
Graduate student: 林珮妤 / Pei-Yu Lin
Thesis title: 依引文關係來作為技術發展趨勢分析之方法─以資安風險管理研究為例
A Novel Trend Analysis Method with Co-Citation Analysis—A Study on Information Security Risk Management Research
Advisor: 查士朝 / Shi-cho Cha
Committee members: 楊立偉 / Li-wei Yang; 劉顯仲 / John S. Liu
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2010
Academic year of graduation: 98
Language: Chinese
Number of pages: 86
Chinese keywords (translated): information security risk management, citation analysis, document co-citation analysis, main path analysis
Foreign-language keywords: Information security risk management, citation analysis, document co-citation analysis, main path analysis
Usage: 347 views, 16 downloads
Abstract (Chinese, translated):
    Academic research pays increasing attention to information security risk management. Compared with other security research topics, information security risk management has only begun to flourish in recent years, and many of its research issues are still divergent. In addition, the research topics involved in the field of information security risk management are broad, complex and interdisciplinary, which makes it difficult for researchers to enter the field. The purpose of this study is therefore to help researchers interested in information security risk management understand more easily the intellectual structure of the field, its research topics and the relationships between them, and to grasp its trends and probable future directions.
    This study uses the document co-citation method from citation analysis, in the hope that the clustering results reveal the intellectual structure and research topics of the information security risk management field. It also uses the main path method from citation network analysis to understand the developmental trajectory of the field and thereby identify its probable future trends. In addition, we interpret the results of the two methods together and find that they corroborate each other.
    From the analysis results we find that the field of information security risk management can be divided into three major research themes, namely clarifying the fundamental concepts of information security risk management, the discussion of human-made risk, and the application of risk value, and four major research trends, namely quantitative models of information security risk, investment benefit evaluation, the impact of information security incidents on firms' losses, and countermeasures for information risk disclosure. We find that research on information security risk management in the 1990s focused on the issue of "people", examining it through management strategies for staff behavior and training in information security risk awareness within organizations, whereas recent research has taken the application of risk value as its main research issue, for example examining investment in information security risk management controls, determining the optimal information security investment and staffing from the perspective of investment benefit evaluation, examining the impact of information security incidents on firms' market value, and examining the optimal strategy for software vulnerability disclosure.


Abstract (English):
    As people pay more and more attention to information security risk management (ISRM), more and more academic researchers engage in ISRM research. Compared with other security topics, such as cryptography and access control models, the research area of ISRM began to flourish only in recent years, so many research issues are still divergent. Moreover, the research area of ISRM is interdisciplinary in nature, so researchers find it hard to grasp. The purpose of this study is to help researchers who are interested in ISRM understand the intellectual structure of this research area and the relationships between its research topics.
    This study uses document co-citation analysis (DCA) as the basis of document clustering to clarify the intellectual structure and research topics of the ISRM field. Moreover, this study uses main-path analysis to understand the evolutionary trajectories of the ISRM field and grasp probable research directions.
    Based on the analysis results, we divide the field of ISRM into three major research themes: fundamental concept clarifications of information security risks, discussions of human-made risk, and applications of risk value. We also induce four major trends: quantitative models of ISRM, investment benefit evaluation of information security countermeasures, the impact of information security breaches on firms, and the disclosure policy of information security risk. We found that ISRM research in the 1990s focused on qualitative approaches, which investigated ISRM through strategies for staff behavior management and internal information security risk awareness programs. In recent years, however, researchers have focused on applications of risk value as the major research topic: for instance, discussing investment in information security countermeasures from economic aspects and quantitative models, determining the optimal information security investment and staffing from the viewpoint of investment benefit evaluation, discussing the impact of information security incidents on the market value of firms, and the optimal strategy for software vulnerability disclosure. We hope this study may help researchers clarify evolutionary trajectories and predict probable research directions.

Table of contents:
    Chapter 1 Introduction 1
    1.1 Research background and motivation 1
    1.2 Research purpose and contributions 3
    1.3 Chapter overview 5
    Chapter 2 Literature review 6
    2.1 Risk management 6
    2.2 Citation analysis 12
    2.2.1 Bibliographic coupling 15
    2.2.2 Document co-citation 16
    2.2.3 Comparison of bibliographic coupling and document co-citation 17
    2.3 Development history and trend analysis 18
    2.3.1 Growth curve method 19
    2.3.2 Main path analysis 20
    Chapter 3 Research method and design 25
    3.1 Research framework 25
    3.2 Data collection 26
    3.2.1 Data sources 27
    3.2.2 Data storage and cleaning 29
    3.3 Cluster analysis 35
    3.3.1 Document co-citation analysis 36
    3.3.2 Co-citation network diagram 38
    3.3.3 Clustering 41
    3.4 Main path analysis 48
    3.4.1 Citation network diagram 49
    3.4.2 Main path 51
    Chapter 4 Analysis of research results 53
    4.1 Analysis of clustering results 53
    4.1.1 Clarifying the fundamental concepts of information security risk management 55
    4.1.2 Discussion of human-made risk 59
    4.1.3 Application of risk value 62
    4.1.4 Summary 67
    4.2 Analysis of main path results 69
    Chapter 5 Conclusions and recommendations 73
    5.1 Conclusions 73
    5.2 Research limitations and future work 74
    References 76
    Appendix 1 List of documents in the clustering results 80
    Appendix 2 List of documents in the main path results 84