隨著電腦的發明以及網際網路的興起，資訊科技蓬勃發展，企業組織仰賴資訊科技系統日深，但伴隨而來的是層出不窮的電腦誤用產生之資訊安全問題，以致於組織中的各類資安風險日趨升高。因此，我國於民國90年時成立了「行政院國家資通安全會報」，積極推動各項資安相關規範及建設，在這些資訊安全的作為當中，最關鍵的影響因子還是「人」。而過去對資訊安全相關的研究多是著重資訊技術面，較少對於與「人」關連性高的資安議題之研究；但從過往資訊安全事件的研究中可知，較難防範的事件大多是由「人」所引起的，例如資安事件中的社交工程攻擊就是利用人性的弱點進行詐騙，攻擊者不需要艱深的技術輔助，僅利用人際關係的互動及心理戰術即可進行犯罪行為。由此可知，光從技術層面分析無法真正解決此類資安事件，而是須藉由理解及管理「人員」的行為，來降低造成資安事件的風險。因此，本研究著重在「人」的行為及管理，試著以制度理論來看組織在落實資訊安全時的行為，並瞭解組織在制度環境下資安行為被形塑的過程。
本研究針對國內一家具半官方色彩的金融機構-- T公司，透過個案研究及深度訪談的方式，探討其進行電子郵件社交工程演練的制度化過程，藉由制度理論分析有關資訊安全環境及制度規範如何形塑組織人員的資安行為模式，並分別從個人、組織及外部環境等三個面向，探討影響行為的因素。由本研究結果得知(1)個人資訊素養越高或是對資訊安全抱持的態度越正面，則對資訊安全的認知越高，組織可利用教育訓練提高人員的資安認知；(2)主管關注力越高，獎懲制度越明確，對組織落實資訊安全的成效幫助越大，而資安人員對演練的干擾則影響衡量郵件資訊安全的正確性；(3)整體環境的資安制度越完善，推動資訊安全的成果越佳。

As the information technology thrives these days following the invention of computer and internet, industrial institutes depend more and more on information technology. However, various kinds of information security risk within institutes are getting higher at the same time due to the misunderstanding of computer. Therefore, our government had set the ‘National Information & Communication Security Taskforce‘ to promote regulations and structures related to information security.
Within all these information security setups, the key factor would be human factor. Researches of information security in the past were mostly concerning about technology issues, while human factor was seldom mentioned. But the most information security accidents are frequently resulted from human factor, such as the social engineering attack which is conducted via the weakness of humanity and manipulation of people relationship. Hence, understanding and managing human behavior is vital to lower information security risk in addition to information technology analysis. This study focuses on human behavior and its management. The behaviors to in force information security in an institute were analysed with institutional theory. The composition of information security behaviors of one institute within institutional environment was also observed.
A financial organization - T unit -which is semi-official was used in this research. The Institutionalization process of email social engineering drill was analyzed via case study and interview. The institutional theory is applied to analyze how information security environment and institutions shape the patterns of information security behavior. Factors related to behavior were discussed from personal, organization, and external environment dimensions. This study found that firstly, the understanding of information security is deeper while one person is more familiar with technology information or he possesses a more positive attitude toward technology information. Hence, education is worthwhile for an organization to improve information security awareness.
Secondly, it is helpful for information security in an organization while the manager pays attention on it and the rewarding system is clear. However, the interference from information security department on the drill would deviate the accuracy on measuring the email information security.
Thirdly, the more comprehensive the institutional environment of information security is, the better result would get on promoting information security.

一、中文文獻
1.文崇一、李亦園、楊國樞、吳聰賢，1978，社會及行為科學研究法，台北：東華
2.王文科，2000，教育研究法，台北：五南
3.行政院，2001，建立我國通資訊基礎建設安全機制計畫(90年至93年)
4.行政院，2009，行政院國家資通安全會報設置要點
5.行政院國家資通安全會報，2005，政府機關(構)資訊安全責任等級分級作業施行計畫
6.行政院國家資通安全會報，2009，國家資通訊安全發展方案(98-101年)
7.林金定、嚴嘉楓、陳美花，2005，質性研究方法：訪談模式與實施步驟分析，身心障礙研究 3(2),p.122-136
8.林綺雲，2002，制度規範與組織同型化：台灣技職院校升格轉型的經驗研究，教育社會學學術研討會
9.陳東升，1992，制度學派理論對正式組織的解析，社會科學論叢（40）,p.111-133
10.黃光雄等譯，2001，質性教育研究：理論與方法，Robert C. Bogdan, Sari Knopp Biklen著，嘉義：濤石
11.嚴祥鸞，1996，參與觀察法，質性研究：理論、方法及本土女性究實例，胡幼慧主編，台北：巨流
二、英文文獻
1.Abercrombie, N., Hill, S. & Turner, B. S., 1986, The Penguin Dictionary of Sociology, Third Edition, Penguin Books
2.Babbie, E., 1999, The Basics of Social Research. Thomson Wadsworth
3.DiMaggio, J. P. and W. W. Powell, 1983, The Iron Cage Revisited : Institutional Isomorphism and Collective Rationality in Organizational Fields. ASR（48）p.147-60
4.Fontana, A. and Frey, J. H., 1998, Collecting Interpreting Qualitative Materials, London:Sage Publications
5.Gay, L. R., 1992, Education Research: Competencies for Analysis and Application. New York:Merrill, p.235-236
6.Hinde, S., 2003, The Law,Cybercrime,Risk Assessment and Cyber Protection., Computers and Security, Vol.22, No.2,p.90-95
7.Myers, M. D., 1997, Qualitative Research IN Information Systems. MIS Quarterly 21(2)p.241-242
8.Meyer, J. W. and Rowan, B., 1977, Institutionalized Organizations:Formal Structure as Myth and Ceremony. American Journal of Sociology 83(2), p.340-363
9.Scott, W. R.,1992, Organizations:Rational,Natural, and Open Systems, 4th,London:Prentice-Hall
10.Scott, W. R.,1995, Institutions and Organizations, Thousand Oaks, CA: Sage
11.Strauss, A. and Corbin, J., 1990, Basics of Qualitative Research: Grounded Theory Procedures and Techniques. Sage Publications, Newbury Park, CA
12.Suddaby, R. 2006, From the editor: What grounded theory is not, Academy of Management Journal, 49(4),p.633-642
13.Thompson, C.B. and Walker, B.L., 1998, Basics of Reserch(Part 12): Qualitative Research. Alr Medical Journal 17:2 April-une 1998
14.Wimmer, R. D. and Dominick, J.R., 1995, Mass Media Research:An Introduction. Thomson Wadsworth
15.Yin, R.K., 1994, Case Study Research:Design and Methods. Sage Publication
16.Yin, R.K., 2001, Case Study Research. Sage Publication
三、網站資料
1.「潮」駭客不偷菜改偷個資網路黑市大批發，網路資訊雜誌，http://news.networkmagazine.com.tw/security/2009/12/09/16517/ ，2009年
2.2008年度資安大調查：景氣壞也別讓資安亮紅燈，網路資訊雜誌，http://news.networkmagazine.com.tw/security/2009/01/19/8394/ ，2009年
3.臺灣期貨交易所：http://taifex.com.tw