Title

Key Driving Forces behind Change in the Information Security Strategies of Taiwan's Public and Private Sectors

Parallel title (English)

The Major Driving Forces behind Taiwan's Public and Private Sectors' Information Security Strategies

Authors

游佳萍(Chia-Ping Yu);趙慕芬(Mu-Fen Chao);林美齡(Mei-Ling Lin)

Keywords

Information security strategy; PEST analysis; Content analysis; Public sector; Private sector

Journal

資訊管理學報 (Journal of Information Management)

Volume/Issue (publication date)

Vol. 30, No. 3 (31 July 2023)

Pages

287 - 314

Language

Traditional Chinese; English

Abstract (translated from the Chinese)

Frequent information security incidents damage an organization's competitiveness, so attention to information security strategy has become a baseline obligation. When an organization strengthens its security posture by establishing or promoting an information security strategy, it is in effect carrying out organizational change; the forces that push an organization away from the status quo and toward change are called driving forces. Which driving forces matter most when organizations strengthen their information security is the focus of this study. The study adopts the four dimensions of the PEST environmental-scanning tool, namely political and legal, economic and cost, social and cultural, and technological, as its analytical framework. Through in-depth interviews with three information security consultants, information on 15 cases was obtained, and the interview data were organized using content analysis to understand the role each of the four PEST dimensions plays in driving information security strategy. The study has several findings. First, the social and cultural dimension is the primary dimension affecting public-sector security strategy, whereas for the private sector the primary dimension is technology. Second, both the public and private sectors attach importance to employees' information security awareness, consultants' professional security expertise, and the cost of information security investment. Third, within the technological dimension, the indicators that influence the public sector and the private sector's financial and high-tech industries diverge considerably. Finally, the study identifies, from a macro-environmental perspective, the environmental factors that the public and private sectors emphasize most when facing information security issues. The results can help the public and private sectors formulate more efficient information security strategies.

Abstract (English)

This study investigates the driving forces behind information security strategy: frequent information security incidents damage an organization's competitiveness, and establishing such a strategy is in effect an organizational transformation that requires an impetus. Using the PEST framework, three information security consultants were interviewed about 15 cases, and the interview data were analyzed with content analysis. The study found: First, the public and private sectors place equal weight on information security awareness, consultant expertise, and investment costs. Second, technology dominates information security strategy in the private sector, while social culture dominates in the public sector. Third, within the technology dimension, the indicators that matter to the public sector and to the private financial and high-tech industries differ. Finally, the study identifies the environmental factors that are most significant to the public and private sectors when addressing information security issues from a macro-environmental perspective. These findings can help the public and private sectors develop effective information security strategies.

Subject classification

Basic and Applied Sciences > Information Science; Social Sciences > Management