  • Degree thesis

The Influences of Security Configuration Management on Information Assurance: The Symbolic and Substantive Perspectives

Advisor: 孫嘉明

Abstract

Today's rapid advances in information technology have not only made organizational information system environments increasingly complex but have also made assessing IT risk more difficult. Although a range of international information security standards have been issued, personnel involved in information assurance activities, when assessing information security risk, easily fall into a cognitive gap between the conceptual descriptions of regulatory compliance and standards (the symbolic side) and the actual software configuration settings of IT products and equipment (the substantive side). This makes it hard to analyze and evaluate the effectiveness of existing information security controls and the degree of confidence in information assurance.

This study examines how security configuration management mechanisms affect the symbolic and substantive sides of information assurance: whether they help translate the complex potential threats and risk factors of information technology into information security assessment baselines that ease risk assessment decisions, and thereby raise confidence in controlling information assurance. The research procedure used both in-depth interviews and a quantitative questionnaire, applied to three types of information security audit items (symbolic, substantive, and configuration management), to assess whether IT staff and auditors with different knowledge backgrounds differ in their risk assessment results and in their confidence in information assurance for the different types of audit items. The research questions are:

(1) How do personnel in different departments differ in their perception of the symbolic and substantive sides of information assurance?
(2) Can security configuration management affect the interaction between the symbolic and substantive sides of information assurance?
(3) How can security configuration management be applied to risk assessment for information assurance?

The results show no significant difference in perception between auditors and IT staff, indicating that as both sides readily absorb information security knowledge from different dimensions, the perception gap has gradually narrowed; however, the risk assessment results for some dimensions still differ from the importance levels recommended by security configuration standards. Further analysis found that security configuration management information significantly changed personnel's judgments in some dimensions of the interaction between symbolic and substantive perceptions, showing that security configuration management helps with the risk perception of information security audit items and with communication during audit execution. In addition, Importance-Performance Analysis helps to understand where the two sides agree and differ in their risk perception and degree of control over the symbolic, substantive, and security configuration dimensions.

Keywords: security configuration management, information assurance, information technology risk, risk assessment

Abstract (English)

With the rapid development of the IT industry, organizational information system environments have become more complicated, and risk assessment on information technology has become more difficult. Although all kinds of international information security standards are available for professionals involved in information assurance to refer to, it is still difficult to analyze and assess the validity of information security management and the confidence in information assurance, because of the gap between the theoretical information security standards and the software configuration settings in reality. The study investigated how security configuration management influences the symbolic and substantive perspectives of information assurance and whether it facilitates risk assessment on information. The study employed the in-depth interview model and a qualitative questionnaire to evaluate MIS staff and auditors of different backgrounds, probing how differently they react to the check-list items of information security. The research questions in the present study were addressed as follows: 1. How do MIS staff and auditors perceive the gap between theory and reality differently when it comes to information assurance? 2. Does security configuration management influence information assurance? 3. How does security configuration management apply to information risk assessment? The study results showed no significant difference between MIS staff and auditors in their perceptions of information assurance. Furthermore, the information provided by security configuration management helps to bridge the gap between MIS staff and auditors. Through Importance-Performance Analysis, both sides gain a better understanding of the significant trends in the symbolic and substantive perspectives and in security configuration, and of the important points they have in common and where they differ in implementation.

Keywords: Security Configuration Management, Information Assurance, Information Technology Risk, Risk Assessment
