Appraising Institutional Capacity for Implementation of

Appraising Institutional Capacity for Implementation of the Nigerian Cybercrime Act 2015 ABUBAKAR, R., National Centre for Technology Management Federal Ministry of Science and Technology, Abuja, Nigeria KWON-NDUNG, L., Federal University, Lafia KAZEEM A., National Centre for Technology Management Federal Ministry of Science and Technology, Abuja, Nigeria

ABSTRACT Over the years, the landscape of cybercrime has remained dynamic and served as a source of economic, social and reputational retrogression. Nigeria has attempted several regulatory approaches/tools with the climax being the Cyber-crime Act, 2015. This legal shielding tool was targeted at securing critical national infrastructures against cybercrime, among other objectives. Law enforcement agen-cies are primarily vested with the responsibility of implementing this Act. This paper attempted to x-ray the capacity of major implementing institutions saddled with the responsibility of executing the 2015 cybercrime Act and to also assess the awareness level of end-users. Tailor-made self-administered questionnaire was used in retrieving data from respondents drawn from the public and relevant law enforcement agencies. The outcome of the survey pointed at a positive correlation between institutional framework and effectiveness of the Act. Unfortunately, about 66% of security agents reported insufficient institutional framework and 48.1% claimed technical challenges as major problem hindering effective implementation the cybercrime Act, 2015. The research submitted the need for an evaluation and review of implementing institutions based on international best practices and to employ public awareness campaign to increase public knowledge. Keywords: Institutional Capacity, Implementation, 2015 Cybercrime Act, Aware-ness

1.0 Introduction

Every part of our daily life has been transformed from the traditional ways to elec-

tronic ways. The ease that comes with electronic communications cannot be disput-

ed (Alan, 2010).With over “500 million Facebook users, over 50 million tweets,

over 450 million mobile internet users, and about 68 million bloggers, society has

changed and there is a paradigm shift in the way things are done worldwide

(Bonachristus and Ifeoma, 2014). Initially, most online activities were unregulated

Proceedings on Big Data Analytics & Innovation (Peer-Reviewed),

Volume 2, 2017, pp.59-80

P�� B� D�� A�� I�� (P��-R��)

60

because the extent to which the cyber space could be pervaded was not fully

known. However, with the growth of computers, internets and mobile devices, it

was obvious to government that some forms of regulations were imperative and

that institutions saddled with the responsibility of implementing the latter must be

well equipped.

Cybercrime can broadly be defined as any criminal activity involving the use

of an information technology infrastructure. Nigeria has had its fair share of this

menace. The Central Bank of Nigeria reported recently that the Nigerian banking

sector lost over ₦20b through internet fraud (PWC, 2013). Gbenga et. al. (2012)

also reported a huge sum of N2, 146,666,345,014.75 ($13,547,910,034.80) to have

been lost to cybercrime by Nigerian ICT end users. The exceptional outbreak of

cyber-crime in Nigeria in recent times is alarming and the effects on the socio-

economic indicators are highly disturbing (Ibikunle and Eweniyi, 2013). This im-

pact goes way beyond financial loss to reputational damage of organizations and

countries. Much as these facts may be mind-blowing, how prepared are the govern-

ment agencies to nip this menace in the board? What is the level of acceptance and

awareness of the Cybercrime Policy in Nigeria? How much role has law enforce-

ment agencies played in enforcing the 2015 Cybercrime Policy?

The Nigerian Cybercrime Act 2015 is the first comprehensive cyber law that

criminalised illegal online in Nigeria. The document created a legal, regulatory and

institutional framework for the prohibition, prevention, detection, investigation and

prosecution of cybercrimes and other related matters (Banwo & Ighodalo, 2015).

However, winning the war against the villains is beyond having a perfect regulato-

ry tool. It is expedient for implementing institutions to have the capacity required

in implement these laws. It is against this backdrop that efforts were made to ap-

praise the institutional capacity of major implementing security agencies as en-

shrined in the policy. The paper also attempted to consider the level of public

awareness of the cybercrime Act, 2015.

This paper is structured into 5 sections. Section 1 is a brief introduction to the

theme of the study. In Section 2, attempts were made to conduct a review of rele-

vant literatures on the field of study. Methodology adopted for the survey, results

and discussion were presented in sections 3 and 4 respectively. In chapter 5, we

concluded on the basis of the results obtained, while offering relevant policy direc-

tions for adoption by law enforcement agencies.

