
Student: 何昕宸 (Sin-Chen Ho)
Thesis title: The relationship between information security auditor, audited enterprises, auditees and information security management system performance
Chinese title: 探討稽核員、受稽企業特質與受稽者的態度對於企業之資訊安全管理系統效能的影響 (literally, "Exploring how auditors, the characteristics of audited enterprises and the attitude of auditees affect the performance of an enterprise's information security management system")
Advisors: 朱宇倩 (Yu-Qian Zhu), 楊維寧 (Wei-Ning Yang)
Committee member: 陳鴻基
Degree: Master
Department: Department of Information Management, College of Management (管理學院 - 資訊管理系)
Year of publication: 2016
Graduation academic year: 104
Language: Chinese
Pages: 74
Keywords (Chinese): 資訊安全稽核 (information security audit); 資訊安全管理系統效能 (information security management system performance)
Keywords (English): Information security audit, information security management system performance
Record statistics: 290 views, 0 downloads
Abstract (Chinese, translated):
    Taiwan has been actively promoting its information and communications security infrastructure and has enacted laws, regulations and national standards on information security and privacy protection, which shows the importance the country places on ICT security. With the adoption of information technology, enterprises face information security challenges arising from that technology every day; ensuring information security through audit activities shows that information security auditing has become an indispensable activity in enterprises.
    This study investigates how the competence of information security management auditors, the objectivity of the audit, the audited enterprise's emphasis on information security and the attitude of auditees affect the performance of the enterprise's information security management system, as a reference for enterprise information security planning.
    The study adopts the quantitative research method of the social sciences. Respondents were auditors who had performed information security audits of the same enterprise or organization two or more times; 98 valid questionnaires were collected and analysed with Smart PLS. By comparing the two successive information security audits reported in each questionnaire, the study examines the causal relationship and explores how the auditor, the objectivity of the audit, the characteristics of the audited enterprise and the attitude of auditees influence the performance of the enterprise's information security management system, identifying the factors that affect that system.
    The results show that auditor competence, audit objectivity and auditee attitude are significantly and positively related to information security management system performance. The study recommends that enterprises select highly competent information security auditors, increase the objectivity of information security audits, and help internal auditees understand the value of information security to the enterprise itself, in order to improve the performance of the enterprise's information security management system.


Abstract (English):
    The Taiwanese government has been actively promoting ICT security infrastructure work in recent years, setting regulations and national standards on information security, information technology applications and privacy protection. With the introduction of information technology, enterprises and organizations face information security challenges every day. Enterprises ensure the safety and security of their assets through audit activities, which have become an integral part of enterprise operations.
    This study investigates the relationship between several factors, namely the competence of the information security management auditor, the objectivity of the audit, the attitude of the audited enterprise towards information security and the attitude of auditees, and their influence on the audited enterprise's information security management system performance. Ninety-eight questionnaires were collected from information security auditors who had audited the same enterprise or organization at least twice. Smart PLS was used to analyze the data.
    The results show that the auditor's competence, the objectivity of the information security audit and the attitude of auditees have a significant positive impact on the effectiveness of the information security management system. The study recommends that enterprises hire highly competent information security auditors, increase the objectivity of information security audits, and ensure employees understand the value of information security to the enterprise itself, in order to enhance the efficacy of the information security management system.

Table of contents:
    Chapter 1 Introduction 1
        1.1 Research background 3
        1.2 Research motivation 5
        1.3 Research objectives 7
    Chapter 2 Literature review 8
        2.1 Information security and information security management systems 8
        2.2 System performance indicators and performance evaluation methods 16
        2.3 Auditing and audit quality 22
        2.4 Information security auditing 26
    Chapter 3 Research framework and hypotheses 29
        3.1 Research framework 29
        3.2 Research hypotheses 31
    Chapter 4 Research method 38
        4.1 Research subjects and data collection method 38
        4.2 Questionnaire design 39
        4.3 Analysis method 45
    Chapter 5 Research results 48
        5.1 Descriptive statistics 48
        5.2 Reliability analysis 51
        5.3 Common method variance analysis 53
        5.4 Hypothesis testing results 54
        5.5 Mediation effect test 57
    Chapter 6 Conclusions and recommendations 59
        6.1 Conclusions 59
        6.2 Managerial implications and research contributions 62
        6.3 Research limitations and recommendations 64
    References 67


Full text available from 2021/01/18 (campus network)
    Full text not authorized for public release (off-campus network)
    Full text not authorized for public release (National Central Library: Taiwan doctoral and master's theses system)