A Multi-case Study on the Introduction of Information Security Management Systems to Public Organizations: an Organizational Learning Perspective

Master's === Chang Gung University === Graduate Institute of Information Management === 94 === Modern organizations increasingly rely on information technology in daily operations. To maintain the correctness and availability of information systems, the importance of information security has also been recognized. In order to evaluate if information security...


Bibliographic Details
Main Authors: Kuang-Yu Hsiao, 蕭光妤
Other Authors: Gen-Yi Liao
Format: Others
Language: zh-TW
Published: 2006
Online Access: http://ndltd.ncl.edu.tw/handle/77516235905634519414
id ndltd-TW-094CGU00396049
record_format oai_dc
spelling ndltd-TW-094CGU00396049 2016-06-01T04:14:44Z http://ndltd.ncl.edu.tw/handle/77516235905634519414 A Multi-case Study on the Introduction of Information Security Management Systems to Public Organizations: an Organizational Learning Perspective 根據組織學習觀點探討資訊安全管理系統導入--以公務單位為例 Kuang-Yu Hsiao 蕭光妤 Master's, Chang Gung University, Graduate Institute of Information Management, 94. Modern organizations increasingly rely on information technology in daily operations. To maintain the correctness and availability of information systems, the importance of information security has also been recognized. To evaluate whether information security is well managed in enterprises, standardization organizations have established security management standards, including BS7799, which was established by the British Standards Institution (BSI) and was formally approved as ISO27001 in 2005. In Taiwan, the government mandated the adoption of BS7799, indicating the special emphasis on information security management. The organizations implementing BS7799 have encountered difficulties such as employee resistance, work overload, and perfunctory handling. These difficulties prevented the introduction of BS7799 from producing as much effect as expected. However, it remains unclear what factors lead to those difficulties. Therefore, this thesis attempts to find out the phenomena, causes and solutions of the difficulties in implementing BS7799. To accommodate a fast-changing environment, organizations need to upgrade their learning ability in facing various kinds of challenges and difficulties. So, this thesis explores the introduction and implementation of BS7799 from an organizational learning perspective, which seems to be missing from the related literature we surveyed. To find out all the potential factors that influence BS7799 implementation, interviews were conducted with four public organizations which have passed the BS7799 certifications.
After those interviews, the data collected is encoded before being displayed in figures. To explain the possible associations between factors, this study analyzes the relationships among all the encoded data and obtains the following conclusions. It is found that there are nine difficulties which may occur in organizations implementing BS7799: “employees don’t have ample time, labor power and they have large workload”, “employees don’t have sufficient knowledge of information security and BS7799”, “it’s time-consuming to communicate with consumers”, “the staff don’t cooperate adequately”, “the staff don’t have sufficient information security awareness”, “it’s difficult to communicate with people in other departments”, “the leaders don’t take the implementation processes seriously enough”, “the budgets are not enough”, and “the staff who are in charge of introducing BS7799 don’t have sufficient power”. Introducing BS7799 may cause organizational change in the “individuals and roles” part. In addition, we propose some research topics based on association analysis to establish the correlations between organizational learning and implementation difficulties, and the correlations between organizational learning and the organizational changes. We propose some suggestions to help organizations which will introduce the BS7799 standard, for example: “to increase leaders’ support”, “to increase the staff’s communication ability”, and “to conduct some interesting contests to encourage staff to learn information security knowledge”. Gen-Yi Liao 廖耕億 2006 degree thesis ; thesis 163 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD