Graduate student: 施廷岳 (Ting-Yueh Shih)
Thesis title: 從組織學習理論觀點探討組織資訊安全外包的意圖
Thesis title (English): The Intention to Security Outsourcing to MSSP: An Organization Learning Perspective
Advisor: 許瑋元
Oral defense committee: 張欣綠, 戴基峰
Oral defense date: 2014-06-16
Degree: Master's
Institution: National Taiwan University
Department: Graduate Institute of Information Management
Discipline: Computer Science
Category: General Computer Science
Thesis type: Academic thesis
Year of publication: 2014
Graduation academic year: 102
Language: English
Pages: 64
Keywords: Information Security Management; Information Security Outsourcing; Organizational Learning Theory; Managed Security Service Provider
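In recent years, although the number of information security attacks has risen rapidly, companies have not had enough well-trained information security professionals. To improve information security management, more and more companies have adopted or are considering information security outsourcing, relying on the protection and management of security service providers to raise the quality of their information security management. Information security outsourcing has also gradually drawn scholars' attention; however, most of the literature examines it from the economic-theory perspective traditionally used to study outsourcing intention. Yet companies should not merely obtain economic benefits from outsourcing; they also need to use the opportunity to improve their own learning capabilities so that they can complete all tasks smoothly within the higher-risk cooperative relationship that information security outsourcing entails. We therefore adopt organizational learning theory as the basis for developing a suitable model to study the intention to adopt information security outsourcing. Data were collected to test the model's hypotheses, and the results show that during cooperation with information security service providers, companies do undergo a clear learning process, which in turn improves their capabilities and their confidence in cooperating with outside parties.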

The number of information security attacks has been increasing rapidly in recent years. However, most organizations do not have enough well-trained information security professionals because of the security talent shortage. To improve information security management, more and more firms have adopted or considered information security outsourcing. Under the protection and control of managed security service providers (MSSPs), firms are relieved of stress from security attacks. In addition, managed security services (MSS) have gradually drawn attention from scholars. Most of the literature analyzes the intention to outsource from an economic perspective. Even though most firms generate benefits from production cost advantages, they should also learn from providers to improve their own capabilities. Therefore, based on organizational learning theory, we constructed a model to analyze the intention to outsource information security management to an MSSP. The results showed that learning processes occurred during the cooperation. Firms improved their learning capabilities and had more confidence to cooperate with other firms in the future.

Chinese Abstract
Abstract
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Research Motivation and Scope
1.2 Research Objective
Chapter 2 Literature Review
2.1 Development of Outsourcing Services
2.2 Theoretical Models of Outsourcing
2.2.1 Economic Theory Perspective
2.2.2 Organizational Theory Perspective
Chapter 3 Theoretical Framework
3.1 Organizational Learning Model
3.2 Research Model
Chapter 4 Research Design
4.1 Survey Design
4.2 Control Variables
4.3 Respondent Profile
Chapter 5 Analysis and Results
5.1 Reliability and Validity Assessment
5.2 Hypotheses Testing
Chapter 6 Discussion
6.1 Hypothesis Discussion
6.2 Implication of Theory and Practice
6.3 Limitation and Suggestion for the Future Research
Chapter 7 Conclusion
Reference
Appendix A. Questionnaire Instrument