2.0 Conceptual Outline

2.1 Cybercrime legislation on a global level The implementation of holistic, compatible and convergent cybercrime legislation on a global basis is an essential, if not the fundamental, component of any global

P�� B� D�� A�� I�� (P��-R��)

61

response to effectively combatting cybercrime (Zahid and Jamil, 2014). The United Nations Conference on Trade and Development (UNCTAD) warns that cybercrim-inals are increasingly targeting developing countries, first and foremost because the relevant legislation in those countries isn’t enforced as strictly as it should be (Jean & Amzath, 2016). We shall x-ray some global efforts targeted at preventing and controlling cybercrime

2.2 Global response to Cybercrime The Budapest Convention is the first international treaty on crimes committed via the Internet and its main objective is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation (COE, 2016). It is considered the most relevant international instrument for fighting cybercrime to date and al-lows for harmonization of laws, supports improvement of investigation techniques, and facilitates international cooperation (Joyce, 2017). The Council of Europe (CoE) comprising 47 European member states in 2001 took the lead by putting in place the first international Convention on Cybercrime, drafted in conjunction with USA, Canada, and Japan and signed by its 46 member states but ratified by only 25 countries (Ajayi, 2016). The Budapest Convention is a criminal justice treaty that provides States with (i) the criminalization of a list of attacks against and by means of computers; (ii) procedural law tools to make the investigation of cybercrime and the securing of electronic evidence in relation to any crime more effective and subject to rule of law safeguards; and (iii) international police and judicial cooperation on cyber-crime and e-evidence (Alexander, 2016) Other global legislative effort includes the Global Cybercrime Agenda (GCA) by ITU launched May, 2007 as an international response where growing challenges to cyber security could be coordinated (Stein and solange, 2009); 2002 Common-wealth Model Law; ITU Global Cyber security Agenda launched in 2007; Combat-ing the criminal misuse of information technologies; UNGA Resolutions 55/63 and 56/121 on “Combating the criminal misuse of information technologies” (ITU, 2012) etc. With limited domestic resources, lack of inter-jurisdictional cooperation, and lack of regulatory enforcement in cyberspace, countries have attempted to increase cooperation with other countries and within international treaties (Avner and Daria, 2013).

P�� B� D�� A�� I�� (P��-R��)

62

Fig 2.0: Cybercrime legislation worldwide

From fig. 2.0 above 72% of countries have cybercrime legislation, 9% of countries have draft legislation, 19% of countries have o legislation and 1% has no data. (UNCTAD, 2017) Fig 2.1: Bilateral agreements and open dialogs between countries to combat cyber-crime Source: Avner and Daria, 2013

2.2 Cybercrime legislation at Regional level

Regions and international organizations have also deemed it fit to have a harmo-nized cybercrime policy. The regional cybercrime policies serve as a guide and reference for developing their internal policies, an example of which is The Coun-cil of Europe Convention on Cybercrime (2001). They emphasized that they can apply these policies according to their system and practice (Stein and Solange,2009). As a regional initiative, other countries may want to use the con-vention as a guideline, or as a reference for developing their internal legislation, by implementing the standards and principles it contains, in accordance with their own legal system and practice.

P�� B� D�� A�� I�� (P��-R��)

63

The African continent has had its fair share of cyber-attacks, in response the African Union (AU) recently responded to the surge in cybercrime by adopting the Convention on Cyber Security and Personal Data Protection (Eric, 2015). Howev-er, he further opined that many African states lack the technical expertise to draft and enforce such laws (Souhila, 2016). This Arab treaty on combating cybercrime is an Arab League international agreement adopted in December 2010 with the objective of enforcing its members to implement their national cybercrime legisla-tion (Riyadh, 2015) entered into force in February 2014 and was ratified by Jordan, UAE, Sudan, Iraq, Palestine, Qatar, Kuwait and Oman(Riyadh,2015). Other cybercrime policies include: ECOWAS draft directive (2009); Draft Afri-can Union Convention (2011); COMESA model bill (2011); HIPCAR cybercrime model law (2010); COE cybercrime convention (2001); ICB4PAC Cybercrime model law (2011); HIPCAR Cybercrime law (2010); Arab Treaty on Combating Cybercrime.

2.3 Previous Cybercrime Policies in Nigeria

In Nigeria, the development of cybercrime and cyber security related policies be-gan since 2004 (Odumesi, 2014) but never had a dedicated policy. Nigeria record-ed a milestone in October 2014, when the Cybercrime bill was passed by the Sen-ate (Adekola, 2014). We shall review the cybercrime and related policies in Nige-ria till date

2.3.1 National Policy for Information Technology, 2001

The National IT policy was approved in March 2001. The policy was intended to make Nigeria an ICT compliant and propelled nation. However, the work of Rose-line (2012) argued that while the policy achieved the objective of empowering youths with IT skills, they quickly turned these skills to negative use “cybercrime”. He further argued that while the policy narrowed the digital divide between Nigeria and other technologically more advanced countries, the policy brought many nega-tive effects like emergence of new phenomenon of online fraud of various kinds, most pernicious of which are those popularly known as ‘419’ or ‘Nigerian cyber-scams. These exposed the youths to the possibilities and ease of committing finan-cially lucrative and hard-to-detect criminal activities on the Internet. Though very few works have linked this policy with the emergence of cybercrime, a study done by Emmanuel in 2011 claimed the policy never met any of its intended objectives.

