
A Decision Method for Information Security Controls under Risk Limits and Cost Considerations

A Decision Method to Select Information Security Controls ─ Considering Risk Condition and Cost

Advisor: 徐煥智

Abstract


As the concept of information security management has gradually gained attention, information security risk assessment has become the first important task in promoting security management. How to use resources most effectively to implement information security controls, so that an enterprise or organization operates at an acceptable level of security-risk loss, is an important issue in strategic decision making, yet related research is relatively scarce. This study therefore reviews the literature on risk analysis and risk management, introduces the concept of quantitative risk analysis into information security strategy decisions, and proposes a planning decision model for information security controls. The conditional risk concept proposed by Uryasev (2000) is applied to construct the security strategy decision model. With this method, an enterprise has clearer decision choices when assessing losses, which reduces its losses and helps it make appropriate management decisions in information security management. In the future, we hope to apply this model to real enterprise decision processes for planning security controls, in order to increase the model's feasibility.

Abstract (English)


Information security management has become an important issue in many organizations. The fundamental work of information security management is to assess the security risk and implement the information security controls needed to reach an acceptable information security level. However, only a few related studies have been done so far. In this thesis, we apply the concept of conditional value-at-risk proposed by Uryasev (2000) to create a quantitative decision model for the selection of information security controls. In the decision process, both the acceptable risk and the security cost are considered. Using the model, decision makers can make a more appropriate decision that minimizes their information security cost according to the risk or loss they can bear. Our case study demonstrates that the proposed model has the potential to be useful in practice and to lead to further generalization of information security decision analysis.
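The kind of selection the abstract describes, as an added illustration that is not the thesis's own model, data or code: a discrete conditional value-at-risk (CVaR) over a set of loss scenarios, and an exhaustive search for the cheapest set of candidate controls whose CVaR stays within an acceptable-risk limit. The scenarios, controls, costs and the assumption that control effects multiply are all constructed for this example.

```python
from itertools import combinations

ALPHA = 0.95  # confidence level: CVaR averages the worst 5% of outcomes
# Constructed loss scenarios (not from the thesis): probability, baseline loss.
SCENARIOS = {
    "none": (0.90, 0.0),
    "phishing": (0.05, 40.0),
    "outage": (0.02, 100.0),
    "ransomware": (0.03, 200.0),
}
# Constructed candidate controls: annual cost and the fraction by which each
# reduces the loss of a scenario; the effects of several controls multiply.
CONTROLS = {
    "backup": (10.0, {"ransomware": 0.8, "outage": 0.5}),
    "awareness": (6.0, {"phishing": 0.7, "ransomware": 0.3}),
    "edr": (15.0, {"ransomware": 0.6, "phishing": 0.2}),
}

def cvar(losses, probs, alpha):
    """Mean loss in the worst (1 - alpha) tail; a scenario whose probability
    straddles the tail boundary contributes only the mass inside the tail."""
    tail = 1.0 - alpha
    remaining, total = tail, 0.0
    for loss, p in sorted(zip(losses, probs), reverse=True):
        take = min(p, remaining)  # tail mass still to be filled
        total += loss * take
        remaining -= take
    return total / tail

def residual_losses(selected):
    """Per-scenario loss after applying the selected controls."""
    losses, probs = [], []
    for name, (p, base) in SCENARIOS.items():
        loss = base
        for ctrl in selected:
            loss *= 1.0 - CONTROLS[ctrl][1].get(name, 0.0)
        losses.append(loss)
        probs.append(p)
    return losses, probs

def select_controls(risk_limit, alpha=ALPHA):
    """Cheapest control set with CVaR <= risk_limit (exhaustive search, which
    is fine for a handful of controls). Returns (controls, cost, cvar) or None."""
    best = None
    for k in range(len(CONTROLS) + 1):
        for subset in combinations(sorted(CONTROLS), k):
            risk = cvar(*residual_losses(subset), alpha)
            cost = sum(CONTROLS[c][0] for c in subset)
            if risk <= risk_limit and (best is None or (cost, risk) < best[1:]):
                best = (subset, cost, risk)
    return best
```

With these constructed values the uncontrolled CVaR is 160; a limit of 60 is met by "backup" alone (cost 10, CVaR 44), while tightening the limit to 40 forces "awareness" to be added (cost 16, CVaR 36.8).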

