42% is the
highest percentage for partially safe responses to the presented suspicious email.
All these findings indicate that respondents are unsafe as they fail to verify the
authenticity of given contents.

4.5 Phishing Simulation Result

Figure 16. Graph of the simulation results; derived from GoPhish Results
The graph shows all the relationships of the responses garnered from the phishing
simulation. There were 4 major categories of knowledge in the phishing simulation:
emails opened, clicked links, submitted data, and reported emails. Each of the categories
has the same amount of emails to measure their overall transparency. Each of the
categories and their information were discussed in the following sections.
Figure 18. Percentage of Emails Opened to Total Email Sent; derived from GoPhish

Figure 26 shows that iHotel had the highest percentage of opened emails
(88%), 83% higher than Laazada, which had the lowest percentage of opened
emails (15%). The simulated email template from iHotel offers a free night's stay
at any nearby or local hotel. It is possible that the high number of opened emails
is related to the email's designated location, which is the city where the
participants work. Moreover, the total number of emails that were opened ranged
from 19 to 114 across all 8 kinds of emails.
Figure 19. Percentage of Clicked Links to Total Email Sent; derived from GoPhish
Figure 27 shows that Shoopee had the highest percentage of clicked links
(18%), far higher than Robinsuns, which had the lowest percentage of clicked
links (1%). The Shoopee template is based on Shopee, a well-known online store.
Since Shopee provides a lot of promos to its members, this could be one of the
reasons why so many people clicked on the attached link. Moreover, across all 8
email types, the number of clicked links ranged from 0 to 24.
Figure 20. Percentage of Submitted Data to Total Email Sent; derived from GoPhish
Figure 28 shows that iLandbank and Gaysano tied for the highest
percentage of submitted data (2%), followed by Waowowin (1%). Gaysano
imitates the popular mall (Gaisano Mall), while iLandbank imitates the
well-known bank (Landbank) in Iligan City. These templates, like iHotel, are based
on well-known companies in the city, making them relevant to the targeted
individuals. This could be one of the motivators for participants to provide
information. The Woawowin email template, on the other hand, is based on the
popular television show Wowowin, which is well known for games that reward
winning players with cash. This could be one of the reasons why participants are
susceptible to these kinds of emails.
4.5.1 Laazada

Figure 21. Laazada Email

The content of the email was based on the common unauthorized-access notifications sent
by any app that requires an account to sign in. The researchers customized the email,
resulting in a much more authentic and realistic copy.

4.5.2 Shoopee

Figure 22. Shoopee Email

As with the Laazada email, this template replicated a popular online shopping app,
Shopee. The contents were likewise based on the common unauthorized-access notification
sent by any app that requires an account to sign in. Most of the elements of the email
were altered to give it an authentic feel and make it more realistic.

4.5.3 Gramarly

Grammarly is one of the most common service providers, with a very strong reputation for
reliability as well as for the way it markets its service. In this case, the researchers
created a fake clone of the popular grammar and spelling service. Grammarly sends many
similar advertising emails on a consistent basis, so the researchers decided to produce a
copy by altering only the subject of the email.

Figure 23. Gramarly Email

As with the other emails, 20% was the basis of success in the phishing simulation. The
email was somewhat successful, with an email open rate of 28.46%. The link click rate was
very low, as it gathered only 1 response, a percentage of 2.70%, lower than the success
rate.

4.5.4 iLandbank

Even though common phishing attacks come from banks and other financial organizations,
the researchers also decided to create a phishing email containing personalized
information such as financial transactions, dates, and other sensitive information. For
this, the researchers decided to copy a well-known bank in the country and provide a fake
copy of its name, address, and other information.

Figure 24. iLandbank Email

The researchers consider this simulation the second most successful one. The responses
show that when it comes to financial matters, people were willing to share personal
information. The email had a 53.85% rate of emails opened, higher than the success rate;
a 10% clicked-link rate, lower than the success rate but still with an impact on the
population; and a submitted-data rate of 1.54%, indicating that even though it was lower
than the success rate, it still managed to trick respondents.

4.5.5 Waowowin

The TV show's presence on the internet has been observed recently, following the
program's recent launch online. One of the most common pieces of information from the
show is that it looks for players to join a segment. The researchers created a fake clone
of the popular TV game show, with an invitation email for recipients to play on the show
for a money prize. The email garnered a total of 59 opened emails, 11 clicked links, and
1 submitted data. However, the respondents failed to report the email, giving a 0% report
rate.

Figure 25. Waowowin Email

This simulation was considered the second least successful email, since the responses
were very low. An emails-opened rate of 8.46% and a clicked-link rate of 9.09% were both
lower than half of the passing rate. It is possible that the failure was due to
respondents not being enticed by the content of the email.

4.5.6 iHotel

Hotel stay-in promos are an uncommon type of phishing scam, yet this template garnered
the highest email opening rate and links clicked rate. The email contains convincing
statements such as an exclusive, selected-winners-only invitation. It was a simple
plain-text email, but it garnered a total of 114 opened emails and 4 clicked links.
However, the respondents failed to report the email, giving a 0% report rate.

Figure 26. iHotel Email

An 88% rate of emails opened was more than enough when compared with the success rate.
The impact was very high, as it generated a 3.51% link-clicked rate. The most common
feedback from the respondents was that the booking was suspicious; however, they still
opened the emails. This clearly shows that they were tricked not just by the subject of
the email but by its contents as well.
4.5.7 Gaysano and Robinsuns

Figure 27. Gaysano Email

Gift cards are a common type of giveaway from various known malls and shops. The
researchers created imitations of the popular mall chains in Iligan City: Robinsons Mall
and Gaisano. The contents of the emails include redeemable gift point cards. The first
email garnered 58 opened emails, 10 clicked links, and 2 submitted data. The second,
however, garnered only 58 opened emails. There was a significant reason why they have a
large gap in the results. However, the respondents failed to report the emails, giving a
0% report rate.

Figure 28. Robinsuns Email

The first email sent to the respondents yielded a total email open rate of 44.62%,
higher than the success rate. It also had a 17.24% link click rate, high enough to
surpass the success rate, and a 1.54% data submitted rate. Even though it garnered a low
rate in the submitted-data category, it was still one of the most successful emails
across the three categories, the same as iLandbank. As with iLandbank, the explanation is
that people become too serious when it comes to financial topics, ignoring whether the
email is legitimate or not.
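
The four categories and the rate convention used in the figures of this section (opened and submitted data over emails sent, clicks over emails opened, each judged against the 20% basis of success) can be reproduced from per-recipient campaign results. The following Python is an added example, not code from the thesis or from GoPhish; the status strings are modelled on GoPhish's result statuses but are an assumption here, and the 130-recipient data is constructed.

```python
"""Scorecard for a GoPhish-style phishing simulation campaign.

Added example, not code from the thesis or from GoPhish. It derives the four
categories used in chapter 4 (emails opened, clicked links, submitted data,
reported emails) from per-recipient result records and applies the rate
convention of Figures 18-20: opened and submitted rates are taken over
emails sent, the click rate over emails opened. Field and status names are
modelled on GoPhish's result export but are an assumption here.
"""
from collections import Counter
from typing import Dict, List

# Furthest stage a recipient reached, in funnel order (assumed GoPhish names).
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
SUCCESS_THRESHOLD = 20.0  # percent; the basis of success used in section 4.5


def constructed_results(total: int = 130) -> List[Dict]:
    """Constructed sample campaign (not real data): 2 submitted data, 8 more
    clicked, 48 more only opened, the rest only received; nobody reported."""
    rows = []
    for i in range(total):
        if i < 2:
            status = "Submitted Data"
        elif i < 10:
            status = "Clicked Link"
        elif i < 58:
            status = "Email Opened"
        else:
            status = "Email Sent"
        rows.append({"email": f"user{i}@example.invalid",
                     "status": status, "reported": False})
    return rows


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to two decimals; 0.0 when the denominator is zero."""
    return round(100.0 * numerator / denominator, 2) if denominator else 0.0


def scorecard(results: List[Dict]) -> Dict[str, float]:
    """Counts and rates for one campaign.

    A recipient who submitted data necessarily opened the mail and clicked
    the link, so each count includes every later funnel stage.
    """
    sent = len(results)
    furthest = Counter(r["status"] for r in results)
    opened = sum(furthest[s] for s in FUNNEL[1:])
    clicked = sum(furthest[s] for s in FUNNEL[2:])
    submitted = furthest["Submitted Data"]
    # Reporting is tracked apart from the funnel: a recipient may report the
    # mail whether or not they opened it.
    reported = sum(1 for r in results if r.get("reported"))
    return {
        "sent": sent, "opened": opened, "clicked": clicked,
        "submitted": submitted, "reported": reported,
        "opened_rate": pct(opened, sent),
        "click_rate": pct(clicked, opened),
        "submitted_rate": pct(submitted, sent),
        "report_rate": pct(reported, sent),
    }


def assess(card: Dict[str, float], threshold: float = SUCCESS_THRESHOLD) -> List[str]:
    """Findings a trainer would act on: which rates reached the success
    threshold (the template worked on this audience) and whether the
    reporting procedure is being used at all."""
    findings = []
    for key in ("opened_rate", "click_rate", "submitted_rate"):
        if card[key] >= threshold:
            findings.append(f"{key} of {card[key]}% reached the {threshold}% threshold")
    if card["reported"] == 0:
        findings.append("0 reported emails: reporting procedure needs training")
    return findings


if __name__ == "__main__":
    card = scorecard(constructed_results())
    for name, value in card.items():
        print(f"{name:>15}: {value}")
    for finding in assess(card):
        print("finding:", finding)
```

With the constructed data the scorecard reproduces the Gaysano figures of this section (44.62% opened, 17.24% clicked, 1.54% submitted) and raises the zero-report finding.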

4.6 Training Design

I. Identifying information

A. Event Title: “Think Before You Click/Don’t Take the Bait” A Phishing
Awareness Symposium to Improve Cybersecurity Knowledge
B. Venue:

C. Proponent: Hon. Jesse Ray N. Balanay

D. Participants: Sangguniang Panlungsod Employees

E. Resource Person: Department of Information and Communications Technology

F. Total: 130 participants

G. Duration: 1 Hour

II. Rationale:

Given the rising number of phishing attempts over the years, the tactics for collecting an
individual's information are also changing; as a result, sensitive information about
individuals may be endangered, especially in government entities. Employees of Iligan
City's Sangguniang Panlungsod, in particular, have an unmeasured level of cybersecurity
awareness and must be assessed to identify what to focus on in cybersecurity training and
to efficiently improve their digital habits.

The results from the survey and phishing simulation showed that many respondents cannot
identify a phishing email without opening it: a total of 406 out of 468 opened emails were
ignored after being opened. Even though the simulated emails were disregarded, the
participants did not take the time to report them. The zero number of emails reported also
implies that the participants are unaware of, or have not practiced, the appropriate
response to phishing emails.

Implementing new protocols for work and introducing the learning courses prepared by the
researchers will help strengthen and build the employees' skills to counter phishing. To
achieve this, a monthly phishing simulation should be held to constantly expose employees
to timely and varied forms of phishing.

III. Objectives:

The training design provided by the researchers in partnership with the office of the
Sangguniang Panlungsod of Iligan City, spearheaded by Hon. Jake N. Balanay and entitled
“Think Before You Click/Don’t Take the Bait”, aims to:

1. Introduce the concept and definition of cybersecurity;
2. Introduce phishing as the most common cybercrime during the pandemic in the
Philippines and elaborate on its different approaches;
3. Provide real-life examples of phishing attacks in the Philippines;
4. Display phishing simulation results and the interpretation of the respondents’ behavior;
5. Present protocols through guidelines and practices, and recommend immediate responses
when dealing with phishing attacks.

IV. Methodology: The modes of delivery included in this training program are
provided below:

Topic 1: Introduction to Cybersecurity
Duration: 12 minutes
Resource Person: Department of Information and Communications Technology
Target Issues Aiming to Address:
• Government plans to improve cybersecurity awareness
• Pros and cons of cybersecurity

Topic 2: Introduction to Phishing and Why It's Rampant
Duration: 12 minutes
Resource Person: Department of Information and Communications Technology
Target Issues Aiming to Address:
• Types of phishing scams happening on the internet in the local setting
• Rampant phishing scams through text messaging and the internet; the reasons behind
them and their targets
• Common format of a phishing email: clickable links, attachments, headers, etc., and
how to identify them
• Authorities that handle phishing-related issues
• Relatedness to social engineering
• Lower knowledge base of the general public regarding phishing attacks and other
cybersecurity issues

Topic 3: Phishing Examples in the Philippines
Duration: 12 minutes
Resource Person: Department of Information and Communications Technology
Target Issues Aiming to Address:
• Different real-life phishing incidents in the country, ranging from local residents,
businesses and governments to universities, private and large companies

Topic 4: Presentation of the Phishing Simulation Results
Duration: 12 minutes
Resource Person: Department of Information and Communications Technology
Target Issues Aiming to Address:
• Negative behavior when dealing with phishing emails
• Survey responses do not reflect the same response in the phishing simulation
• High rate of opening emails and no report rate
• Low chances of identifying secured links from fake ones

Topic 5: Demonstrate Proper Responses to Phishing Attacks and Present Guidelines
Duration: 12 minutes
Resource Person: Department of Information and Communications Technology
Target Issues Aiming to Address:
• What to do before, during, and after receiving phishing emails
• Immediate actions and solutions to take if victimized
• Proper ways to use your devices and protect yourself from violators
• Know when and how to respond to random messages, emails, or people online
• Determine which apps and platforms available on the internet contain malicious
contents that will eventually put your personal information at risk

4.7 General Discussion

Employees of Sangguniang Panlungsod can be at risk, according to both survey and phishing
attack simulation data. The average number of emails opened (59), clicked links (8),
submitted data (1), and reported emails (0) throughout the phishing simulation period
implies that employees within the Sangguniang Panlungsod could still fall victim to a
phishing attack. These results correlate with the survey results that assess employees'
level of awareness of cybersecurity and response to phishing attacks. Additionally, even
though only a few respondents clicked links and submitted data, the fact that there were
zero reported emails indicates that employees need training to properly respond to a
possible phishing attack. Early reporting assists authorities in taking preventative
measures to safeguard the organization’s information (Yeoh, 2021).

Two simulated email templates drew the attention of the majority of the employees, with
80 to 114 participants opening these emails. Based on the findings, the researchers
conclude that the content of these two email templates was relevant to the targeted
individuals. With this, the researchers agree with Furnell (2017), Yeoh (2021) and
Vishwanath et al. (2019) that the email templates used for a phishing simulation should
be authentic and customized enough to catch the attention of the target individuals or
groups, especially those who are highly educated. Furthermore, the iLandbank simulated
email template, one of the templates that garnered the highest number of opened emails,
proves Greene's (2018) statement: because the researchers imitated the well-known
government-owned bank in the Philippines, the template aligned with the target
individuals' experience and knowledge as government employees, resulting in a successful
phishing susceptibility test.

As employees were constantly exposed to simulated phishing email templates, the results
for opened emails, clicked links and submitted data showed a downward trend, indicating
that employees were getting better at identifying simulated phishing emails, even though
the researchers used and sent different email templates each week. This agrees with the
study of Gordon et al. (2019), which found that frequent phishing simulation attempts
help employees become more aware of the indicators of malicious emails.

The results of this study call for urgent measures among the employees under the
Sangguniang Panlungsod. The capacity of the respondents to overlook the survey statements
suggests that they were unprepared for cybersecurity training. Thus, the results of the
survey have a huge impact on the phishing simulation. Since there were high numbers of
negative responses in the phishing simulation results, necessary training and education
should be provided as soon as possible to lessen possible issues. According to Yeoh et
al. (2021), their simulated emails did not generate enough reports, leading those
researchers to conclude that there may be additional ways to enhance the low report rate.
Accordingly, the researchers followed the same procedure, which was to include and
encourage reporting of suspicious emails. To proceed, the researchers provided learning
courses and training through phishing simulations, as stated in the last chapter.
CHAPTER 5
CONCLUSION AND RECOMMENDATION

5.1 Conclusion
● How aware are the employees of cybersecurity and phishing schemes?
According to the survey findings, employees are generally aware of cybersecurity and
specific cyber threats. However, just 52% feel confident in their ability to detect
suspicious activity and avoid being a victim of online fraud. Employees are conscious of
the risks, but they are not confident in their abilities to protect themselves against
cybersecurity attacks, particularly phishing.
● How do the employees behave when encountering a possible phishing attack?
All survey statements in Table 4 concern employees' confidence in detecting phishing
emails and behaviors that demonstrate whether they are careful about the emails they
receive. Because no item scored higher than 69 percent, it is plausible to believe that
employees are not being cautious in what they do or how they reply to emails from known
and unknown senders. Finally, it is crucial to remember that the respondents are
government officials routinely called on to answer general questions. As a result, it is
vital for employees to review each email they receive thoroughly and to be able to
determine whether email attachments are secure.
● How aware are the employees of the harmful effects of phishing on its victims?
Survey results demonstrate that 69% of respondents know the hazards and negative
implications for its victims, while 21% say phishing attempts will not jeopardize their
privacy. The findings indicate that employees are aware that phishing attempts will lead
to other concerns. They are, however, unaware of the precise threats that phishing
presents. As a result, it is plausible to assume that these individuals are not
well-versed in the effects of phishing.
● How do the employees react when encountering a phishing attack?
Less than half of the respondents claimed to immediately record, disclose, and delete
fraudulent emails and attachments. Moreover, roughly 44% indicated that they do not
download attachments offered by known or unknown senders after reading the email. The
survey results suggest that even when respondents implement some recommended phishing
preventative measures, they still participate in unsafe actions, such as opening and
downloading suspicious files, putting them at risk.
● How aware are the employees of Iligan City's Sangguniang Panlungsod of phishing
indicators, and how do they respond to simulated phishing emails?
Various forms of phishing attacks have been targeting the employees of the local
government unit in Iligan City. Although upper management has warned employees to be
cautious about who they converse with online, there are still individuals who fall for
phishing. This proves that there is a need to educate government employees in
cybersecurity best practices for users, to lessen the risk associated with cyber security
threats. Thus, there should be effective training and proper assessment for employees to
continuously improve their ability to protect themselves against phishing.
The results from the survey and phishing simulation showed that many respondents cannot
identify a phishing email without opening it: a total of 406 out of 468 opened emails
were ignored after being opened. Even though the simulated emails were disregarded, the
participants did not take the time to report them. The zero number of emails reported
also implies that the participants are unaware of, or have not practiced, the
appropriate response to phishing emails.
Employees' ability to detect phishing emails improved as a result of their regular
exposure to simulated emails, making simulated phishing emails unsuccessful unless the
email template is designed with great attention to its relevance and authenticity to the
target set of individuals. Even though some employees still fell victim to the simulated
emails, the number of victims gradually decreased over the course of the campaign. Thus,
the study proved phishing simulation to be an effective approach for the Sangguniang
Panlungsod of Iligan City to assess and train its employees.

5.2 Recommendation
The introduction of a training design tailored to the simulation results will help
strengthen and build awareness to counter phishing. To achieve this, a monthly phishing
simulation is recommended to constantly expose employees to timely and varied forms of
phishing.
This study has some limitations that provide opportunities for further research. First,
this study focuses only on Iligan City's Sangguniang Panlungsod; hence, future research
can look at other sectors and compare the outcomes. Second, the participants in this study
were mainly accommodating to the general public. Thus, future research could study
different sets of individuals and compare the results.
APPENDIX A

The Sangguniang Panlungsod of LGU Iligan’s take on Cybersecurity

Introduction
Good day! We are third-year students from Mindanao State University – Iligan Institute of
Technology taking up Bachelor of Science in Information Systems. For our research, we are
here to conduct a survey. Your attention, time, effort, and opinions regarding the
assessment of local government units in relation to cybersecurity awareness/risks are
appreciated. Responses, together with the results once determined, will be treated
carefully and kept confidential for academic purposes.

Please write today’s date here: / /

About the Respondent


1. Name
______________________, _______________ _____.
Last Name First Name M.I

2. Email address*

____________________________________________

* The researchers will require an email to confirm your participation.

3. Age
(Check only one)
17 or less
18-25
26-35
34-45
45-55
56-65
66-75
76 and above

Instruction: Please check the box of your desired response to each statement. Kindly
double-check your responses after answering the survey form.

Awareness on Cybersecurity and Phishing Scams
Scale: 1 = Strongly agree, 2 = Agree, 3 = Neutral, 4 = Disagree, 5 = Strongly disagree

S1. I am aware of the term cybersecurity and its application towards myself and others.
S2. I am confident I can identify suspicious activities on the internet and objects such
as virus, malware, spyware, adware, and phishing.
S3. I have known and used several software programs that protect me from getting cyber
attacked.
S4. I am confident that I will never be a victim of being scammed or preyed on online.
S5. I am aware of the phishing scam happening on the internet.

Response to the Email Received
Scale: 1 = Strongly agree, 2 = Agree, 3 = Neutral, 4 = Disagree, 5 = Strongly disagree

S1. I can identify a phishing email or a social engineering attack.
S2. I click any URL from the email sent to me from known and unknown organizations.
S3. I sign up for any registration forms attached in the email.
S4. I open attachments sent from unknown people or organizations.
S5. I entertain emails sent to me daily.
S6. I choose to agree with the conditions coming from emails that use my personal
information.
S7. I am willing to share the good news attached in an email to others.
S8. Opening emails because the subject line caught my attention.
S9. Opening emails because a known sender sent me one.
S10. Willing to reply to each email received from an unknown sender.

Knowledge on the Effects of Phishing Attacks
Scale: 1 = Strongly agree, 2 = Agree, 3 = Neutral, 4 = Disagree, 5 = Strongly disagree

S1. A phishing attack would steal my personal information without any permission.
S2. I am aware that a phishing attack would steal my personal information without
permission.
S3. When exposed to phishing emails, it will be dangerous for the contents inside the
gadget used.
S4. Referring to the previous question, it is risky to use the gadget again.
S5. Phishing attacks will bring me more threats after participating in malicious
contents such as emails, surveys, and URLs.
S6. The antivirus programs are displaying suspicious activities from my gadget.

Response During Possible Phishing Attack
Scale: 1 = Strongly agree, 2 = Agree, 3 = Neutral, 4 = Disagree, 5 = Strongly disagree

S1. I can identify an authentic email from fake and suspicious ones.
S2. I download any attachments immediately after reading the email sent by known or
unknown senders.
S3. I screenshot any suspicious activities after opening the unknown email and clicking
any URL.
S4. I immediately delete or hide emails that are suspicious.
S5. I report malicious emails and surveys requesting personal and sensitive information.
S6. I immediately open and run an antivirus program after opening a link that contains
suspicious content.
S7. I immediately close any redirected links in the browser after clicking unknown
attachments or URLs.

Procedural Knowledge
Scale: 1 = Strongly agree, 2 = Agree, 3 = Neutral, 4 = Disagree, 5 = Strongly disagree

S1. I can verify that the link below is safe:
http://www.msn-verify.com/
S2. I can verify that the email below is safe:
S3. I can verify that the link below is safe:
https://www.microsoft.com/licenserenewal/
S4. I can verify that the attachment below is safe:
S5. I can verify that the attachment below is safe:

All statements are adapted and modified from the studies of Muniandy et al. (2017),
Chandarman & Niekerk (2017), Hakim et al. (2020), and KnowBe4 (2019).
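
For the Procedural Knowledge link items above, the following Python is an added example (not part of the survey or the thesis) of the checks a trainee is taught to apply to a link before trusting it: whether it uses HTTPS and whether the registrable domain actually belongs to the brand named in the link. The brand-to-domain allowlist and the "last two labels" domain rule are simplifying assumptions for illustration.

```python
"""Link inspection for the survey's "I can verify that the link below is
safe" items. Added example, not part of the thesis or survey. It applies the
two checks the training targets: is the link HTTPS, and does the registrable
domain really belong to the brand the host name suggests? BRAND_DOMAINS and
the "last two labels" domain rule are simplifying assumptions; production
code would consult the Public Suffix List instead.
"""
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> domains that brand legitimately uses.
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "microsoft": {"microsoft.com", "msn.com", "live.com"},
    "msn": {"msn.com", "microsoft.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (adequate for .com, not for co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(url: str) -> Dict[str, object]:
    """Return the host, its registrable domain, the warnings raised, and
    whether every brand named in the host is served from that brand's own
    domain. A True result only means the domain matches; it says nothing
    about the page behind the path."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    warnings: List[str] = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if "@" in parts.netloc:
        # Anything before '@' is user info, not the site; the real host
        # is what follows it.
        warnings.append("user info before @ disguises the real host")
    # A brand word in the host but a different registrable domain
    # (www.msn-verify.com -> msn-verify.com) is a lookalike, not the brand.
    claimed = [b for b in BRAND_DOMAINS if b in host.lower()]
    lookalike = [b for b in claimed if domain not in BRAND_DOMAINS[b]]
    for brand in lookalike:
        warnings.append(f"host mentions '{brand}' but domain is {domain}")
    return {
        "host": host,
        "domain": domain,
        "warnings": warnings,
        "brand_domain_matches": bool(claimed) and not lookalike,
    }


if __name__ == "__main__":
    for link in ("http://www.msn-verify.com/",
                 "https://www.microsoft.com/licenserenewal/"):
        print(link, inspect_link(link))
```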


APPENDIX B
APPENDIX C
APPENDIX D
APPENDIX E
REFERENCES

Allen, W. (2016, April 12). Using a theory of change (ToC) to better understand your program. Retrieved June 28, 2021, from https://learningforsustainability.net/post/theory-of-change/

Arof, K. Z. M., Ismail, S., & Saleh, A. L. (2018, July). Contractor’s Performance Appraisal System in the Malaysian Construction Industry: Current Practice, Perception and Understanding. International Journal of Engineering & Technology, 7(3:9), 1-46. https://doi.org/10.14419/ijet.v7i3.9.15272

Basset, R. (2019, March 10). Hello, world! Retrieved June 17, 2021, from https://www.vadesecure.com/en/blog/5-common-phishing-techniques

BetterEvaluation. (2019, January 18). Describe the Theory of Change. Retrieved June 28, 2021, from https://www.betterevaluation.org/en/managers_guide/step_2/describe_theory_of_change

Bisson, D. (2020, October 20). 6 Common Phishing Attacks and How to Protect Against Them. State of Security. Retrieved June 17, 2021, from https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/

Britannica. (2021, July 15). Technology. Retrieved August 17, 2021, from https://www.britannica.com/technology/technology

Bruijn, H. D., & Janssen, M. (2017). Building Cybersecurity Awareness: The need for evidence-based framing strategies. Government Information Quarterly, 34(1), 1–7. https://doi.org/10.1016/j.giq.2017.02.007

Bruner, B. (2021, August 2). End User: Definition & Role. Retrieved August 17, 2021, from https://study.com/academy/lesson/end-user-definition-role.html

Chandarman, R., & Niekerk, B. v. (2017, December 23). Students' cybersecurity awareness at a private tertiary educational institution. The African Journal of Information and Communication, 2017(2077-7213), 133-155. https://doi.org/10.23962/10539/23572

Chatchalermpun, S., & Daengsi, T. (2021). Improving cybersecurity awareness using phishing attack simulation. IOP Conference Series: Materials Science and Engineering, 1088(012015), 1-6. https://doi.org/10.1088/1757-899X/1088/1/012015

Chatchalermpun, S., Daengsi, T., & Wuttidittachotti, P. (2020). Cybersecurity Drill Test Using Phishing Attack: A Pilot Study of a Large Financial Services Firm in Thailand. 2020 IEEE 10th Symposium on Computer Applications & Industrial Electronics (ISCAIE), 283-286. https://doi.org/10.1109/ISCAIE47305.2020.9108832

Clarke, I. (2018, November 28). What is an Internal Audit? Answers to Common Questions. Retrieved June 7, 2021, from https://linfordco.com/blog/what-is-internal-audit/

Cloudflare. (2019, April 25). What is a phishing attack? Retrieved June 7, 2021, from https://www.cloudflare.com/learning/access-management/phishing-attack/

Clune, S. (2007). Sustainability literacy for industrial designers through action research. Shaping the Future?: Proceedings of the 9th International Conference on Engineering & Product Design Education, 232-227. https://www.researchgate.net/publication/259751556_Sustainability_Literacy_for_Industrial_Designers_through_Action_Research

Creswell, J. W. (2003). Research design: Qualitative, quantitative and mixed methods approaches (2nd ed., pp. 1-16). London, UK.

CSIS, & Lewis, J. A. (2019, January). The Cybersecurity Workforce Gap. https://www.csis.org/analysis/cybersecurity-workforce-gap

Computer Hope. (2021, January 2). Scam. Retrieved August 17, 2021, from https://www.computerhope.com/jargon/s/scam.htm

Cyberguard. (2021, September 4). The Importance of Cyber Security Awareness. Cyberguard Technologies. Retrieved June 9, 2021, from https://www.ogl.co.uk/the-importance-of-cyber-security-awareness

DataReportal. (2021). Top 10 Digital Trends in April 2021. https://datareportal.com/?utm_source=Statista&utm_medium=Data_Citation_Hyperlink&utm_campaign=Data_Partners&utm_content=Statista_Data_Citation

Devanesan, J. (2020, August). Phishing scams dominate the Philippines cybercrime landscape. https://techwireasia.com/2020/08/phishing-scams-dominate-the-philippines-cybercrime-landscape/

Definitions.net. (2021, March 5). What does information mean? Retrieved August 17, 2021, from https://www.definitions.net/definition/information

Diaz, A., Sherman, A. T., & Joshi, A. (2018, November 14). Phishing in an Academic Community: A Study of User Susceptibility and Behavior. Cryptography and Security. https://doi.org/10.1080/01611194.2019.1623343

DICT. (n.d.). National Cybersecurity Plan 2022. Retrieved June 7, 2021, from https://dict.gov.ph/national-cybersecurity-plan-2022/

Downs, J. S., Holbrook, M. B., & Cranor, L. F. (2006). Decision strategies and susceptibility to phishing. SOUPS '06, 19-90. https://doi.org/10.1145/1143120.1143131

Eclipse, L. (2020). Filipino Remote Remote Workers: How Fast Should Your Internet Be in the Philippines? Remote Staff. https://www.remotestaff.ph/blog/filipino-remote-remote-workers-how-fast-should-your-internet-be-in-the-philippines/

Elysium Security. (2019, July 1). PHISHING PROTECTION FRAMEWORK. Security News. Retrieved June 7, 2021, from https://www.elysiumsecurity.com/blog/Security/post98.html

Formplus. (2020, November 3). Survey Research: Types, Examples & Methods. Retrieved June 9, 2021, from https://www.formpl.us/blog/survey-research

Fruhlinger, J. (2020, September 4). What is phishing? How this cyber attack works and how to prevent it. Today's top stories. Retrieved June 7, 2021, from https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html

Furnell, S. (2017). Phishing: can we spot the signs? Computer Security and Reliability, 2017(3), 10-15. http://dx.doi.org/10.1016/S1361-3723(07)70035-0

Gavilan, J. (2017, April). The state of cybersecurity in the Philippines. https://www.rappler.com/newsbreak/in-depth/state-cybersecurity-philippines

Groot, D. J. (2020, August). What is Cyber Security? Definition, Best Practices & More. https://digitalguardian.com/blog/what-cyber-security

Gordon, W. J., Wright, A., Aiyagari, R., Corbo, L., Glynn, R. J., Kadakia, J., Kufahi, J., Mazzone, C., Noga, J., Parkulo, M., Sanford, B., Scheib, P., & Landman, A. B. (2019, March). Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions. JAMA Network Open, 2(3), 1-9. https://doi.org/10.1001/jamanetworkopen.2019.0393

Greene, K., Steves, M., Theofanos, M. F., & Kostick, J. (2018). User Context: An Explanatory Variable in Phishing Susceptibility. Workshop on Usable Security. http://dx.doi.org/10.14722/usec.2018.23016

Hakim, Z. M., Ebner, N. C., Oliveira, D. S., Getz, S. J., Levin, B. E., Lin, T., Lloyd, K., Grilli, M. D., & Wilson, R. C. (2020, September 30). The Phishing Email Suspicion Test (PEST) a lab-based task for evaluating the cognitive mechanisms of phishing detection. Behavior Research Methods, 52(5), 11. https://doi.org/10.3758/s13428-020-01495-0

Institute for Digital Research & Education Statistical Consulting. (n.d.). What does Cronbach's alpha mean? | SPSS FAQ. Retrieved November 30, 2021, from https://stats.idre.ucla.edu/spss/faq/what-does-cronbachs-alpha-mean/

Jagatic, T. N., Johnson, N. A., Jakobsson, M., & Menczer, F. (2017). Social Phishing. Communications of the ACM, 50(10), 94-100. http://dx.doi.org/10.1145/1290958.1290968

Kaft, D. (2018, December 31). The Job Description of IT Personnel. Retrieved August 17, 2021, from https://careertrend.com/about-6640443-job-description-personnel.html

Kaspersky. (2021, August). Internet Safety for Kids: How to Protect Your Child from the Top 7 Dangers They Face Online. https://usa.kaspersky.com/resource-center/threats/top-seven-dangers-children-face-online

Kaspersky Lab. (2021, March). What is Cyber Security? https://www.kaspersky.com/resource-center/definitions/what-is-cyber-security

KeepNetLabs. (2021, May 5). What is a Phishing Simulation? Retrieved August 17, 2021, from https://www.keepnetlabs.com/what-is-a-phishing-simulation/

Kim, B., Lee, D.-Y., & Kim, B. (2019, August 19). Deterrent effects of punishment and training on insider security threats: a field experiment on phishing attacks. Behaviour & Information Technology, 39(11), 1156-1175. https://doi.org/10.1080/0144929X.2019.1653992

KnowBe4. (2019, January 14). Phishing Examples. Retrieved June 17, 2021, from https://www.phishing.org/phishing-examples

M-Library. (2021, July 22). What is "Fake News"? Retrieved August 17, 2021, from https://guides.lib.umich.edu/fakenews

Muniandy, L., Muniandy, B., & Samsudin, Z. (2017). Cyber Security Behaviour among Higher Education Students in Malaysia. Journal of Information Assurance & Cyber security, 2017(14), 145-165. https://doi.org/10.5171/2017.800299

Lestari, I., Maksum, A., & Kustandi, C. (2019, September). Mobile Learning Design Models for State University of Jakarta, Indonesia. International Journal of Interactive Mobile Technologies (iJIM), 13(09), 1-152. https://doi.org/10.3991/ijim.v13i09.10987

Luse, A., & Burkman, J. (2021, January). Gophish: Implementing a Real-World Phishing Exercise to Teach Social Engineering. Journal of Cybersecurity Education, Research and Practice, 2020(2), 1-13. https://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=1072&context=jcerp

Malaya, B. (2020, January 29). Cybersecurity Awareness Month: Why Filipinos should start securing its online presence. Retrieved June 7, 2021, from https://www.whatalife.ph/cybersecurity-awareness-why-filipinos-should-bother/

Martin, J. (2014, October 1). Cybersecurity Awareness Is About Both ‘Knowing’ and ‘Doing’. Security Intelligence. Retrieved June 7, 2021, from https://securityintelligence.com/cybersecurity-awareness-is-about-both-knowing-and-doing/

Martinez, S. (2019, July 1). PHISHING PROTECTION. Slideshare. Retrieved June 7, 2021, from https://www.slideshare.net/SylvainMartinez5/phishing-protection-152853164

Meir, M. (2021, January 17). What is a Cybersecurity Assessment? (Definition & Types). Security Scorecard. Retrieved June 7, 2021, from https://securityscorecard.com/blog/what-is-a-cybersecurity-assessment-definition-types#:~:text=A%20cybersecurity%20assessment%20analyzes%20your,would%20for%20a%20cybersecurity%20audit.

Microsoft Asia. (2017, March). Cybersecurity in 2017: How organizations in Asia Pacific can safeguard against cyberattacks. https://news.microsoft.com/apac/2017/03/16/cybersecurity-in-2017-how-organizations-in

-asia-pacific-can-safeguard-against-cyberattacks/

Mohebzada, J. G., El Zarka, A., Bhojani, A. H., & Darwish, A. (2018). Phishing in a university

community: Two large scale phishing experiments. International Conference on

Innovations in Information Technology. 10.1109/INNOVATIONS.2012.6207742

Oest, E., Zhang P., Wardman B., Nunes E., Burgis J., Zand A., Thomas K., Doupe A., & Ahn G.

(2020, August). Sunrise to Sunset: Analyzing the End-to-end Life. Proceedings of the

29th USENIX Security Symposium. Retrieved March 15, 2022 from

https://www.usenix.org/system/files/sec20-oest-sunrise.pdf

ÖMER. (2020, June 2). What is Gophish? Gophish Installation and Scenario. What is Gophish?

Gophish Installation and Scenario. Retrieved June 17, 2021, from

https://www.systemconf.com/2020/06/02/what-is-gophish-gophish-installation-and-scena

rio/
Onumo, A., Awan, I. U., & Cullen, A. (2021, February 3). Assessing the Moderating Effect of

Security Technologies on Employees Compliance with Cybersecurity Control

Procedures. 12(1), 1-29. https://doi.org/10.1145/3424282

Philstar. (2022, January 26). NBI to probe phishing scam targeting teachers. NBI to probe

phishing scam targeting teachers. Retrieved February 21, 2022, from

https://www.philstar.com/nation/2022/01/26/2156397/nbi-probe-phishing-scam-targeting-

teachers

Rahman, N. N. B., & Widyarto, S. (2013, February). Information Security: Human Resources

Management and Information Security Incident Management.

https://www.researchgate.net/publication/245025557_Information_Security_Human_Res

ources_Management_and_Information_Security_Incident_Management

Rappler. (2020, July 12). Phishing is top PH cybercrime during pandemic – authorities. Phishing

is top PH cybercrime during pandemic – authorities. Retrieved August 22, 2021, from

https://www.rappler.com/nation/phishing-top-philippines-cybercrime-during-pandemic

Robbins, N. B. & Heiberger, R. M. (2011). Plotting Likert and Other Rating Scales. Section on

Survey Research Methods – JSM, 1058-1066. Retrieved June 17, 2021, from

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=

8&ved=2ahUKEwi03MHr857xAhUKdCsKHZdBCpkQFjAXegQIAhAD&url=https%3A

%2F%2Fwww.montana.edu%2Fmsse%2FData_analysis%2FLikert%2520Survey%2520

Graphs.pdf&usg=AOvVaw0Nd12Ve2VAuwfNSzGMyOvJ
Schwartz, J. (2020). 10 Steps to A Successful Simulated Phishing Program. 10 Steps to A

Successful Simulated Phishing Program.

https://www.mediapro.com/blog/10-steps-simulated-phishing-program-success/

Shang, H., Jang, R., Li, A., & Wang, W. (2017, June 29). A Framework to Construct Knowledge

Base for Cyber Security. IEEE International Conference on Data Science in Cyberspace

(DSC), 1(1), 1-25. https://doi.org/10.1109/DSC.2017.55

Sheng, S., Lanyon, M. B., Kumaraguru, P., & Cranor, L. (2019). Who falls for phish? A

demographic analysis of phishing susceptibility and effectiveness of interventions. 28th

International Conference on Human Factors in Computing Systems.

http://dx.doi.org/10.1145/1753326.1753383

Statista Research Department. (2021). Philippines: number of internet users 2015–2020.

https://www.statista.com/statistics/221179/internet-users-philippines/

Statista. (2021, June 21). Total number of phishing incidents in the Philippines in 2019, by

region. Total number of phishing incidents in the Philippines in 2019, by region.

Retrieved August 22, 2021, from

https://www.statista.com/statistics/1136171/philippines-number-phishing-incidents-by-re

gion/

TheDefenceWorks. (2019). The Benefits of Using Phishing Simulations.

https://thedefenceworks.com/blog/the-benefits-of-using-phishing-simulations/

Torres, T. P. (2016, April). Lack of IT security professionals makes Philippines prone to cyber

crime.
https://www.philstar.com/business/banking/2016/04/11/1571843/lack-it-security-professi

onals-makes-philippines-prone-cyber-crime

Techopedia. (2020, September 30). Cyberspace. Cyberspace. Retrieved August 17, 2021, from

https://www.techopedia.com/definition/2493/cyberspace

Tunggal, A. T. (2021, May 25). What is a Cyber Threat? Cyber Threat. Retrieved June 7, 2021,

from https://www.upguard.com/blog/cyber-threat

VanBaren, J. (2019, January 22). What Are the Types of Action Research Design? What Are the

Types of Action Research Design? Retrieved June 28, 2021, from

https://bizfluent.com/list-7608678-types-action-research-design.html

Umali, T. (2018, November). Cybersecurity in the Philippine academe to bridge skills gap.

https://opengovasia.com/cybersecurity-in-the-philippine-academe-to-bridge-skills-gap/

Vogel, R. (2016). CLOSING THE CYBERSECURITY SKILLS GAP. Salus Journal, 4, 32–46.

https://www.academia.edu/25380112/CLOSING_THE_CYBERSECURITY_SKILLS_G

AP

Vishwanath, A., Herath, T., Chen, R., & Wang, J. (2019). Why do people get phished? Testing

individual differences in phishing vulnerability within an integrated, information

processing model. Decision Support Systems, 54(3), 576-586.

http://dx.doi.org/10.1016/j.dss.2011.03.002

Wallen, J. (2020, September 15). How to run a phishing attack simulation with GoPhish. How to

run a phishing attack simulation with GoPhish. Retrieved June 17, 2021, from
https://www.techrepublic.com/article/how-to-run-a-phishing-attack-simulation-with-goph

ish/

Fruhlinger, J. (2020, September 4). What is phishing? How this cyber attack works and how to

prevent it. Today's top stories. Retrieved June 7, 2021, from

https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-work

s-and-how-to-prevent-it.html

Yeoh, W., Huang, H., Lee, W. S., Jafari, F. A., & Mansson, R. (2021). Simulated Phishing Attack

and Embedded Training Campaign. Journal of Computer Information Systems.

https://doi.org/10.1080/08874417.2021.1919941

Yildirim, O. (2019, September 8). Gophish “Open-Source Phishing Framework”. Gophish

“Open-Source Phishing Framework”. Retrieved June 17, 2021, from

https://medium.com/@orhan_yildirim/gophish-open-source-phishing-framework-fe4662e

60721#:~:text=Gophish%20is%20an%20opensource%20program,check%20statistics%2

0all%20of%20them.

Zan, T. D. (2019, February). Mind the Gap: The Cyber Security Skills Shortage and Public

Policy Interventions.

https://www.researchgate.net/publication/331160765_Mind_the_Gap_the_Cyber_Securit

y_Skills_Shortage_and_Public_Policy_Interventions

You might also like