National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

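Graduate student: 蕭光妤
Graduate student (English name): Kuang-Yu Hsiao
Thesis title: 根據組織學習觀點探討資訊安全管理系統導入--以公務單位為例
Thesis title (English): A Multi-case Study on the Introduction of Information Security Management Systems to Public Organizations: an Organizational Learning Perspective
Advisor: 廖耕億
Advisor (English name): Gen-Yi Liao
Degree: Master's
Institution: Chang Gung University
Department: Graduate Institute of Information Management
Discipline: Computer science
Subdiscipline: General computer science
Thesis type: Academic thesis
Year of publication: 2006
Academic year of graduation: 94 (ROC calendar)
Language: Chinese
Number of pages: 163
Keywords (Chinese): BS7799; 資訊安全管理系統; 組織學習; 組織變革; 質性研究
Keywords (English): BS7799; information security management system; organizational learning; organizational change; qualitative methodology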
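In an information-saturated society, organizations depend ever more heavily on information technology, and maintaining information security within the organization has become correspondingly important. To check whether information security management is thorough and actually practiced, many standards bodies have defined certification standards. Among them, BS7799, proposed by the British Standards Institution (BSI), formally became ISO 27001 in 2005 and is now an internationally recognized certification standard for information security management. The government in Taiwan has also required Class A and Class B government agencies to obtain BS7799 certification by the end of ROC year 97, which signals the importance Taiwan attaches to information security.
As of June of ROC year 95, 92 organizations in Taiwan had obtained BS7799 certification. During implementation, these organizations frequently ran into implementation difficulties and poor adaptation. These included damaged staff morale, reduced efficiency in carrying out business, and a perfunctory attitude of going through the motions, all of which greatly undercut the good intent behind the government's certification mandate. Therefore, to learn whether an implementing organization's level of information security management has actually improved, a deep understanding of the phenomena, causes and solutions behind the implementation difficulties may well matter more than obtaining the certificate.
To cope with a rapidly changing environment, organizations must raise their learning capability in order to face challenges and difficulties. The purpose of this study is therefore to examine the introduction and operation of BS7799 from an organizational learning perspective and to explore in depth the relationship between implementation difficulties and organizational learning; this angle has not yet appeared in the existing literature. To uncover the difficulties experienced by organizations that obtained BS7799 certification, this study takes a qualitative approach: it visits four public-sector organizations that have passed BS7799 certification and uses interviews and document review to understand their organizational learning, the difficulties that arose when introducing BS7799, and the organizational change that the introduction produced. The raw data collected, consisting of verbatim transcripts of recorded interviews and of documents, went through the steps of coding, graphical display and association analysis to produce the research conclusions.
This study finds that nine difficulties may arise when an organization introduces BS7799: "not enough time, not enough staff, too much work"; "insufficient knowledge of BS7799 or information security"; "communication with consultants takes a long time"; "insufficient employee cooperation"; "insufficient vigilance among general staff"; "difficulty communicating across groups"; "insufficient attention from managers"; "insufficient budget"; and "insufficient authority for the staff carrying out the work". Introducing BS7799 may cause a marked change in the organization's "people and roles" dimension. In addition, through association analysis we develop a number of research propositions that establish the relationships between key elements of organizational learning and the implementation difficulties, and between key elements of organizational learning and organizational change. We also offer concrete recommendations for organizations that will introduce BS7799 in the future, such as increasing support from upper management, developing employees' communication and coordination skills, and holding related competitions, to help the introduction of an information security management system.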
Modern organizations increasingly rely on information technology in daily operations. As the correctness and availability of information systems must be maintained, the importance of information security has also been recognized. To evaluate whether information security is well managed in enterprises, standardization organizations have established security management standards, including BS7799, which was established by the British Standards Institution (BSI) and was formally approved as ISO 27001 in 2005. In Taiwan, the government mandated the adoption of BS7799, indicating its special emphasis on information security management.
The organizations implementing BS7799 have encountered difficulties such as employee resistance, work overload, and perfunctory compliance. These difficulties have prevented the introduction of BS7799 from producing the effects expected. However, it remains unclear what factors lead to those difficulties. Therefore, this thesis attempts to identify the phenomena, causes and solutions of the difficulties in implementing BS7799.
To adapt to a fast-changing environment, organizations need to improve their learning ability in order to face various challenges and difficulties. This thesis therefore explores the introduction and implementation of BS7799 from an organizational learning perspective, which appears to be missing from the related literature we surveyed. To find the potential factors that influence BS7799 implementation, interviews were conducted with four public organizations that have passed BS7799 certification. After the interviews, the collected data were coded and then displayed in figures. To explain the possible associations between factors, this study analyzes the relationships among all the coded data and obtains the following conclusions.
The study finds nine difficulties that may occur in organizations implementing BS7799: "employees do not have enough time or manpower and have a heavy workload", "employees do not have sufficient knowledge of information security and BS7799", "it is time-consuming to communicate with consultants", "the staff do not cooperate adequately", "the staff do not have sufficient information security awareness", "it is difficult to communicate with people in other departments", "the leaders do not take the implementation process seriously enough", "the budget is not enough", and "the staff in charge of introducing BS7799 do not have sufficient power". Introducing BS7799 may cause organizational change in the "individuals and roles" dimension. In addition, we propose some research topics based on association analysis to establish the correlations between organizational learning and implementation difficulties, and between organizational learning and organizational change. We also propose suggestions to help organizations that will introduce the BS7799 standard, for example: "increase leaders' support", "improve the staff's communication ability", and "hold interesting contests to encourage staff to learn about information security".
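Chapter 1 Introduction
Section 1 Research Background
Section 2 Research Motivation
Section 3 Research Objectives
Chapter 2 Literature Review
Section 1 The BS7799 Information Security Management System Standard
Section 2 Organizational Learning Capability
Section 3 Organizational Change
Chapter 3 Research Method
Section 1 Reasons for Adopting Qualitative Research
Section 2 Research Process
Section 3 Research Model
Section 4 Research Cases
Section 5 Research Outline
Section 6 Data Analysis
Chapter 4 Data Analysis
Section 1 Analysis of Key Factors in Organizational Learning
Section 2 Analysis of Organizational Learning During the Introduction of BS7799
Section 3 Analysis of the Difficulties Encountered in Introducing BS7799
Section 4 Analysis of the Organizational Change Produced by Introducing BS7799
Section 5 Analysis of the Association Between Key Factors in Organizational Learning and the Difficulties in Introducing BS7799
Section 6 Analysis of the Association Between Key Factors in Organizational Learning and the Organizational Change Produced by Introducing BS7799
Chapter 5 Conclusions and Recommendations
Section 1 Research Conclusions
Section 2 Research Recommendations
Section 3 Research Limitations and Suggestions for Future Research
References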