Title (Chinese)

企業資訊安全投資之決策變數探討 (A study of decision variables for enterprise information security investment)

Title (English)

Study of Decision Variables for Enterprises Information Security Investment

DOI

10.6220/joq.2013.20(4).02

Authors

詹前隆 (Chien-Lung Chan); 曾淑芬 (Shu-Fen Tseng); 呂志鴻 (Chih-Hung Lu)

Keywords

information security; investment decision; information security risk index; risk perception

Journal

品質學報 (Journal of Quality)

Volume/Issue (publication date)

Vol. 20, No. 4 (2013/08/01)

Pages

379-401

Language

Traditional Chinese

Abstract (translated from Chinese)

An endless stream of information security incidents causes enterprises enormous losses and seriously damages corporate reputation. This study examines the decision variables that influence enterprises' information security investment. Information security investment items include security manpower, software, hardware, management, outsourcing and services. Data were collected from information-related practitioners in Taiwanese enterprises through expert interviews and questionnaires. Starting from different dimensions, the external environment and the internal organization, multiple regression analysis was used to identify the factors influencing enterprise information security investment and the degree of their influence. The results show that external environmental factors have no significant effect on information security investment. The variables that influence information security investment are, in order, "senior executives' attitude toward information security control", "information security risk perception", "enterprise scale" and "the organization's degree of information technology application". Enterprises should raise senior executives' attitude toward security control and their risk perception in order to strengthen information security investment. Facing the dilemma between controlling security risk and cost effectiveness, a decision analysis framework is recommended to improve decision quality.

Abstract (English)

The increase in information security incidents has caused enterprises great losses and damaged their reputations. In coping with a variety of information security issues, enterprises face a dilemma when they need to make investment decisions for information security infrastructure: managers need to achieve both risk control and cost effectiveness. The aim of this research is to examine the variables influencing enterprises' information security investment decisions. We collected data from decision makers involved in information technology investment through interviews and questionnaires. Factors affecting enterprises' information security investment were classified into internal and external factors, and investment items included information security manpower, software, hardware, management, outsourcing, and services. Using regression analysis, the variables influencing information security investment were identified. External environmental factors have no significant effect on enterprises' information security investment. The variables that predict "information security investment", in order of their beta coefficients, are: "the senior executives' attitude toward control of information security", "information security risk index", "the scale of the enterprise", and "the degree of the enterprise's technology application". Consequently, enterprises need to strengthen top management's attitude toward information security control and their risk perception to improve the quality of information security decision making. A decision analysis framework is recommended to trade off information security risk control against the cost effectiveness of information security investment.