P�� B� D�� A�� I�� (P��-R��)

64

Source: UNODC, 2013

2.3.2 Criminal Code Act 1990 (Section 419)

The Nigerian Criminal Code Act can be used presently to prosecute cyber crimi-nals. Section 419 and 421 prohibits false pretenses and cheating, which are the activities of these cybercriminals. Section 418 gave a definition of what constitutes an offence under the Act: “ any representation made by words, writing, or conduct, of a matter of fact, either past or present, which representation is false in fact, and which the person making it knows to be false or does not believe to be true, is a false pretense” (Wada and Odulaja, 2011) this definition makes it grossly inade-quate in case of cybercrime compared to the definition given by the United King-dom on computer crimes “any fraudulent behavior connected with computerization by which someone intends to gain financial advantage”(Muhammed, 2009). Although cybercrime is not mentioned in the Act, it is a type of stealing pun-ishable under the criminal code. It accommodates certain aspects of cybercrime, it is inadequate to tackle cybercrime because the provisions are better suited for tradi-tional physically theft of tangible, however in the case of Cybercrime where we deal with theft of intangible things, the policy doesn’t properly apply. Furthermore, for a crime to have been committed a person must be deceived not a machine as in the case of cybercrime.

2.3.3 EFCC Act

The Economic and Financial Crimes Commission (Establishment) was adopted in June 2004 and deals with offences in relation to financial malpractices, offences in relation to terrorism, offences relating to false information and offences in relation to economic and financial crimes (Mohamed, 2009). Although this definition does not refer directly to advance fee fraud or internet scam it could be argued that a direct reference to email frauds in the Economic and Financial Commission Act is superfluous and therefore unnecessary, since the Commission is already charged inter alia, with administering the Advance Fee Fraud and other Related Offences Act, which directly governs advance fee fraud in cyberspace (Mohamed, 2009).

P�� B� D�� A�� I�� (P��-R��)

65

2.3.4 Advance Fee Fraud and Related Offences Act 2006 EFCC explained that this fraud is perpetuated by enticing their victims with large sum of money, out of which they will require series of upfront payments in antici-pation of a non-existing lump sum. Advanced-fee frauds are not something new in civilized human history, but this type of fraud has regained attention for its rapid increase use of email (Shun-Yung and Wilson, 2011). As at 2013, the policy was the only one in Nigeria that dealt with Internet crime issues, and it only covers the regulation of Internet service providers and cybercafés, it does not deal with the broad spectrum of computer misuse and cybercrimes (Maitanmi et al., 2013)

2.3.5 Money Laundering (Prohibition) Act 2011

This is not directly a cybercrime policy but it is related because it makes provisions to prohibit the laundering of the proceeds of crime or an illegal act (Muhammed, 2009). The Money Laundering Prohibition Act, 2011 is the directive as imposed by the Anti-Money Laundering framework that prohibits the laundering of the pro-ceeds of crime or illegality anywhere in the world (Osinbanjo, 2016).

• Offences under this Act include:

• money laundering offences

• other offences

• Retention of proceeds of a criminal conduct

• Conspiracy, aiding and abetting

• offences by a body corporate (MLPA, 2011) Functions of the policy include Limitation to make or accept cash payment, report international transfer of funds and securities, occasional cash transaction by designated non-financial institutions, special surveillance on certain transactions (MLPA, 2011).

2.3.6 BVN Policy

Financial institutions have always been a target of massive cybercrime attacks, the biggest cyber fraud in history (Carbanak) targets institutions rather than individuals (Abdul-Hakeem, 2015).In order to reduce fraud in the banking sector, the BVN was introduced February 14th ,2014.The BVN project was introduced by the Cen-tral Bank of Nigeria due to increasing incidents of compromise on conventional security systems (password and PIN) and a high demand for greater security for access to sensitive or personal information in the Banking System(Evans & Adeoye, 2016). A circular from CBN conveyed that the intention of the policy , which is to ensure the effectiveness of KYC(know your customer) principle by giving each bank customer a unique Identity across Nigerian banking industry (CBN, 2017). CBN (2017) highlighted the benefits of BVN as follows:

• Reduces exposure to fraud;

• Enhances credit advancement to bank customers;

P�� B� D�� A�� I�� (P��-R��)

66

• Checks identity theft; and

• Promotes a safe and sound financial system in Nigeria BVN solves the problem of dual identity and impersonation (Abdul-hakeem, 2015). A similar policy is been taken in India which mandates a unique 12 digit number be issued to every bank customer.There has not been any research on the impact analysis of the BVN policy on the rate of fraud.

2.4 Nigerian Cybercrime Act 2015

While many advanced countries had cybercrime policies a long time ago, Nigeria didn’t have any until May 2015. Hitherto the establishment of this policy, business-es, organizations and even government were victims of cybercrime without any regulation to turn to (Banwo and Ighodalo, 2014). The objectives of Nigerian Cybercrime Act 2015 as contained in the document are to –

(a) Provide an effective and unified legal, regulatory and institutional frame-work for the prohibition, prevention, detection, prosecution and punish-ment of cybercrimes in Nigeria;

(b) Ensure the protection of critical National Information Infrastructure; and (c) Promote Cyber security and the protection of computer systems and net-

works, electronic communications, data and computer programs, intellec-tual property and privacy rights.

