  • Degree thesis

A Study on Risk Assessment and Management of Information Security

Advisor: 皮世明

Abstract


With the spread of computers and the rapid growth of networks, information technology has become an indispensable part of daily life. Yet uncertainty arising from threats to information security is pervasive in every organization. Reviewing the literature, we find that most research has concentrated on data encryption, network security protection, or the construction of e-commerce security mechanisms, while the use of risk management to ensure information security remains largely unexplored. The main purpose of this thesis is therefore to discuss the requirements for information security and the reasons they fail to be implemented, and, from a risk management perspective, to establish an information security risk assessment model for managing information security risk effectively.

To achieve the research goal of effective assessment and assurance of information security, this study adopts the BS7799 information security management standard together with risk management methods. Its scope covers the sources of information security threats, assessment of the forms of threat to digital information, digital information risk assessment, and methods of controlling digital information. The data analysis shows that the BS7799-based information security risk management model not only provides a way of identifying threat sources and countermeasures for protecting and controlling digital information, but also highlights where an organization's information security risks lie. Through the information security concepts and digital information protection methods established by this model, and by applying risk management methods, organization members can gain a concrete understanding of events that endanger information security, and so manage and regulate them effectively and build sound information security.

The data analysis further shows that the BS7799-based information security risk management model, beyond supplying a priority order for information security matters and the related countermeasures, reveals where the organization's information security risk problems lie. Through the correct and comprehensive information security concepts established by this model, and by applying risk management methods, organization members can gain a concrete understanding of events that endanger information security, and so manage and regulate them effectively and build sound information security.

Keywords

BS7799, Information security

Abstract (English)


This research analyzes the problem of internal security breaches, the largest proportion of information security events, with the methodology of crisis management. In this thesis, we gather theories and rules in the way of management and technology that were offered by domestic or foreign specialists and scholars. Besides, we apply the current information security specification, BS7799, as the standard, and contribute a foundation for a continued research subject: how to prevent information security events caused by improper embezzlement by an organization's internal staff. The first step of the experiment is to create information security consciousness among members of the organization with the BS7799 standard. Second, the model of risk management assessment is mapped out using confidentiality, integrity, and availability as its three measures. Finally, according to the results of the data analyses, it enabled us to produce a set of priorities concerning information security as well as suggestions of proper responses. In other words, using the model to assess the environment of an organization can identify potential problems of information security within the organization.

In the era of booming application of information technology, awareness of information security has risen because enterprises are highly dependent on information systems and networks for continuing to serve customers without system failure. After an enterprise implements an information security management concept, can it achieve its expectation of protecting the organization's information system security? When the enterprise faces risks to information assets and must take action, how does it invest properly within the budget in order to gain the best return on investment in information security? An enterprise can use the methodology of information security risk assessment to find out the risks to information assets in business processes for resource control.

Quantitative risk assessment uses quantifying methods to assess security event occurrence and influence; therefore, quantitative risk assessment can provide an effective method and assign suitable resources to manage an asset in the enterprise. Nowadays, Taiwan does not have many quantitative risk assessment methodologies; guesswork and subjective estimation are used mostly. This is not able to obtain an objective assessment result based on experience or knowledge to manage asset risks. With the universal application of information technology (IT) in business, the impact of information security accidents on business operations is also becoming more critical with each passing day. Even so, existing academic researchers and business managers still focus on the technical issues of information security control, and overlook the important issues of managing information security control and integration. Therefore, existing enterprises often get half the result with twice the effort in the work of information security control. The research's main results are: (1) the more high-level managers value information security, the greater the extent of information security control; (2) the greater the extent of cognitive information security, the greater the effectiveness of information security control; (3) the higher the level of information security control, the greater the effectiveness of information security control; and (4) the more applications of enterprise information technology there are, the higher the level of information security control.

Keywords (English)

BS7799, Information security


Cited by


林宇溱 (2015). A study of the critical success factors of introducing ISO 27001 for information security policy [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu201500619
郭松霖 (2011). Information security visualization using self-organizing maps (SOM) [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu201100832
柯彥睿 (2008). Analyzing information security risks of server rooms with a decision tree model [Master's thesis, Yuan Ze University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0009-1607200801091300
賴冠華 (2015). A discussion of information security management: the case of Company A's cross-strait deployment [Master's thesis, National Central University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0031-0412201512042972
