| Graduate student | 陳瑋寧 Wei-nin Chen |
|---|---|
| Thesis title | 運用層級分析法建立資訊安全績效指標權重研究-以某公家機構為例 / A Framework of Aligning Information Security Performance Indicators to Business Objects with AHP- A Case Study on a Major Government Organization industry |
| Advisor | 查士朝 Shi-Cho Cha |
| Committee members | 周子銓, 黃世禎 |
| Degree | 碩士 Master |
| Department | 管理學院 - 管理學院MBA / School of Management, International MBA |
| Year of publication | 2009 |
| Graduating academic year | 97 |
| Language | 中文 (Chinese) |
| Pages | 99 |
| Chinese keywords | 資訊安全、資安指標 |
| English keywords | information security, security metrics |
| Access counts | Views: 191, Downloads: 12 |
The purpose of this study is to explore how an organization can make effective use of information security metrics to evaluate the effectiveness of its information security, so that the organization can readily understand the information and meaning those measurements convey, and, through the data these measurements produce, identify effective and meaningful metrics that improve its risk management and control capability, strengthen its defenses, and give it a comprehensive grasp of its information security.
To date, a wide variety of information security metrics exist, and individual countries have issued many different standards. With so many standards, however, it is hard to find a single, unified and effective method that links each enterprise's or organization's information security policy to its information security indicators.
Against this background, this thesis draws on many papers, standards and books and applies the Analytic Hierarchy Process (AHP) to examine the relative importance of information security measures, producing an effective ranking of the resulting data. The aim is to use AHP to link organizational policies and objectives meaningfully to information security performance indicators, and to construct a meaningful "Information Security Key Performance Measurement Evaluation Form" that the organization can use as its yardstick for measuring information security. Through such analysis and application, the organization can reduce its information security risks and demonstrate the benefits of information security, thereby encouraging senior management to recognize the value of information security management.
Several security metrics have recently been proposed to measure the effectiveness and state of information security in an organization. However, people in an organization may have trouble utilizing these metrics because they may not know how to link the metrics to business objectives.
Therefore, the purpose of this thesis is to propose "A Framework of Aligning Information Security Performance Indicators to Business Objects with AHP - A Case Study on a Major Government Organization industry". In this framework, an organization develops a hierarchical tree of security metrics. The root of the hierarchical tree is the business objective, and its children represent security objectives.
Each security objective can be measured by several security metrics, which can in turn be measured by several sub-metrics. The organization can use the AHP technique to calculate the weight of each metric. In addition to proposing the framework, this study validates it: we survey the literature and develop a hierarchical tree based on it. The questionnaire of this study is designed according to AHP and distributed to the case companies. The case companies can develop a scale based on the results, and use that scale to build an effective relationship between the organizational information security index and organizational strategy. Finally, based on the analysis and application of the scale, executive management will understand the importance of information security management.