Subject classification: Social Sciences > Management

References
  1. Chien, C.-F., Chen, C.-P., & Chen, C.-H. (2009). Designing performance indices and a novel mechanism for evaluating government R&D projects. Journal of Quality, 16(2), 119-135.
  2. Chien, C.-F., Yu, C.-M., & Hsu, S.-C. (2009). UNISON decision analysis framework for constructing the workforce planning decision model for semiconductor manufacturing fab. Journal of Management & Systems, 16(2), 157-180.
  3. 李東峰, & 林子銘 (2002). 資訊主管對企業資訊安全之風險控管決策 [IT executives' risk control decisions on enterprise information security]. 資訊管理研究 (Journal of Information Management Research), 4(2), 1-42.
  4. Bacon, C. J. (1992). The use of decision criteria in selecting information system/technology investment. MIS Quarterly, 16(3), 335-353.
  5. Bharadwaj, A. S. (2000). A resource-based perspective on information technology capability and firm performance: An empirical investigation. MIS Quarterly, 24(1), 169-196.
  6. Bodin, L., Gordon, L. A., & Loeb, M. P. (2008). Information security and risk management. Communications of the ACM, 51(4), 64-68.
  7. Bojanc, R., & Jerman-Blazic, B. (2008). An economic modeling approach to information security management. International Journal of Information Management, 28(5), 413-422.
  8. Briney, A., & Prince, F. (2002). 2002 ISM Survey. Information Security Magazine, 2002(September), 36-54.
  9. Cavusoglu, H., Mishra, B., & Raghunathan, R. (2004). A model for evaluating IT security investments. Communications of the ACM, 47(7), 87-92.
  10. Chai, S., Kim, M., & Rao, H. R. (2011). Firms' information security investment decisions: Stock market evidence of investors' behavior. Decision Support Systems, 50(4), 651-661.
  11. Chan, C. L. (2011). Information security risk modeling using Bayesian index. The Computer Journal, 54(4), 628-638.
  12. Chang, S. E., & Ho, C. B. (2006). Organizational factors to the effectiveness of implementing information security management. Industrial Management and Data Systems, 106(3), 345-361.
  13. Chien, C.-F., Wang, H.-J., & Wang, M. (2007). A UNISON framework for analyzing alternative strategies of IC final testing for enhancing overall operational effectiveness. International Journal of Production Economics, 107(1), 20-30.
  14. Clemen, R. T. (1996). Making Hard Decisions: An Introduction to Decision Analysis. Belmont, CA: Duxbury Press.
  15. Fung, A. R.-W., Farn, K.-J., & Lin, A. C. (2003). A study on the certification of the information security management systems. Computer Standards & Interfaces, 25(5), 447-461.
  16. Gatignon, H., & Robertson, S. T. (1989). Technology diffusion: An empirical test of competitive effects. Journal of Marketing, 53(1), 35-49.
  17. Gordon, L. A., & Loeb, M. P. (2006). Budgeting process for information security expenditures. Communications of the ACM, 49(1), 121-125.
  18. IBM X-Force (2010). Unpublished.
  19. Janz, B., & Dibrell, C. (1998). The implementation of strategy in an innovative information service organization: An empirical comparison of theoretical frameworks. Journal of Information Technology Management, 9(3), 1-20.
  20. Jarvenpaa, S. L., & Ives, B. (1991). Executive involvement and participation in the management of information technology. MIS Quarterly, 15(2), 205-227.
  21. Keeney, R. L., & Raiffa, H. (1993). Decisions with Multiple Objectives: Preferences and Value Tradeoffs. New York: Cambridge University Press.
  22. Kelly, D., & Amburgey, T. L. (1991). Organizational inertia and momentum: A dynamic model of strategic change. Academy of Management Journal, 34(3), 591-612.
  23. Klapper, L. F., & Love, I. (2004). Corporate governance, investor protection, and performance in emerging markets. Journal of Corporate Finance, 10(5), 703-728.
  24. Kotulic, A. G., & Clark, J. G. (2004). Why there aren't more information security research studies. Information & Management, 41(5), 597-607.
  25. Kuhl, J., & Beckmann, J. (Eds.) (1985). Action Control: From Cognition to Behavior. Berlin: Springer.
  26. Mata, F. J., Fuerst, W. L., & Barney, J. B. (1995). Information technology and sustained competitive advantage: A resource-based analysis. MIS Quarterly, 19(4), 487-505.
  27. McIvor, R., & McHugh, M. (2000). Partnership sourcing: An organization change management perspective. The Journal of Supply Chain Management, 36(3), 12-20.
  28. Mercuri, R. T. (2003). Analyzing security costs. Communications of the ACM, 46(6), 15-18.
  29. Miller, J., & Doyle, B. A. (1987). Measuring effectiveness of computer-based information systems in the financial service sector. MIS Quarterly, 11(1), 107-125.
