National Digital Library of Theses and Dissertations in Taiwan

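Graduate student: 陳永清
Graduate student (English): Yung-Ching Chen
Thesis title: 組織資訊安全活動之影響因素及組織資訊安全績效之研究
Thesis title (English): A Study on The Affecting Factories of Organizational Information Security Activities and The Performance of Information security of Organization
Advisor: 孫思源
Advisor (English): Szu-Yun Sun
Degree: Master's
Institution: National Kaohsiung First University of Science and Technology (國立高雄第一科技大學)
Department: Graduate Institute of Information Management
Discipline: Computer science
Field: General computing
Thesis type: Academic thesis
Year of publication: 2005
Academic year of graduation: 93
Language: Chinese
Number of pages: 92
Chinese keywords: 資訊安全 (information security); 組織 (organization); 資訊安全活動 (information security activity); 資訊系統 (information system)
English keywords: Information Security; Organization; Information Security Activity; Information System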
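In recent years, enterprises have made extensive use of the Internet and information systems to improve work efficiency, reduce operating costs, and increase their competitiveness. However, as organizations rely more and more on electronic means to complete transactions, harm to information security keeps increasing. To respond to the growing number of information security problems and to maintain the organization's competitiveness, managers must confront the question of which information security activities the organization should adopt so that, while information is exchanged rapidly, it has a secure information environment and information security threats are reduced. Although managers' awareness of information security is gradually increasing and scholars have successively published literature on information security, few senior executives in enterprises understand information security; as a result, large amounts of money and manpower are invested without effectively resolving information security vulnerabilities, and opportunities to improve organizational performance are missed. How to evaluate which information security actions suit an organization is therefore important.
Based on a review of the related literature, this study proposes an evaluation model and related hypotheses for organizational information security activities and information security performance, and uses a questionnaire survey of information personnel, covering the information security activities within their organizations and the performance of those activities, to test the relationships empirically. The results show:
1. Organizational size has a significant positive effect on deterrence, prevention, detection, and recovery activities.
2. Top management support has a significant positive effect on deterrence, prevention, detection, and recovery activities.
3. Top management's security awareness has a significant positive effect on deterrence, prevention, detection, and recovery activities.
4. Industry type has a significant positive effect on deterrence, prevention, detection, and recovery activities.
5. Deterrence activities have a significant positive effect on information security performance.
6. Prevention activities have no significant effect on information security performance.
7. Detection activities have a significant positive effect on information security performance.
8. Recovery activities have a significant positive effect on information security performance.
The evaluation of information security performance tested empirically in this study is intended not only to remind senior executives to avoid information security threats and to strengthen risk assessment, but also to help decision makers by providing a timely reference when they make decisions about information security activities, so that the information security activities the organization carries out achieve the greatest performance.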
Enterprises have adopted the Internet and information systems on a large scale in order to make management more efficient, decrease the cost of operation, and increase the competitiveness of the business. Increased organizational dependence on IS has led to a corresponding increase in the impact of IS security abuses. When electronic systems are used to support the organization, a very important question for managers is which information security activities to take so that, while data is exchanged rapidly, the information systems are protected, the information environment is safe, and threats to information security are reduced.
In Taiwan, managers are gradually gaining a clear understanding of information security awareness. Scholars have submitted their proposals for information security, but top managers in Taiwan do not understand information security. As a consequence, they invest a lot of money in security products such as firewalls, intrusion detection systems, and anti-virus software, but those products still have security holes, and hackers break into the systems and threaten companies through those holes. This wastes not only money but also manpower. It is therefore very important to assess which set of information security activities is suitable for an organization.
Based on a review of the literature, this paper proposes information security activities, an information assessment model, and related hypotheses, and uses questionnaires investigating information security activities and information achievements to understand how top managers affect organizations. As a result, the report found eight key points:
1. Organizational size has a significant positive effect on the deterrence, prevention, and recovery activities of information security.
2. Top management support has a significant positive effect on the deterrence, prevention, and recovery activities of information security, but its effect on detection activity is unclear.
3. Top managers' information security awareness has a significant positive effect on deterrence, prevention, recovery, and deterrence activities.
4. Industry type has a significant positive effect on the deterrence, prevention, and recovery activities of information security.
5. Deterrence activities have a significant positive effect on information security awareness.
6. Prevention activities do not have a significant effect on information security awareness.
7. Detection activities have a significant positive effect on information security awareness.
8. Recovery activities have a significant positive effect on information security awareness.
The report has confirmed that the assessment of information security performance can not only remind top managers to avoid information security threats but also enhance the estimation of risk. It is hoped that the report can give top managers timely assistance in decision-making and ensure that the information security activities an organization carries out maximize its information security performance.
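Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Tables
List of Figures
I. Introduction
1. Research background
2. Research motivation
3. Research objectives
4. Research procedure
5. Research framework
II. Literature review
1. Factors affecting organizational information security activities
(1) Organizational size
(2) Top management support
(3) Top management security awareness
(4) Industry type
(5) Definitions related to high-technology industry
2. Introduction to BS7799
3. Information security activities
(1) Deterrence activities
(2) Prevention activities
(3) Detection activities
(4) Recovery activities
4. Organizational information security performance
III. Research method
1. Establishing the research model
2. Hypothesis development
3. Operational definitions
4. Questionnaire design
IV. Data analysis
1. Data analysis tools and methods
2. Sample characteristics and questionnaire returns
3. One-way analysis of variance
4. Reliability and validity analysis
5. Testing the research model
V. Conclusions and recommendations
1. Research conclusions
(1) Effect of organizational size on information security activities
(2) Effect of top management support on information security activities
(3) Effect of top management security awareness on information security activities
(4) Effect of high-technology industry on information security activities
(5) Effect of information security activities on organizational information security performance
2. Research limitations
3. Research contributions
4. Directions for future research
References
Appendix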