Exploring ISMS Implementations from the Organizational Learning Perspective: A Multi-Case Study in Taiwan

廖耕億(Gen-Yih Liao)；陳昱仁(Yu-Jen Chen)；蕭光妤(Kuang-Yu Hsiao)

資訊安全管理制度 ； 組織學習 ； 安全意識 ； 個案研究 ； Information Security Management System (ISMS) ； Organizational Learning ； Security Awareness ； Case Study

電腦稽核

30期（2014 / 07 / 01）

90 - 103

英文

資訊安全管理制度的建置，是一個牽涉安全、技術、法律、組織、管理等多層面複雜知識的過程。為了瞭解組織於其過程中可能遭遇的阻礙，並且從組織學習觀點找出可能影響導入過程的影響因子，本研究執行質性研究方法，深入探索四個公務單位的資訊安全管理制度導入過程。研究結果發現，組織氣氛、個人與團隊實務、個人與團隊發展、報酬等四因素，與資安管理制度知識的缺乏現象有關。此外，本研究亦發現，資安意識與資安管理制度的文件化、資安管理制度知識與重要性評價、報酬／認同與流程標準化程度四組變數之間，也可能存在相關。本研究從組織學習觀點提出具體建議，希冀輔助相關組織於導入時增強知識體質，提升導入成功的可能性。

Implementing an ISMS is a challenging task, as most workers cannot well deal with information security issues. To realize what obstacles organizations may encounter and to find out whether the organizational learning factors affect the implementation process, this investigation conducted qualitative methodology and interviewed four public organizations in Taiwan. The research findings offer a research model of reduced complexity, which can be validated and tested quantitatively. The results indicate that four factors may lead to insufficient ISMS-related knowledge. Besides, we also find potential relationships may exist between security awareness and ISMS documentation, between ISMS-related knowledge and valuation towards the importance of security management, and between rewards/recognition and standardization. A few conceptual explanations are offered to benefit those organizations which remain in the early phase of ISMS implementation.

1. International Organization for Standardization: Information Technology -Security Techniques -Information Security Management Systems - Requirements, ISO/IEC 27001:2005 (2005).
2. British Standards Institution: Information Security Management Systems -Specification With Guidance for Use, BS7799-2:2002 (2002).
3. International Register of ISMS Certificates: http://www.iso 27001certificates.com/Register%20Search.htm [accessed on 2007/4/13]
4. Ajzen, I.(1991).The Theory of Planned Behavior.Organizational Behavior and Human Decision Processes,50,179-211.
5. Bennett, J.K.,O'Brine, M.J.(1994).Measuring and Building a Learning Organization: A Systems Approach.Eighth IEEE-USA Careers Conference
6. Bennett, J.K.,O'Brine, M.J.(1994).The Building Blocks of the Learning Organization.Training,31,41-49.
7. Chou, Y.(2000).Designing an Assessment Scale for Learning Organizations.Tao-Yuan:National Central University.
8. Cummings, T.G.,Worley, C.G.(2004).Organization Development and Change.South-Western College.
9. Friedlander, F.,Brown, L.D.(1974).Organization development.Annual Review of Psychology,25,313-341.
10. Jan, Z.(2005)。Discovering the Value Behind the BS 7799 Certificate: Experience Sharing After One-year Certification。Information Security，19，28-33。
11. March, J.G.(ed.)(1965).Handbook of Organizations.Chicago, IlL:Rand McNaily.
12. Marquardt, M.J.(1996).Building the Learning Organization: A System Approach to Quantum Improvement and Global Success.New York:McGraw-Hill.
13. Miles, M.B.,Huberman, A.M.(1994).Qualitative Data Analysis: An Expanded Sourcebook.Sage Publications.
14. Nevis, E.C.,DiBella, A.J.,Gould, J.M.(1995).Understanding Organizations as Learning Systems.Sloan Management Review,36,73-85.
15. Peltier, T.R.(2001).Information Security Risk Analysis.New York:Auerbach.
16. Peltier, T.R.(2002).Information Security Policies, Procedures, and Standards.New York:Auerbach.
17. Redding, J.(1997).Hard wiring the Learning Organization.Training & Development,51,61-67.
18. Reynolds, A.,Marquardt, M.J.(1994).The Global Learning Organization.New York:McGraw-Hill.
19. Robbins, S.P.(2001).Organizational Behavior.New Jersey:Prentice-Hall.
20. Rockart, J.F.,Morton, Scott(1984).M.S. Implications of Changes in Information Technology for Corporate Strategy.Interfaces,14,84-95.
21. Shockley-Zalabak, P.(2005).Fundamentals of Organizational Communication.Allyn & Bacon.
22. Wick, C.W.,Leon, L.S.(1995).From Ideas to Action: Creating a Learning Organization.Human Resource Management,34,299-311.