Penalties for cybercrimes range from one year imprisonment for offences like distributing unsolicited emails, attempting to steal an ATM card etc to life impris-onment for using the computer for terrorism. (Nigerian Cybercrime Act, 2015)

2.4.1 Level of Awareness

The success of any legislation or policy depends greatly on the level of awareness of the end-users of it. This appears to be one of the setbacks of the Nigerian cyber-crime Act, 2015.Odumesi (2014) argued that the law enforcement agencies per-ceive a low level of general awareness of cybercrime and cyber security among the Internet, using Nigerian public and they attribute this to the low penetration of In-ternet access, mass illiteracy etc. According to the Cybercrime and cyber security trends in Africa (2016), the main challenges the government of Nigeria facing is the general lack of awareness of cyber security measures and the risks associated with cybercrime. They further claimed that Nigeria does not yet work with civil societies/NGOs to educate and raise awareness of cyber risks and that there is no national cyber security aware-ness program currently. Cyber security policy strategy prescribed that Nigeria was meant to have trained 50% of the judiciary by 2016, However this is far from the situation. Odu-mesi (2014) also emphasized the need to train judges to properly understand cyber-crime; the likely consequences of lack of training are intuition based prosecution of offenders, which may result to losing of cases by implementing or prosecuting agencies.

P�� B� D�� A�� I�� (P��-R��)

67

2.4.2 Institutional framework There has developed in recent years some concern about the effectiveness of gov-ernment policy, especially concerning its implementation and the agencies respon-sible for it (Johnson,1999). Radbound (2017) opined that for a long time, imple-mentation of public policies was considered a rather mechanistic and apolitical activity, owing to lack of monitoring and control, over ambitiousness of policy objectives etc. The Nigerian Cybercrime Act has had its fair share of implementa-tion problems including technical, legal, and operational challenges. Ajayi (2016) claimed that factors responsible for lack of experts to prosecute cybercrime in Nigeria include poor training, remuneration and inadequate security and protection on the hazardous job for law enforcement agency officials. The work of Maitama et.al (2013) listed the following problems with enforcing the cybercrime policies:

i. Insufficient funding for cybercrime law enforcement ii. Lack of trained cyber experts within law enforcement officials iii. Lack of effective international cooperation and data sharing iv. Lack of universality of laws against cyber crime v. Statutory minimums in cybercrime cases hamper effective enforcement vi. The growing nature of mass unemployment in Nigeria is worrisome.

3.0 Research Methodology 3.1 Research Design This study adopted the descriptive and survey research approaches. Relevant liter-ature materials were obtained from both soft and hard secondary literary sources. A tailor-made research tool was used in gathering primary data from relevant re-spondents.

3.2 Research Instrument The major instrument used in collecting primary data was a self-designed question-naire. The structured questionnaire was divided into four (4) major parts with each part representing questions generated from one objective of the paper. Instructions on the instrument restrained end users from attempting to provide responses to security concerned issues as they may not have the requisite knowledge to respond to those questions designed for security personnel. On the other hand, security agents are also end users and are at liberty to respond as any or either of the two categories of respondents. Section A of the questionnaire concentrated on the demographic features of respondents. Sections B, C and D were targeted at ICT end users and security agents. While Section B concentrated on computer, internet knowledge and usage, sections C and D contained queries on Cybercrime awareness, level of experience

P�� B� D�� A�� I�� (P��-R��)

68

and institutional framework, capacity, problems hindering investigation and prose-cution, loopholes in the cybercrime Act and challenges mitigating proper imple-mentation of the Cybercrime 2015 Act.

3.3 Reliability of Questionnaire The alpha coefficient for the 61 items in the questionnaire is 0.927, This implies that the items have relatively high internal consistency and thus reliable.

3.4 Method of Sampling, Data Collection and Analysis The population for this study includes the law enforcement agencies and ICT end-users drawn from FCT, Abuja. A total of 400 feedback forms were administered using stratified sampling. The strata were designed base on the reliability of infor-mation that may be offered by respondents. Random sampling was adopted within the stratified groups. One of such strata includes the security personnel and the other is the end users. Data analysis was performed using SPSS with specific em-phasis on Correlation Analysis and descriptive statistics.

3.4.1 Sample size Adopted sample size was determined using the Taro Yamane formular. An estimated population size (N) was 2.153 million (Indexmundi, 2014).

Taro Yamane formular is presented as

Where ; n= sample size N=entire population e=degree of error 1=unit (a constant figure) For the purpose of this paper, N= 2.153 million e= 0.05 (with 95% confidence level and ±5% precision)

therefore,

P�� B� D�� A�� I�� (P��-R��)

