資訊安全評估準則層級結構之研究 | A Study of Hierarchical Structure of Information Security Valuation Criteria

• Main Author: 洪國興、季延平、趙榮耀 Kwo-Shing Hong、Yen-Ping Chi、 Louis R. Chao
• Format: Article
• Language: English
• Published: National Taiwan Normal University 2003-10-01
• Series: Tushuguanxue yu Zixun Kexue
• Online Access: http://jlis.glis.ntnu.edu.tw/ojs/index.php/jlis/article/view/418

<p>頁次：22-44</p><p class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-layout-grid-align: none;"><span style="font-size: small;"><span style="font-family: "新細明體","serif"; mso-ascii-font-family: 'Times New Roman'; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast; mso-hansi-theme-font: minor-fareast;">各種調查或研究均顯示，資訊安全事故的發生比例與其所造成的財務損失均不斷上升。美國</span><span style="mso-fareast-font-family: 新細明體; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast;" lang="EN-US"><span style="font-family: Times New Roman;">911</span></span><span style="font-family: "新細明體","serif"; mso-ascii-font-family: 'Times New Roman'; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast; mso-hansi-theme-font: minor-fareast;">事件、台灣納莉颱風的水災、財金公司的舞弊案等，均顯示隨著資訊科技的快速發展，資訊系統使用者的範圍不斷擴大，組織對資訊系統依賴程度的提高，資訊安全因而日愈重要。但組織資訊安全如何評估？應考慮那些評估準則？尚乏實証研究。本研究以資訊安全管理「整合系統理論」（</span><span style="mso-fareast-font-family: 新細明體; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast;" lang="EN-US"><span style="font-family: Times New Roman;">Integrated System Theory</span></span><span style="font-family: "新細明體","serif"; mso-ascii-font-family: 'Times New Roman'; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast; mso-hansi-theme-font: minor-fareast;">）為基礎，經由因素分</span></span><span style="font-size: small;"><span style="font-family: "新細明體","serif"; mso-ascii-font-family: 'Times New Roman'; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast; mso-hansi-theme-font: minor-fareast;">析、名目群組技術（</span><span style="mso-fareast-font-family: 新細明體; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast;" lang="EN-US"><span style="font-family: Times New Roman;">Nominal Group Technique</span></span><span style="font-family: "新細明體","serif"; mso-ascii-font-family: 'Times New Roman'; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast; mso-hansi-theme-font: minor-fareast;">）的程序，匯集專家意見，建構「資訊安全評估準則層級結構」，共有</span><span style="mso-fareast-font-family: 新細明體; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast;" lang="EN-US"><span style="font-family: Times New Roman;">9</span></span><span style="font-family: "新細明體","serif"; mso-ascii-font-family: 'Times New Roman'; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast; mso-hansi-theme-font: minor-fareast;">個評估構面，</span><span style="mso-fareast-font-family: 新細明體; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast;" lang="EN-US"><span style="font-family: Times New Roman;">37</span></span><span style="font-family: "新細明體","serif"; mso-ascii-font-family: 'Times New Roman'; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast; mso-hansi-theme-font: minor-fareast;">項評估準則，可作為組織規劃資訊安全策略之參考，亦可作為繼續發展「資訊安全多準則評估模式」（</span><span style="mso-fareast-font-family: 新細明體; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast;" lang="EN-US"><span style="font-family: Times New Roman;">Information Security Multiple Criteria Valuation Model</span></span><span style="font-family: "新細明體","serif"; mso-ascii-font-family: 'Times New Roman'; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast; mso-hansi-theme-font: minor-fareast;">）的基礎，實為資訊安全管理實証研究的重要里程碑。</span><span style="mso-fareast-font-family: 新細明體; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast;" lang="EN-US"></span></span></p><p class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-layout-grid-align: none;"><span style="mso-fareast-font-family: 新細明體; mso-font-kerning: 0pt; mso-fareast-theme-font: minor-fareast;" lang="EN-US"><span style="font-size: small;"><span style="font-family: Times New Roman;">Most results of various investigations and studies have shown that the percentage of information security accidents occurred and the financial losses caused are increasing continuously. September 11 attacks in the U.S.A., floods of Nari typhoon and malfeasant cases of Financial Information Service Co., Ltd. in Taiwan all indicate that information security has being more important day by day as a result of fast development of information technology, increasing range of users and dependence of an organization on information system. How to evaluate information security of an organization and what valuation criteria should be considered still lack of empirical studies. On the basis of “Integrated System Theory” of information security management, the study applies factor analysis and nominal group technique and collects opinions from experts to construct “Hierarchical Structure of Information Security Valuation Criteria”, which totally includes 9 valuation dimensions and 37 valuation criteria. The result may not only be a reference for the organization to make information security policies but also the foundation to further develop “Information Security Multiple Criteria Valuation Model”. It is obviously a key milestone of empirical studies of information security management.</span></span></span></p>