
A Study on the Factors Affecting Information Security Policy Violations (original title: 資安政策違反因素之探討)

A Study on the Factors Affecting Information Security Policy Violations

Advisor: 施盛寶

Abstract
Information security incidents occur endlessly today, and for enterprises and organizations they have a major impact. Apart from attacks from outside the organization, a portion of security incidents result from internal employees failing to comply with information security policies. Past literature has drawn on theories from sociology, criminology, psychology and other fields to examine why employees do not comply with security policies. Some studies have adopted neutralization theory, a branch of criminology that scholars use to explain how employees apply neutralization techniques to rationalize their violation behavior; those results confirm that neutralization techniques directly affect employees' violations. However, few studies explain what factors drive employees to use neutralization techniques. This study therefore starts from individuals' intrinsic and extrinsic motivations and examines whether an individual's own assessment of the benefits of violating the security policy, the perceived non-compliance of others, and security training reduce the individual's adoption of neutralization techniques. Using scenario-based descriptions, the study collected sample data with an experimental method; a total of 342 valid samples were collected and analyzed with structural equation modeling (SEM) in SmartPLS. The results show that perceived benefits of non-compliance, perceived non-compliance by others, and security training all affect an individual's use of neutralization techniques, and neutralization in turn affects the individual's intention to violate. The main contributions of this study are, within the application of neutralization theory, to propose two antecedent factors from the perspective of intrinsic and extrinsic motivation and examine whether they affect individuals' use of neutralization, while also verifying the moderating effect of security training. The results can also serve as a reference for corporate management: organizations should formulate information security policies, build a sound organizational culture of security policy compliance, and implement complete security training, so that most people comply with the security policy and violations are reduced.

Abstract (English)
Information security incidents occur endlessly today. For enterprises and organizations, these incidents have a major impact. In addition to attacks from outside the organization, some security incidents are the result of internal employees' non-compliance with information security policies. Past studies have used theories from different perspectives, such as sociology, criminology, and psychology, to explore what causes employees to fail to comply with information security policies. Some of these studies used neutralization theory to explain how employees use neutralization techniques to rationalize their violation behaviors. However, few studies have shown what factors drive employees to use neutralization techniques. Therefore, this study proposes a research model and posits that the antecedent factors of perceived benefits of non-compliance, perceived non-compliance by others, and security training affect individuals' adoption of neutralization techniques. We collected data using an experimental, scenario-based approach. A total of 342 valid samples were collected and analyzed using SmartPLS and structural equation modeling (SEM). The results show that the two driving factors and information security training do affect an individual's use of neutralization techniques, and that neutralization positively affects the individual's violation intention. The main contribution of this study is to apply neutralization theory and propose two antecedent factors in order to explore their effects on individuals' use of neutralization, as well as to verify the moderating effect of information security training. The results can be helpful to corporate managers. We conclude that formulating information security policies, establishing a good information security compliance culture, and implementing complete information security training will enable employees to comply with information security policies and reduce the occurrence of violation behaviors.