69

4.0 Results and Discussion 4.1 Acceptance and Awareness of the Cybercrime Policy in Nigeria The popularity of a policy is a function of the level of awareness and acceptance it has gained from the consumers of such policy. However, there is no generally ac-ceptable template for measuring the awareness and acceptance level of a policy, but there are general opinion that popular policies are easier to implement and it is a demonstration of the level of education or advocacy the implementing agency must have given to the policy (Kannan, 2012), lack of which may have accounted for the high rate of cybercrime in Nigeria despite having a cybercrime policy. Sta-tistics from the study as presented in figure 4.1a showed that only about 50.3% of respondents were aware of the cybercrime Act, 2015. Apart from the EFCC Act shown in fig 4.2a which has 68.7% awareness, the awareness rate of other cyber-crime and related policies are poor, especially because the target respondents were people who use ICT for personal or business purposes. For instance, awareness of Advanced Fee Fraud Act, 2006 was 47.8%, Criminal Act section 419 was 49.5%, other cybercrime policies 24.8%, please refer to figs 4.2a, 4.2b and 4.3 below. This is however contrary to the work of Boniface et al. (2014), who asserted that there was an 80% level of awareness, this discrepancy may have occurred because the data was collected only from cybercafé users. Respondents were also asked about their perceived rate of awareness of the cybercrime policy and the result is as presented in figure 4.1b below. Most of the respondents (57.4%) claimed only about 10-30% of stakeholders are aware of the 2015 act. On the average, about 27.7% ranked the awareness level of the policy between 31-60% of citizens. Another 13.5% respondents opined that only 61-90% of stakeholders were aware of the policy while only 1.4% believes the level of awareness is high (above 90%). Largely, this result supported the findings of Aye-sha et al. (2015) whose study revealed that 84% of people were not aware of the cybercrime enforcement agencies and further strengthens the position of policy education in a policy-benefiting society vis-à-vis the ease of implementing poli-cies. Advocacy and partnership with relevant development partners were veritable tools advanced by the Nigeria STI policy, 2012 in mitigating these challenges.

P�� B� D�� A�� I�� (P��-R��)

70

Fig 4.1: (a) Awareness of the cybercrime Act, 2015, (b) Perceived level of Aware-ness of cybercrime Act, 2015 (c)Awareness of Advanced Fee Fraud, 2006

Source: Field Survey, 2017 The similarity in the awareness level of the Cybercrime Act, 2015 and the Ad-vanced Free Fraud, 2006 gives an indication that government was not committed to policy advocacy, even when the cybercrime environment has remained turbulent, the Nigeria government might have maintained an average effort over the past 10 years within the intervals of both policies. On another hand, maintaining an aver-age of 49.7% and 49.5% ignorance of the cybercrime Act, 2015 and advanced Fee Fraud, 2006 respectively amongst respondents who are ICT end users is an indica-tion that strengthens the argument for the need for more awareness.

P�� B� D�� A�� I�� (P��-R��)

71

Fig. 5 (a) Awareness of EFCC Act, 2004 and (b) Awareness of Criminal Act, 419

Source: Field Survey, 2017 Figure 4.2a above shows the level of awareness of the EFCC Act, 2004 and Crimi-nal Act-419 respectively. For the EFCC Act, the result revealed that about 30.3% were not aware of the Act, while 68.7% are aware of the policy. This policy had a fairly high-level of awareness compared to other policies. The methods applied in promoting the EFCC, 2004 Act may also be employed to fashion a better advocacy model for the Cybercrime act 2015. The popularity of this act may have been at-tributed to the popularity of EFCC as an agency. It was named by UNODC as the most effective government agency (EFCC, 2017). Figure 4.2b above shows the level of awareness of the Criminal Act-419. 50% of respondents are not aware of the policy while 49.5 % are aware. It can be de-duced that it has an average level of awareness.

P�� B� D�� A�� I�� (P��-R��)

72

Figure 4.3: Awareness of other cybercrime related policies

Source: Field Survey, 2017 Further efforts were also made to appraise the level of awareness of other cyber-crime related policies aside the Cybercrime Act, 2015, the EFCC Act and the Criminal Act. The figure presented above shows that most of the respondents were not aware of any other cybercrime related policy. This is an indication of the level of ignorance of the populace as regards relevant cybercrime policies. This leaves the research community with a challenge of promoting the policies for acceptabil-ity or even conducting impact assessments of the current and past cybercrime and other related policies. Figure 4.4a Victims of Cybercrime, figure 4.4b Problems faced by Cybercrime law enforcement agents

Source: Field Survey, 2017 Figure 4.4a above shows that 69.7% of respondents have not been victims of cy-bercrime while 30.3% of respondents reported been victims of cybercrime, this

P�� B� D�� A�� I�� (P��-R��)

73

figure is similar to the survey of Gbenga et. al. (2013), who recorded that 41% of respondents have been victims of cybercrime. Chances are high for ICT end users to fall preys of cyber criminals when there is low level of awareness of cybercrime and its regulating policies. Another implication may be the possibility allowing other ICT users to stampede on the rights of others. Cases that can be addressed legally may be left unattended to out of ignorance of the policies and laws. Statistics reflected in figure 4.4a may also be an indication that people may not be aware that they are victims of cybercrime, this assumption is supported by VOAG (2017), who opined that many victims of cybercrime may be completely unaware till it’s too late. Fig 4.4b above shows what the security agents saw as the problem of imple-menting the Cybercrime Act, 2015.It reflects that 10% responded legal problems, 48.2% responded technical problems and 34.1% responded institutional problems. Table 4.1: Correlation between awareness of the cybercrime Act 2015, attitude towards change in illegal online activities and rate of criminal convictions

Table 4.1 above shows the correlation analysis between awareness of the cy-bercrime act and change of attitude toward illegal online activities and influence on the rate of cybercrime. It shows there is a positive correlation between the depend-ent and independent variables. The implication is that awareness of cybercrime influences people’s attitude towards illegal online activities and prevalence of cy-bercrime. Interestingly, there is a strong relationship between change of attitude towards online illegal activities and the rate of cybercrime at 99% and 95% confi-dence levels respectively in relationship to the cybercrime act.

