Title

A Study of the Effect of Implementing Information Security Policy on Information Security Culture and Information Security Effectiveness (資訊安全政策實施對資訊安全文化與資訊安全有效性影響之研究)

Parallel Title (English)

A Study of the Effect of Implementing Information Security Policy on Information Security Culture and Information Security Effectiveness in an Organization

DOI

10.6382/JIM.201010.0061

Authors

蘇建源(Chien-Yuan Su);江琬瑂(Wan-Mei Chiang);阮金聲(Jin-Sheng Roan)

Keywords

Information Security Policy ; Information Security Culture ; Information Security Effectiveness (the Chinese keywords 資訊安全政策, 資訊安全文化 and 資訊安全有效性 translate to the same three terms)

Journal

Journal of Information Management (資訊管理學報)

Volume/Issue (Publication Date)

Vol. 17, No. 4 (2010/10/01)

Pages

61 - 87

Language of Content

Traditional Chinese

Chinese Abstract (translated)

As organizations become more dependent on information technology, they face more information security threats. Beyond information security technology, an organization also needs an information security policy that gives it a consistent management standard to follow. Yet many organizations that have already established an information security policy still cannot avoid many information security incidents, and the reason is an organizational culture that neglects the importance of security management. This study explores the relationship between the management activities involved in implementing an information security policy and the establishment of an information security culture, and the influence of the former on the latter. A questionnaire survey was conducted among the information managers of large domestic enterprises, and the data were analyzed using structural equation modeling. The results show: 1. Information security education and awareness promotion, top management support, and sanctions for violating information security rules have a significant positive effect on information security culture. 2. Information security culture has a significant positive effect on perceived information security effectiveness. 3. Information security policy maintenance has a significant effect on the formulation of information security policy documents.

English Abstract

Organizations nowadays rely heavily on information technology to meet their daily operational demands. Because information security incidents continue to occur, protecting information systems is a major problem faced by organizations. An organization's information security is not only a technical issue but also a management issue, and the application of an IS security policy is one of the major mechanisms employed by IS security management. The purpose of this study is to explore the effect of implementing an information security policy on information security culture and information security effectiveness, with a focus on the activities that promote the information security policy. Using the ranking of the top 1000 large businesses compiled by China Credit Information Service, Ltd., we conducted a questionnaire survey of MIS department managers. Structural Equation Modeling (SEM) was applied to analyze the data, and the main findings of the study are as follows. 1. The implementation of an information security policy has positive impacts on information security culture. 2. Information security culture has positive impacts on perceived information security effectiveness. 3. The maintenance of an information security policy has positive impacts on the preparation of information security policy documents.

Subject Classification

Basic and Applied Sciences > Information Science
Social Sciences > Management
Cited By

  1. 陳加屏、宋佩貞、古政元 (2012). Exploring computer virus prevention policies using system dynamics. Journal of Information Management (資訊管理學報), 19(3), 621-652.
  2. 謝佳容、陳良駒、范俊平 (2016). An empirical exploration of cyber warfare security and management topics using the GHSOM technique. Journal of Information Management (資訊管理學報), 23(1), 99-128.
  3. 詹前隆、黃慶裕、黃依賢 (2012). Examining the benefits of adopting an information security management system in organizations. 資訊傳播研究, 3(1), 73-92.