Student: 周旺瑩 (Wang-Ying Chou)
Thesis title (Chinese): AHP 和 TOPSIS 方法在選擇隱私控制措施的應用 - 以臺灣金融機構為例
Thesis title (English): The application of AHP and TOPSIS methods in privacy control selection - An Empirical Study of Financial Institution in Taiwan
Advisor: 陳正綱 (Cheng-Kang Chen)
Committee members: 陳正綱 (Cheng-Kang Chen), 欒斌 (Pin Luarn), 葉穎蓉 (Ying-Jung Yeh)
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2021
Graduating academic year: 109 (ROC calendar, 2020-2021)
Language: Chinese
Pages: 129
Keywords (Chinese, translated): financial technology, personally identifiable information, information and communication technology, privacy information management system, privacy controls, multi-criteria decision making, fuzzy logic, analytic hierarchy process, technique for order of preference by similarity to ideal solution
Keywords (English): FinTech, PII, ICT, PIMS, Privacy controls, MCDM, Fuzzy logic, AHP, TOPSIS
Views: 307; downloads: 8
    Abstract (Chinese, translated):
    In recent years, innovation in information technology has produced new business models, in particular the development of financial technology. Offering customers new technology-based experiences inevitably affects the existing operating procedures and data protection risks of PII controllers and processors. Traditional financial institutions facing the challenges brought by FinTech will have to treat data protection and privacy risk as part of organisational information governance. To ensure that the ICT systems or services used by emerging technologies are capable of protecting data and privacy, financial institutions will therefore keep their attention on designing and planning appropriate privacy controls.
    Since the EU adopted the General Data Protection Regulation, attention to privacy risk has concentrated on compliance with privacy and data protection law, including the rules on cross-border transfer of PII to countries or regions with inadequate privacy law, while comparatively little research has addressed the selection of, and strategy for, security measures for personal data files. Financial institutions in Taiwan are not without existing standards or guidelines to follow: on security, BS 10012 uses a security assessment to confirm that appropriate security measures and controls are in place, and ISO/IEC 27701 extends the ISO/IEC 27002 information security controls with implementation guidance and other information for the specific requirements of a privacy information management system. If an organisation selects inappropriate privacy controls and does not consider the differing expectations or requirements of the privacy frameworks, the personal data files it holds may be stolen, altered, damaged, destroyed or disclosed, resulting in customer loss, financial loss and even reputational harm.
    This study applies multi-criteria decision making, the analytic hierarchy process and TOPSIS to help financial institutions determine the best countermeasures for privacy protection and the priority order and selection of controls. A numerical case further shows, step by step, how a Taiwanese financial institution can use the method to prioritise privacy controls.


    Abstract (English):
    In recent years, information technology innovation has continued to produce new business models, especially in the development of financial technology (FinTech). For Personally Identifiable Information (PII) controllers and processors, providing customers with new technological experiences is bound to affect the organisation's existing operating procedures and its data protection risks. Financial institutions will therefore pay attention to designing and planning appropriate privacy controls, to ensure that the Information and Communication Technology (ICT) systems or services used by emerging technologies are able to protect data and privacy.
    Since the European Union (EU) adopted the General Data Protection Regulation (GDPR), work on privacy risk has focused on compliance with privacy and data protection laws, including, for example, the rules on cross-border transfer of PII to countries or regions with inadequate privacy laws. Far less research has addressed the selection of, and strategy for, PII security measures and controls. Financial institutions in Taiwan are not without existing standards or guidelines to follow: in its security clauses, BS 10012 requires a security assessment to establish whether the existing security controls are adequate, and ISO/IEC 27701 extends ISO/IEC 27001 and ISO/IEC 27002 with Privacy Information Management System (PIMS)-specific control objectives, controls and implementation guidance. If an organisation chooses inappropriate privacy controls and fails to consider the differing expectations or requirements of the privacy frameworks, the personal data it holds may be stolen, altered, damaged, destroyed or disclosed, resulting in customer churn, financial loss and even reputational damage.
    This study applies Multi-Criteria Decision Making (MCDM), specifically the Analytic Hierarchy Process (AHP) and the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS), to help financial institutions prioritise and select the best countermeasures or controls. A numerical analysis then walks step by step through the use of the method in Taiwan's financial institutions to prioritise countermeasures or controls for data protection and privacy management.
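    The AHP-then-TOPSIS pipeline summarised above, as an added worked example that is not the thesis's own code or data: the criteria, the pairwise comparison matrix, the candidate privacy controls and their 1-9 scores are all constructed here for illustration, and the crisp (non-fuzzy) forms of AHP and TOPSIS are used, whereas the thesis applies the fuzzy variants with triangular numbers. The example carries the method through the two checks a practitioner needs before trusting a ranking: Saaty's consistency ratio, which rejects intransitive expert judgements before they reach the ranking stage, and the separate treatment of cost and benefit criteria when the positive and negative ideal solutions are formed.

```python
import math

# Random Index for n x n reciprocal matrices (Saaty 1980), used in the consistency check.
SAATY_RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# Assumed criteria for this example (the thesis's own criteria are not on this page).
# True = benefit criterion (higher is better), False = cost criterion (lower is better).
CRITERIA = {
    "risk reduction": True,
    "regulatory coverage": True,
    "implementation cost": False,
    "operational burden": False,
}

# Constructed pairwise comparison matrix on Saaty's 1-9 scale, standing in for an
# expert questionnaire: entry [i][j] = how much more important criterion i is than j.
CRITERIA_PAIRWISE = [
    [1,   2,   4, 4],
    [1/2, 1,   2, 2],
    [1/4, 1/2, 1, 1],
    [1/4, 1/2, 1, 1],
]

# Constructed 1-9 scores of four hypothetical candidate controls against the criteria.
CANDIDATE_CONTROLS = {
    "PII encryption at rest and in transit":        [8, 7, 6, 4],
    "RBAC with periodic access review":             [7, 8, 4, 5],
    "Data minimisation and pseudonymisation":       [6, 9, 7, 6],
    "Access logging and monitoring of PII systems": [5, 6, 3, 3],
}


def ahp_weights(matrix):
    """Return (weights, consistency_ratio) for a reciprocal pairwise comparison matrix.

    Weights are normalised row geometric means (the crisp form of the method Buckley
    later fuzzified); lambda_max is estimated as the mean of (A w)_i / w_i.
    """
    n = len(matrix)
    for i in range(n):
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"matrix is not reciprocal at ({i},{j})")
    geo = [math.prod(row) ** (1.0 / n) for row in matrix]
    weights = [g / sum(geo) for g in geo]
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    cr = ci / SAATY_RI[n] if SAATY_RI[n] else 0.0
    return weights, cr


def topsis(alternatives, weights, benefit_flags):
    """Rank alternatives by relative closeness to the ideal solution (Hwang & Yoon 1981).

    Vector normalisation, weighting, then Euclidean distance to the positive ideal
    (best value per criterion) and the negative ideal (worst value per criterion).
    For cost criteria "best" is the minimum, which is what benefit_flags encodes.
    """
    names = list(alternatives)
    x = [alternatives[name] for name in names]
    m = len(weights)
    norms = [math.sqrt(sum(row[j] ** 2 for row in x)) for j in range(m)]
    v = [[weights[j] * row[j] / norms[j] for j in range(m)] for row in x]
    best = [max(col) if benefit_flags[j] else min(col) for j, col in enumerate(zip(*v))]
    worst = [min(col) if benefit_flags[j] else max(col) for j, col in enumerate(zip(*v))]
    ranked = []
    for name, row in zip(names, v):
        d_plus = math.sqrt(sum((row[j] - best[j]) ** 2 for j in range(m)))
        d_minus = math.sqrt(sum((row[j] - worst[j]) ** 2 for j in range(m)))
        ranked.append((name, d_minus / (d_plus + d_minus)))
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def rank_privacy_controls(max_cr=0.1):
    """Full pipeline: AHP weights -> consistency gate -> TOPSIS ranking of the controls."""
    weights, cr = ahp_weights(CRITERIA_PAIRWISE)
    if cr > max_cr:
        raise ValueError(f"inconsistent judgements (CR={cr:.2f} > {max_cr}); re-elicit the comparisons")
    return topsis(CANDIDATE_CONTROLS, weights, list(CRITERIA.values()))


if __name__ == "__main__":
    w, cr = ahp_weights(CRITERIA_PAIRWISE)
    for name, weight in zip(CRITERIA, w):
        print(f"{name:<22} weight={weight:.3f}")
    print(f"consistency ratio={cr:.3f}")
    for position, (name, closeness) in enumerate(rank_privacy_controls(), 1):
        print(f"{position}. {name}: closeness={closeness:.3f}")
```

    A consistency ratio above 0.1 means the expert's judgements contradict each other (A preferred to B, B to C, C to A); the right response is to return the questionnaire to the expert, not to normalise the matrix and carry on. The ordering produced here follows entirely from the constructed scores and is not a recommendation for any institution.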

    Table of contents
    Abstract (Chinese) I
    Abstract (English) II
    Acknowledgements IV
    Contents V
    List of Figures VII
    List of Tables VIII
    Chapter 1 Introduction 1
      1.1 Research background and motivation 2
      1.2 Research purpose and significance 4
      1.3 Research framework 6
    Chapter 2 Literature review 7
      2.1 Standards and guidelines for data protection and privacy 7
      2.2 Multi-criteria decision making 15
      2.3 Fuzzy analytic hierarchy process 17
      2.4 TOPSIS 19
    Chapter 3 Research method 20
      3.1 Identifying the criteria and sub-criteria of privacy control solutions 21
      3.2 Fuzzy AHP 26
      3.3 TOPSIS 33
    Chapter 4 Analysis and results 36
      4.1 Criteria weights computed with fuzzy AHP 36
      4.2 Evaluation of alternatives with fuzzy TOPSIS 45
    Chapter 5 Conclusions and recommendations 52
      5.1 Research conclusions 52
      5.2 Theoretical contributions 55
      5.3 Practical implications and future work 56
    References 57
    Appendices 62
      Appendix 1 Fuzzy AHP expert questionnaire 62
      Appendix 2 Fuzzy TOPSIS questionnaire 91

    1.Adler, M. and Ziglio, E., (1996), ”Gazing into the Oracle: The Delphi Method and its Application to Social Policy and Public Health”, Jessica Kingsley Publishers.
    2.Almeida, L. and Respício, A., (2018), “Decision Support for Selecting Information Security Controls”, Journal of Decision Systems 27, 173–180.
    3.Al-Safwani, N., Hassan, S. and Katuk, N., (2014), “A Multiple Attribute Decision Making for Improving Information Security Control Assessment”, International Journal of Computer Applications 89, 19–24.
    4.Anwar, M. and Gill, A., (2020), "Developing an Integrated ISO 27701 and GDPR based Information Privacy Compliance Requirements Model", ACIS 2020 Proceedings 20.
    5.Asia-Pacific Economic Cooperation (APEC), (2005), “APEC Information Privacy Principles”, APEC Privacy Framework, 16-40.
    6.Bagher Javanbarg, M., Scawthorn, C., Kiyono, J. and Shahbodaghkhan, B., (2012), “Fuzzy AHP-based Multicriteria Decision Making Systems Using Particle Swarm Optimization”, Expert Systems with Applications 39, 960-966.
    7.Barabanov, A., Markov, A. and Tsirlov, V., (2018), “Information Security Controls Against Cross-Site Request Forgery Attacks on Software Applications of Automated Systems”, IOP Publishing, 042034.
    8.Barnard, L. and Von Solms, R., (2000), “A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls”, Computers & Security 19, 185–194.
    9.Buckley, J. J., (1985), “Fuzzy Hierarchical Analysis”, Fuzzy Sets and Systems 17(3), 233-247.
    10.Chang, D. Y., (1996), “Applications of the Extent Analysis Method on Fuzzy AHP”, European Journal of Operational Research 95, 649-655.
    11.De Haes, S. and Van Grembergen, W., (2020), “COBIT as a Framework for Enterprise Governance of IT”, Enterprise Governance of Information Technology, 125-162.
    12.Dorfleitner, G. and Hornuf, L., (2019), “FinTech and Data Privacy in Germany: An Empirical Analysis with Policy Recommendations”, Springer International Publishing.
    13.European Parliament and Council of the European Union, (1995), “European Directive 95/46/EC”, https://europa.eu/.
    14.European Parliament and Council of the European Union, (2016), “General Data Protection Regulation (EU) 2016/679”, https://europa.eu/.
    15.Financial Supervisory Commission R.O.C. (Taiwan), (2016), “Regulations Governing the Financial Supervisory Commission's Security Measures Plan for Personal Information Files at Private Agencies”, https://law.moj.gov.tw/.
    16.Hwang, C. L. and Yoon, K., (1981), “Multiple Attribute Decision Making Methods and Applications”, Springer-Verlag, New York.
    17.Imran Tariq, M., Tayyaba, S., Ali Mian, N., Shahzad Sarfraz, M., De-la-Hoz-Franco, E., Butt, S. A., Santarcangelo, V. and Rad, D. V., (2020), “Combination of AHP and TOPSIS Methods for the Ranking of Information Security Controls to Overcome its Obstructions under Fuzzy Environment”, Journal of Intelligent & Fuzzy Systems 38, 6075–6088.
    18.International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), (2011), “ISO/IEC 29100: Information Technology — Security techniques — Privacy Framework”, https://www.iso.org/.
    19.International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), (2013), “ISO/IEC 27001: Information Technology — Security techniques — Information Security Management Systems — Requirements”, https://www.iso.org/.
    20.International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), (2013), “ISO/IEC 27002: Information Technology — Security Techniques — Code of Practice for Information Security Management”, https://www.iso.org/.
    21.International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), (2015), “ISO/IEC 27017: Information Technology — Security Techniques — Code of Practice for Information Security Controls based on ISO/IEC 27002 for Cloud Services”, https://www.iso.org/.
    22.International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), (2019), “ISO/IEC 27018: Information Technology — Security Techniques — Code of Practice for Protection of Personally Identifiable Information (PII) in public Clouds Acting as PII Processors”, https://www.iso.org/.
    23.International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), (2019), “ISO/IEC 27701: Security Techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management — Requirements and Guidelines”, https://www.iso.org/.
    24.International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), (2021), “ISO/IEC Directives, Part 1 Procedures for the Technical Work: Consolidated ISO Supplement — Procedures Specific to ISO”, https://www.iso.org/.
    25.Junior, F. R. L., Osiro, L. and Carpinetti, L.C.R., (2014), “A Comparison between Fuzzy AHP and Fuzzy TOPSIS Methods to Supplier Selection”, Applied Soft Computing 21, 194–209.
    26.Khajouei, H., Kazemi, M. and Moosavirad, S. H., (2017), “Ranking Information Security Controls by Using Fuzzy Analytic Hierarchy Process”, Information Systems and E-Business Management 15, 1–19.
    27.Khalif, K., Naim, K. M., Gegov, A., Bakar, A. and Syafadhli, A., (2017), “Hybrid Fuzzy MCDM Model for Z-numbers Using Intuitive Vectorial Centroid”, Journal of Intelligent & Fuzzy Systems 33, 791–805.
    28.Lin, H. F., (2013), “Determining the Relative Importance of Mobile Banking Quality Factors”, Computer Standards & Interfaces 35(2), 195-204.
    29.Llansó, T., (2012), “CIAM: A Data-driven Approach for Selecting and Prioritizing Security Controls”, IEEE, 1–8.
    30.Lv, J. J., Zhou, Y. S. and Wang, Y.Z., (2011), “A Multi-criteria Evaluation Method of Information Security Controls”, 2011 Fourth International Joint Conference on Computational Sciences and Optimization, 190–194.
    31.McCandless, D. and Evans, T., (March 2021), “World’s Biggest Data Breaches & Hacks”, https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/.
    32.Natarajan, T., Balasubramanian, S. A. and Manickavasagam, S., (2010), “Customer’s Choice amongst Self Service Technology (SST) Channels in Retail Banking: A Study Using Analytical Hierarchy Process (AHP)”, Journal of Internet Banking and Commerce 15(2), 1-16.
    33.National Development Council of the Executive Yuan, R.O.C., (2016), “Personal Data Protection Act”, https://law.moj.gov.tw/.
    34.National Development Council of the Executive Yuan, R.O.C., (2016), “Enforcement Rules of the Personal Data Protection Act”, https://law.moj.gov.tw/.
    35.Organization for Economic Cooperation and Development (OECD), (2013), “Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data”, The OECD Privacy Framework, 11-17.
    36.Otero, A.R., Tejay, G., Otero, L. D. and Ruiz-Torres, A. J., (2012), “A Fuzzy Logic-based Information Security Control Assessment for Organizations”, IEEE, 1–6.
    37.Phan, K. and Daim, T., (2011), “Exploring Technology Acceptance for Mobile Services”, Journal of Industrial Engineering and Management 4(2), 339-360.
    38.Rees Safari, M. and Jiang, Q., (2018), “The Theory and Practice of IT Governance Maturity and Strategies Alignment: Evidence from Banking Industry”, Journal of Global Information Management 26(2), 127-146.
    39.Ribeiro, J. and Gomes, R., (2009), “IT Governance Using COBIT Implemented in A High Public Educational Institution: a Case Study”, Computing and Computational Intelligence, 41-52.
    40.Saaty, T. L., (1980), “The Analytic Hierarchy Process”, McGraw-Hill, New York.
    41.Saaty T. L. and Kearns, K. P., (1985), “Analytic Planning: The Organization of Systems”, Pergamon Press, UK.
    42.Saaty, T. L., (1988), “What is the Analytic Hierarchy Process?”, Mathematical Models for Decision Support, Springer, 109–121.
    43.Saaty, T. L., (1990), “Decision Making For Leaders-the Analytic Hierarchy Process for Decisions in a Complex World”, RWS Publications.
    44.The British Standards Institution (BSI), (2017), “BS 10012: Data Protection. Specification for A Personal Information Management System”, https://www.bsigroup.com/.
    45.Van Laarhoven, P. J. M. and Pedrycz, W., (1983), “A Fuzzy Extension of Saaty's Priority Theory”, Fuzzy Sets and Systems 11(1–3), 229-241.
    46.Wang, T. C. and Lee, H. D., (2009), “Developing a Fuzzy TOPSIS Approach Based on Subjective Weights and Objective Weights”, Expert Systems with Applications 36(5), 8980-8985.
    47.Wind, Y. and Saaty, T. L., (1980), “Marketing Applications of the Analytic Hierarchy Process”, Management Science 26(7), 641-658.
    48.Yong, D., (2006), “Plant Location Selection Based on Fuzzy TOPSIS”, The International Journal of Advanced Manufacturing Technology 28, 839–844.
    49.Yoon, K. P. and Hwang, C. L., (1985), “Manufacturing plant location analysis by multiple attribute decision making: Part I single-plant strategy”, International Journal of Production Research 23(2), 345-359.
    50.Yoon, K. P. and Hwang, C. L., (1995), “Multiple Attribute Decision Making: An Introduction”, Quantitative Applications in the Social Sciences 104.
    51.Zadeh, L. A., (1965), “Fuzzy sets”, Information and Control 8, 338-353.
    52.Zadeh, L. A., (1975), “Fuzzy Logic and Approximate Reasoning”, Synthese 30, 407-428.
    53.Zimmermann, H. J., (1991), “Fuzzy Set Theory and Its Applications”, Springer, Dordrecht.

    Full text available from 2024/09/09 (off-campus network)
    Full text available from 2024/09/09 (National Central Library: Taiwan NDLTD system)