P�� B� D�� A�� I�� (P��-R��)

74

4.2 Institutional Capability in Enforcement of the Cybercrime Policy Putting in place the right implementation framework is as important as having the right policy. Many policies in Nigeria are done without considering implementa-tion hence they end up unutilized. The implementing agencies are meant to be the driving forces of these policies, the cybercrime policy is not an exception to this. Unfortunately, there has been wide spread complaints amongst professionals about the vague implementation framework of the cybercrime act 2015.In line with this, the study attempted to measure the ability of the institutions to meet the set objec-tives of the cybercrime policy. Questions were asked pertaining the enforcement agencies will and ability to make the policy a success, for example agencies were asked if they had a dedicated unit for the implementation of the policy. The survey also appraised the sufficiency of the implementing institutions to implement these policies, problems faced in implementing the policy etc. An unremarkably 65.3% of security agents opined that there was insufficient institutional capacity. An appraisal of the impact of in-stitutional capability on the level of success of the cybercrime policy showed a positive relationship between the duos. This survey further established the view of many professionals who claimed that the government has been paying leap ser-vices to the issues of cybercrime since implementing institutions are weaken by the day, due largely to lack of the most required political will Table 4.2 below shows the correlation analysis between having an entity/unit exclusively dedicated to implementation of the cybercrime act, 2015 (Independent variable) and its impact on number of criminal convictions (dependent variable), change in attitude towards online illegal activities (dependent variable) and number of criminal convictions (dependent variable). The Independent variable was corre-lated with the 3 dependent variables at 0.001 and 0.005 level of significance which means we are 99% and 95% positive of a relationship between these variables. Result shows a relationship between having an entity charged with the responsibil-ity of implementing cybercrime and the rate/number of criminal convictions (please refer to table 4.2 below). This shows that when we have a unit responsible for fighting cybercrime more convictions and arrests would be made. So many cybercrimes go unpunished and much more go undiscovered, according to the analysis, this problem can be addressed by having an entity whose functions are dedicated to cybercrime. Analysis also showed that having a unit/entity dedicated for implementation of cybercrime policy has a positive relationship with the impact of the policy (please refer to table 4.2 below). For this work the impact of the policy refers to how well it has been able to fulfill its objectives and how it has curbed the rate of cybercrime. Hence having a dedicated unit charged with implementing the cyber-laws and legislations will ensure reduction in rate of cybercrime and also help achieve its set objectives. Further analysis shows a positive relationship between having a dedicated unit and having a change in attitude to online illegal activities. This result proved that for the policy to translate into change in people’s attitude of illegal online behav-iors, there is need to create a dedicated entity/unit charged with the responsibility

P�� B� D�� A�� I�� (P��-R��)

75

of implementing the policy. The ultimate of the cybercrime policy is not to serve as a tool of punishment but to serve as a tool to change the psyche of the average cy-bercriminal from perverting the internet and seeing it as a means of negative liveli-hood. From table 4.2 below, a dedicated entity for cybercrime will result to change toward online illegal activities. Table 4.2 Correlation between specifying a unit whose functions are exclusively dedicated to handling cybercrime and the impact of the policy, rate of criminal convictions and change in attitude

5.1 Conclusion The implication of the finding of this work is that we have a deficient policy instru-ment to fight cybercrime in Nigeria and these loopholes will be exploited by the cybercriminals, thereby making it of minimal or no impact. This paper established a linear relationship between awareness of the policy and its effectiveness. Having a policy which people are unaware of is as good as not having one. The first step in ensuring success of a policy should be advocacy and awareness campaign. Howev-er, even among the ICT end users, there seem to be limited or no knowledge about the cybercrime policy and other related regulatory tools. Cybercrime is majorly a youth phenomenon; unfortunately, most parents are reluctant at regulating their children online activities. Less effort has been deployed by both parents and gov-ernment agencies on enlightening the youth about the policy as well as the negative effect of cybercrime on their lives and nation at large. The efficacy of a policy is hinged on adequate implementation and enforcement machinery. Unfortunately, the cybercrime Act, 2015 appears has weak institutional and implementation framework, since implementing institutions lack the competence and capability. A multi-agency approach to the implementation of the Act is an impediment to effec-tive implementation.

P�� B� D�� A�� I�� (P��-R��)