  30. Mohan-Neill, S. (2006). Online market information and environmental scanning activity by small business: The correlation between firms' characteristics and online market information acquisition. Academy of Entrepreneurship Journal, 12(2), 85.
  31. Pemberton, J. D., Stonehouse, G. H., & Barber, C. E. (2001). Competing with CRS-generated information in the airline industry. Journal of Strategic Information Systems, 10(1), 59-76.
  32. Porter, M. E. (1998). Clusters and the new economics of competition. Harvard Business Review, 76(6), 77-90.
  33. Premkumar, G., & King, W. R. (1994). Organizational characteristics and information systems planning: An empirical study. Information Systems Research, 5(2), 75-104.
  34. Purser, S. A. (2004). Improving the ROI of the security management process. Computers and Security, 23(7), 542-546.
  35. Ravichandran, T., & Lertwongsatien, C. (2005). Effect of information systems resources and capabilities on firm performance: A resource-based perspective. Journal of Management Information Systems, 21(4), 237-276.
  36. Saaty, T. L. (1980). The Analytic Hierarchy Process. New York: McGraw-Hill.
  37. Shelly, G. S., Stewart, W. H., Swet, R. R., & Luker, W. A. (2000). Convergence versus strategic reorientation: The antecedents of fast-paced organizational change. Journal of Management, 26(5), 911-945.
  38. Sonnenreich, W., Albanese, J., & Stout, B. (2006). Return on security investment (ROSI): A practical quantitative model. Journal of Research and Practice in Information Technology, 38(1), 45-56.
  39. Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441-469.
  40. Tallon, P. P., Kraemer, K. L., & Gurbaxani, V. (2000). Executives' perceptions of the business value of information technology: A process-oriented approach. Journal of Management Information Systems, 16(4), 145-173.
  41. Teo, T. S. H., & Ang, J. S. K. (1999). Critical success factors in the alignment of IS plans with business plans. International Journal of Information Management, 19(2), 173-185.
  42. Thong, J. Y. L. (1999). An integrated model of information systems adoption in small business. Journal of Management Information Systems, 15(4), 187-214.
  43. Thong, J. Y. L., & Yap, C. S. (1995). CEO characteristics, organizational characteristics and information technology adoption in small business. Omega, 23(4), 429-442.
  44. Vermeulen, C., & Von Solms, R. (2002). The information security management toolbox: Taking the pain out of security management. Information Management & Computer Security, 10(3), 119-125.
  45. Von Solms, B., & Von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371-376.
  46. von Winterfeldt, D., & Edwards, W. (1986). Decision Analysis and Behavioral Research. Cambridge: Cambridge University Press.
  47. Weill, P., & Olson, M. H. (1989). Managing investment in information technology: Mini case examples and implications. MIS Quarterly, 13(1), 3-17.
  48. Wu, J.-Z., & Chien, C.-F. (2008). Modeling strategic semiconductor assembly outsourcing decisions based on empirical settings. OR Spectrum, 30(3), 401-430.
  49. 行政院主計處電子處理資料中心 (Electronic Data Processing Center, Directorate-General of Budget, Accounting and Statistics, Executive Yuan) (2010). 資通安全外部稽核 [External audit of information and communication security]. Published by the author.
  50. 吳明隆 (2006). SPSS統計應用學習實務:問卷分析與應用統計 [SPSS statistical applications in practice: Questionnaire analysis and applied statistics]. Taipei: 易習圖書.
  51. 吳明隆 (2009). SPSS操作與應用:問卷統計分析實務 [SPSS operation and application: Questionnaire statistical analysis in practice]. Taipei: 五南圖書出版股份有限公司 (Wu-Nan Book).
  52. 李東峰 (2003). Doctoral dissertation. Taoyuan, Taiwan: Graduate Institute of Information Management, National Central University.
  53. 李順仁 (2007). 資訊安全 [Information security]. Taipei: 文魁資訊.
  54. 洪國興, 季延平, & 趙榮耀 (2003). 資訊安全評估準則層級結構之研究 [A study of the hierarchical structure of information security evaluation criteria]. 圖書館學與資訊科學 (Journal of Library and Information Science), 29(2), 22-44.
  55. 財團法人資訊工業策進會 MIC (Institute for Information Industry, Market Intelligence & Consulting Institute) (2010). 資訊服務產業年鑑 [Information services industry yearbook]. Published by the author.
  56. 樊國楨 (2005). 資訊安全風險管理 [Information security risk management]. Taipei: 行政院國家科學委員會科學技術資料中心 (Science and Technology Information Center, National Science Council).
  57. 鄧家駒 (1998). 風險管理 [Risk management]. Taipei: 華泰文化事業公司.
  58. 賴志明 (2009). Doctoral dissertation. Taipei, Taiwan: Graduate Institute of Information Management, National Taiwan University of Science and Technology.
  59. 簡禎富 (2005). 決策分析與管理 [Decision analysis and management]. Taipei: 雙葉書廊.
  60. 羅英嘉 (2008). CISSP與資訊安全基礎技術 [CISSP and fundamental information security technologies]. Taipei: 財團法人資訊工業策進會 (Institute for Information Industry).