

    Please use this permanent URL to cite or link to this document: http://ir.lib.ncu.edu.tw/handle/987654321/12864


    Title: 企業資訊安全控管決策之研究--從組織決策理論觀點探討; The Study of Enterprise Information Security Control Decision: from the Perspective of Organizational Decision Theory
    Author: 李東峰; Tung-Feng Lee
    Contributor: Graduate Institute of Information Management
    Keywords: Behavioral Decision Making; Information Security; Security Control; Organizational Decision-making; Risk Management Decision-making
    Date: 2003-06-23
    Upload time: 2009-09-22 15:16:35 (UTC+8)
    Publisher: National Central University Library
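    Abstract: Thesis Abstract. As the application of information technology becomes increasingly widespread, information security control has become a necessary means for enterprises to sustain their operations. Most of the prior literature assumes that enterprise information security control decisions are rational risk management decisions, overlooking the possible influence of decision makers' cognitive factors and of organizational factors in decision situations under uncertainty.

    To clarify the possible influence of decision makers' cognitive factors and organizational factors on the degree of enterprise information security control, this study conducted a two-stage empirical study of large enterprises in Taiwan. The purpose of the first stage was to gain an in-depth understanding of the complex process of enterprise information security control decisions. Interviews with ten information managers at two financial firms and three high-technology manufacturing firms found that: (1) the enterprise information security control decision process differs greatly from the structured risk analysis and quantitative risk estimation process recommended by the rational decision model; (2) because of uncertainty, the basis of enterprise information security control decisions is not rational risk estimation but the decision maker's subjective risk perception, so that, under the influence of individual cognitive factors, the decision bias of loss aversion appears; (3) the importance of information technology to the enterprise and the interactions among key decision makers are the main organizational factors influencing enterprise information security control decisions.

    The second stage was designed on the basis of the first-stage findings and the literature review. Statistical analysis of the 116 questionnaires obtained from a survey of the information managers of 230 large enterprises found that: (1) information security risk as perceived by information managers has a significant positive effect on the degree of enterprise information security control, but no significant relationship was found between the information security risk perceived by information managers and the importance of information technology to the enterprise, so the rational decision model is only partially supported; (2) both the importance of information technology and the degree of senior executives' involvement in information security control decisions have a significant positive effect on the degree of enterprise information security control, supporting the hypotheses of the organizational decision model.

    The academic contributions of this study are: (1) re-examining enterprises' information security control decision behavior and, from the perspectives of the behavioral decision model and the organizational decision model, questioning the traditional rational decision model; (2) examining, on the basis of the organizational decision model, the effects of the importance of information technology to the enterprise and of senior executives' involvement in information security control decisions on enterprise information security control decisions. The results indicate that, in addition to being able to perceive information security risk, an enterprise's information managers need to make good use of their decision influence and actively seek senior executives' involvement in information security control decisions. Decision makers also need to be aware of the decision biases that decision-shortcut behavior may cause.

    In discussing the limitations of resources and methods, this study suggests that the factors shaping senior executives' perception of information security risk, and the possible influence of user-department participation on enterprise information security control decisions, are possible directions for future research.

    With the ever-increasing use of information technology (IT) in business operations, the impact of information security risk has become one of the critical issues for information managers of modern enterprises. This empirical study used a two-stage design. To gain a deep understanding of the process of enterprise information security control decisions, qualitative interviews were conducted with ten senior information managers at two financial service companies and three high-technology manufacturing corporations.

    The findings are as follows: (1) the decision-making processes are not as comprehensive, structured and quantitative as the completely rational risk management decision-making model suggests; (2) the decision makers depended on subjective perceptions in the process of assessing enterprise information security risk in order to reach an effective decision in a highly uncertain environment, so some decision biases were found; (3) both the importance of IT applications and the organizational political influences among key decision makers are critical factors in the degree of enterprise information security control.

    The second-stage study was designed according to the results of the first stage and the literature review. One hundred and sixteen questionnaires were returned from a self-administered survey of two hundred and thirty information managers of large companies in Taiwan. The findings of the statistical analysis are as follows: (1) there is a significant positive relationship between the degree of information security control and information managers' perceived risk of information security, but the expected influence between the importance of IT applications and perceived risk of information security tended not to be supported by the empirical data; (2) the empirical data tend to support significant positive relationships of the importance of IT applications and the degree of CEO involvement in information security control decisions with the degree of enterprise information security control.

    The theoretical contributions of this study are: (1) the investigation of the enterprise information security control decision-making process from the perspectives of the behavioral decision-making and organizational decision-making models, in contrast with the traditional mainstream perspective of the rational decision model; (2) theoretical arguments and empirical investigations, from the perspective of the organizational decision model, of the influence of organizational factors such as the importance of IT applications and the degree of CEO involvement on enterprise information security control decisions. One managerial implication of this study is the influence of organizational interaction between information managers and the CEO on enterprise information security control decisions when risk assessment is highly uncertain. The other managerial implication is a caution about the backfire of decision biases that arise from dependence on subjective perception and decision shortcuts in making effective information security control decisions. The limitations on generalizing the results and directions for further research are also discussed in this paper.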
    Appears in collections: [Graduate Institute of Information Management] Master's and doctoral theses