76

5.2 Recommendations

There is need for advocacy and awareness campaign of the cybercrime policies in Nigeria. There should be more awareness campaign particularly targeted at the youth. There should be policy campaign on the social media, mass media, religious centers and academic institutions. While increasing awareness for the policy, awareness should also be made on the implications of cybercrime. This campaign should be a continuous exercise. Apart from the end-users, there is also a need to educate staff of implementing agencies on the technicalities of the policy. The institutional framework is very vague, while acknowledging the place of collaborative effort amongst agencies, there is a need for an agency to be funded to carry out the policy. The inconsistencies in the enforcement may hinder the effica-cy of the policy. Cybercrime is not a new phenomenon, it is recommended that Nigeria uses best practices or follow other successful cybercrime policies particu-larly in areas of their institutional, enforcement and legal framework. For instance, everywhere around the world, cybercrime policies are implemented by cooperating with other countries. Because of the nature of cybercrime, there is need to extend the institutional and legal framework across our national boundaries. The technical capacities of enforcing institutions should also be strengthened. The cybercrime fund mentioned in the policy (a levy of 0.005 of all electronic transactions by the businesses) Is not assigned to any agency neither is the purpose for this fund speci-fied, this should also be clarified. There should be an effective regional policy, because most cybercriminals operate from outside Nigeria, hence for the cybercrime policy to be effective, it has to interact with regional policies. Finally, there is need for evaluation, monitoring and review of the cybercrime Act, 2015 according to international best practice. It is recommended that a similar study be carried out in our institutions of higher because of the nature of that target population.

Correspondence Rufai Abubakar National Centre for Technology Management Federal Ministry of Science and Technology North Central Office, Abuja, Nigeria Email: [email protected] Tel.: +2347032515943

P�� B� D�� A�� I�� (P��-R��)

77

References Abdul-hakeem, A. (2015). Bank Verification Number (BVN) & Cybercrime in Nigeria. Retrieved online at https://www.linkedin.com/pulse/bank-verification-number-bvn-cybercrime-nigeria-abdul-hakeem-ajijola on 28th September 2017 Ademola, T. A. (2014). An examination of the Nigerian cybercrime bill 2014. Department of business studies, Landmark University Omu Aran.

Ajayi,E.F.G (2016) Challenges to enforcement of cyber-crimes laws and policy. Journal of Internet and Information Systems. Vol. 6(1), pp. 1-12, August 2016 DOI 10.5897/JIIS2015.0089 Article Number: 930ADF960210 ISSN 2141-6478

Alan, C. (2010). Cyber Crime Strategy. Retrieved online at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/228826/7842.pdf

Alexander, s. (2016). The Budapest Convention on Cybercrime: a framework for capacity building. Global forum on cyber expertise. Cybercrime Division at the Council of Europe in Strasbourg, France.

Avner, L. and Daria, I. (2013). International Comparism of Cybercrime, Tedrogers School of Management. Ryerson University. Privacy and cybercrime institute.

Banwo and Ighodalo (2015). Milestone in Electronic Commerce: How the Cyber-crimes Act 2015 impacts businesses. Retrieved online at http://www.banwo-ighodalo.com/assets/grey-matter/f1b82d5ef0ea07557c144ff3991ffb8f.pdf on 2th September, 2017

Bonachristus, U. and Ifeoma, O. (2014). The Internet Communication and the Mor-al Degradation of the Nigerian Youth. International Journal of Computer and Infor-mation Technology. ISSN: 2279 – 0764.Volume 03 – Issue 02, March 2014

Central bank of Nigeria (2014). Exposure draft on the regulatory framework for bank verification number (BVN) operations and watch-list for the Nigerian finan-cial system. Circular to all banks, money operators and payment terminal service operators. Retrieved online at https://www.cbn.gov.ng/Out/2017/CCD/Circular%20and%20Exposure%20Draft%20on%20the%20Framework%20for%20BVN%20Operations%20and%20Watchlist.pdf on 28th September 2017

Council of Europe (2016). Convention on Cybercrime. Retrieved online at http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185

Cybercrime and Cyber Security (2016). Cyber Security Trends in Africa. Symantec corporation world headquarters. 350 Ellis Street Mountain View, CA 94043 USA. Retrieved online at https://www.thehaguesecuritydelta.com/media/com_hsd/

P�� B� D�� A�� I�� (P��-R��)

78

report/135/document/Cyber-security-trends-report-Africa-en.pdf on 30th August 2017 Economic and financial Crimes Commission (2017). EFCC Adjudged Most Effec-tive Govt Agency. EFCC Media and publicity 17th august 2017.Retrieved online at https://efccnigeria.org/efcc/9-uncategorised/2714-efcc-adjudged-most-effective-govt-agency on 28th september, 20017 Emmanuel E.B. (2001). A Critical Examination of Information and Communica-tion Technology Policies: Effects on Library Services in Nigeria. Niger Delta Uni-versity Library Amassoma, Bayelsa State, Nigeria. ISSN 1522-0222.

Eric, R.L. & Majid,y .(2014). Applying Routine Activity Theory to Cybercrime: A theoretical and empirical analysis. Journal of deviant behaivour. Vol. 37, Iss. 3,2016. Pages 263-280.

Eric,T.(2015) . The AU’s cybercrime response A positive start, but substantial challenges ahead. Institute for security studies. Policy brief 73. January 2015.Retrieved online at https://www.files.ethz.ch/isn/187564/PolBrief73_c yber-crime.pdf on 29th August 2017.

