
Student: 蔡思達 (Ssu-ta Tsai)
Thesis title: 以適用性結構化理論探討資訊安全導入之徵用過程與成效
The Appropriation Process and Outcomes of Information Security Management System Implementation – An Adaptive Structuration Theory Perspective
Advisor: 周子銓 (Tzu-Chuan Chou)
Oral examination committee: 羅乃維 (Nai-Wei Lo), 白榮吉 (Jung-Chi Pai)
Degree: Master
Department: 管理學院 - 資訊管理系 (College of Management, Department of Information Management)
Year of publication: 2007
Academic year of graduation: 95 (ROC calendar)
Language: Chinese
Number of pages: 139
Chinese keywords: 資訊安全, 資訊安全管理, 資訊安全管理系統, 適應性結構化理論
English keywords: Information Security, Information Security Management, Information Security Management System, Adaptive Structuration Theory
    With the rapid development of information technology and the Internet, information assets have long since become the most important factor in a firm's pursuit of competitive advantage. Consequently, ensuring that information can be used as intended, so as to avoid the loss of and damage to manpower, money and even reputation caused by information security incidents, has become one of the important issues that today's enterprises must understand in running their business. Once the Information Security Management System (ISMS) promoted by the British Standards Institution (BSI) had gradually been shown to be the best practice in information security management, enterprises and organizations around the world joined the ranks of those seeking certification, in order to demonstrate their own security posture.
    Past discussion of information security issues has emphasized the improvement and study of technical protection and has comparatively neglected research on information security management from the organizational-behaviour perspective. Beyond external threats, information security incidents also carry a considerable degree of risk from within the organization, so top management should likewise pay attention to whether the organization has an appropriate information security management mechanism. However, research on how organizations implement an ISMS is still lacking. This study therefore applies Adaptive Structuration Theory, previously used to examine the introduction of group decision support systems, to explore the appropriation process that arises when an organization implements an ISMS and the influence of social interaction.
    Through the collection and synthesis of relevant literature and the qualitative case study method, this study gathered case data through interviews with four private enterprises and government agencies that had all obtained ISMS certification but differed in their business and organizational characteristics. The study found that differing "organizational contexts" led firms to set different goals, which in turn affected how stable the ISMS appropriation process was. At the same time, "project complexity", "personnel involvement" and the "internal organizational environment" also affected the overall interaction process, producing appropriation outcomes of varying quality. Although some organizations' appropriation outcomes were less than ideal, under the standard's requirement for periodic review the ISMS still had a good effect on improving the organization's information security capability. The findings of this study can help enterprises plan more thoroughly and manage the ISMS appropriation process before implementing an ISMS, so as to maximize benefits with limited resources.


    Along with the flourishing development of information technology (IT) and the Internet, information assets are now of critical importance to firms' competitive advantage. To avoid information security incidents, which may lead to a serious loss of a firm's time, money and reputation, more effort is needed for enterprises to secure their information assets. In particular, since the Information Security Management System (ISMS) promoted by BSI has been proved to be the "best practice" for information security management, more and more organizations are seeking ISMS certification to demonstrate their security capabilities.
    However, previous studies have mainly focused on the improvement and investigation of technical protection and have neglected the organizational perspectives of information security management. To address this gap, the main purpose of this study is to explore the appropriation process in the development of an ISMS in terms of Adaptive Structuration Theory (AST). Drawing on four cases from Taiwan's public and private sectors, both the appropriation process and the social interactions of adopting an ISMS are examined. Based on evidence from the cases, this study found that several factors, such as organizational context, project complexity, stakeholders' participation, and institutional context, influence the appropriation process and social interactions. The implications and future research directions are also discussed.

    Table of Contents
    Abstract (Chinese) I
    Abstract (English) III
    Acknowledgements IV
    Table of Contents V
    List of Tables VIII
    List of Figures IX
    Chapter 1 Introduction 1
      1.1 Research Background and Motivation 1
      1.2 Research Questions and Objectives 3
        1.2.1 Research Questions 3
        1.2.2 Research Objectives 4
      1.3 Research Scope and Process 4
        1.3.1 Research Scope 4
        1.3.2 Research Process 4
      1.4 Thesis Structure 7
    Chapter 2 Literature Review 8
      2.1 Information Security 8
        2.1.1 Definition of Information Security 8
        2.1.2 Issues Related to Information Security and Information Security Management 8
      2.2 Information Security Management System (ISMS) 9
        2.2.1 Definition of an Information Security Management System 9
        2.2.2 Overview of ISMS 10
      2.3 Adaptive Structuration Theory (AST) 16
        2.3.1 Adaptive Structuration Theory 16
        2.3.2 The Adaptive Structuration Theory Model 19
    Chapter 3 Research Method 24
      3.1 Research Strategy 24
        3.1.1 Qualitative Research 24
        3.1.2 Case Study 25
      3.2 Case Study Design 27
      3.3 Data Collection Methods 28
        3.3.1 Interviews 28
        3.3.2 Documents and Records 29
      3.4 Data Analysis Method and Interview Question Design 30
      3.5 Selection of Research Subjects and Interviews 31
        3.5.1 Selection of Research Subjects 31
        3.5.2 Sources of Interview Data 32
    Chapter 4 Research Framework and Case Study Analysis 33
      4.1 Research Framework and Its Derivation 33
        4.1.1 The Spirit (Goals) of ISMS 33
        4.1.2 The Structural Features (Capabilities) of ISMS 35
        4.1.3 Other Structures 40
        4.1.4 ISMS Implementation and the Appropriation Process 41
        4.1.5 Research Framework 45
      4.2 Case Analysis 48
        4.2.1 Organization F 48
        4.2.2 Company V 60
        4.2.3 Company H 75
        4.2.4 Organization N 87
      4.3 Cross-Case Comparison and Conclusions 100
    Chapter 5 Discussion and Conclusions 112
      5.1 Comparison with Previous ISMS Research Findings 112
        5.1.1 Organizational Context 112
        5.1.2 Project Complexity 113
        5.1.3 Internal Organizational Environment 113
        5.1.4 Degree of Personnel Involvement 114
        5.1.5 Periodic Review Required by the Standard 114
      5.2 Research Contributions and Concrete Recommendations 114
      5.3 Research Limitations and Future Research Directions 117
      5.4 Conclusion 117
    Chapter 6 References 119
    Appendix: Interviewee Information and Summary of Interview Questions for the Case Companies 127