Gbenga, S., Babatope, S. and Bankole, O. (2012). Economic cost of cybercrime in Nigeria. Report of the cyber stewards network project of citizens lab, Munk univer-sity of global affairs, university of Toronto.Retreived online at https://www.opennetafrica.org/?wpfb_dl=7 on 27tth September 2017 Ibikunle, F. & Eweniyi,O.(2013).Approach to cyber security issues in Nigeria: challenges and solution. Department of electrical & information engineering, cove-nant university, Nigeria. International Journal of Cognitive Research in Science. ITU (2012). Cybercrimes/e-crimes assessment report: Establishment of Harmo-nized Policies for the ICT Market in the ACP Countries. Retreived online at http://www.itu.int/en/ITU-D/Cybersecurity/Documents/HIPCAR%20Assessment%20Cybercrimes.pd on 27th September 2017

Jean, S. & Amzath, F. (2016). Cybercrime in Africa: Facts and figures. SciDev.net. Retrieved online from http://www.scidev.net/sub-saharan-africa/icts/feature/cybercrime-africa-facts-figures.htm Johnson, R. (1999). The Role of Institutions in Policy Making. No 123822, 1999 Conference (43th), January 20-22, 1999, Christchurch, New Zea-lan from Australian Agricultural and Resource Economics Societ.Retreived online at http://ageconsearch.umn.edu/record/123822/files/JohnsonRobin2.pd on 30th August 2017.

P�� B� D�� A�� I�� (P��-R��)

79

Joyce,H.(2017). Cybercrime and the Digital Economy in the GCC Countries. Inter-national Security Department. June 2017. ISBN 978 1 78413 235 4.Retrieved online at https://www.chathamhouse.org/sites/files/chathamhouse/publications/research/2017-06-30-cybercrime-digital-economy-gcc-hakmeh.pd on 29th August, 2017. Maitanmi, O., Ogunlere, S., Ayinde, S. and Adekunle, Y. (2013). Cyber Crimes and Cyber Laws in Nigeria. The International Journal of Engineering and Science (IJES). Volume 2. Issue 4, Pages 19-25. ISSN(e): 2319 – 1813 ISSN(p): 2319 – 1805

Mohamed, C. (2009). Nigeria Tackles Advance Fee Fraud. Journal of Infor-

mation, Law & Technology. Retrieved online at http://go.warwick.ac.uk/

jilt/2009_1/chawk

Money laundry prohibition act (2011). Retrieved online at http://www.icnl.org/research/library/files/Nigeria/5_NigeriaMLPA2011.pd on 28th September 2017

Odumesi, J.O. (2014). Combating the menace of cybercrime. International Jour-nalof Computer Science and Mobile Computing. IJCSMC, Vol. 3, Issue. 6, June 2014, pg.980 – 991.

Odumosu,J.O.(2014). A socio-technological analysis of cybercrime and cyber se-curity in Nigeria. International Journal of Sociology and Anthropology. Vol.6 (3), pp. 116-125, March, 2014.DOI: 10.5897/IJSA2013.0510.ISSN 2006-988x

Osinbajo,Y.(2003).Regulatory Framework For Curbing Internet Crimes And Mon-ey Laundering in Nigeria. PWC (2013). Dealing with cybercrime threat in the financial sector.PWC Nigeria cybercrime event. Retrieved online at http://www.pwc.com/ng/en/assets/pdf/pwc-nigeria-cybercrime-presentation-17-november-2013.pd Radbound University (2017). Implementation: Putting Policy into Prac-tice.Retreived online at http://www.ru.nl/publicadministration/research/our-research-0/read-more on 28th September 2017

Riyadh (2015). Arab treaty on combating cybercrime. Retrieved online at http://www.riyadh.om/2015/arab-treaty-on-combating-cybercrime on 29th August 2017 shun-Yung, K.W. and Wilson, H. (2011). The evolutional view of the types of identity thefts and online frauds in the era of the internet. Inter-net Journal of Criminology 2011. ISSN 2045-6743 (Online)

P�� B� D�� A�� I�� (P��-R��)

80

Souhila, A. (2016). African Union Perspectives on Cybersecurity and Cybercrime. ITU-ATU Workshop on Cyber Security Strategy in African Countries Khartoum, Sudan (Republic of the), 24 – 26 July 2016. Stein, S. & Solange, G. (2009). A Global Protocol on Cyber security and Cyber-crime. ISBN: 978-82-997274-2-6. Retrieved online at http://www.cybercrimelaw.net/documentsA_Global_Protocol_on_Cybersecurity_ and_ Cybercrime.pdf on 29th August 2017 Virginia Office of Attorney General (VOAG) (2017). New protection for virginia employees goes into effect july 1. Virginia office of attorney general press re-lease.Retrieved online at http://www.publicnow.com/view/ 041F93D3444 D811B4DF61EC831BB9AF4124C4BDD?2017-06-29-14:30:08+01:00-xxx4248 on 28th September, 2017. Wada, F. & Ojulaja,G.O. (2012).Electronic Banking and Cyber Crime In Nigeria -A Theoretical Policy Perspective on Causation Africa J. of Comp & ICTs. Vol 5. No. 1. pp 69-82. African Journal of Computing & ICT January 2012- ISSN 2006-1781 Yamane, T. (1967). Statistics, an introductory analysis, 2nd Ed., New York: Harper and Row. Zahid, J. and Jamil& Jamil (2013). Cybercrime model laws. Discussion paper pre-pared for the Cybercrime Convention Committee (T-CY). Strasbourg, France Ver-sion 9 December 2014.