現今資訊安全的技術已日漸成熟，資訊人員或使用者也都能遵從資訊安全的規範，雖然組織已明文規定相關的資訊安全規範與控制，但問題仍會發生，且常常發生在人(即員工)身上。因此，過去資訊安全的研究也從「資訊安全技術」的層面轉變到更重視「資訊安全管理」層面，本研究希望能了解組織中資訊安全管理措施上，利用正式與非正式這兩種不同的控制機制對組織內員工資訊安全行為的影響，以及何種控制機制能更有效影響員工資訊安全行為。研究針對天下雜誌2011年500大服務業的公司，透過關係聯絡對方公司，請其代發問卷給公司內的員工進行調查。本研究結果除了組織原本的正式控制機制會影響員工資訊安全行為的意圖外，非正式控制機制中的非正式評估也會正向影響員工資訊安全行為的意圖，使員工更注意自身的資訊安全行為。期望公司能以本研究為參考依據，應用員工之間更多控制的機制來強化員工資訊安全的行為，使組織免於資訊安全的問題與威脅。

As current information security technology has become more mature, IT staff or employees are required to comply with security policies. However, related information security problems, especially the inadequate security behaviors from employees, still occur in the organizations though the organizations have expressly devoted resources to information security standards and controls. Focusing on this issue, more academic information security research is shifting from the "security technology" side to "information security management". This study is to understand the effects of information security management measures, formal and informal control mechanisms, on information security behavior intention. We collected 175 samples from the list of largest 500 service companies in Taiwan from CommonWealth 2011. The results shows that formal control mechanisms (i.e. specification, evaluation, rewards) have positive effects on information security behavior intention, in addition, the informal evaluation of informal control mechanism also positively impacts information security behavior intention. We found that better outcomes can be obtained when exercising two control modes simultaneously. Managerial implications, research implications, and future research directions were also provided.

目錄

第1章 緒論	1
1.1 研究背景與動機	1
1.2 研究目的	3
第2章 文獻探討	4
2.1 控制理論(Control theory)	4
2.2 正式控制(Formal control)	7
2.3 非正式控制(Informal control)	12
2.4 資訊安全行為意圖(Information security behavioral intentions)	18
第3章 研究模型與假說	25
3.1 研究架構	25
3.2 正式控制機制與資訊安全行為意圖	26
3.3 非正式控制機制與資訊安全行為意圖	27
第4章 研究方法	29
4.1 資料蒐集	29
4.2 構念衡量	30
第5章 資料分析與結果	34
5.1 基本資料描述	34
5.2 研究變項之敘述性統計分析	38
5.3 共同方法變異	39
5.4 資料分析與結果	39
5.5 假說檢定	45
第6章 討論與建議	49
6.1 研究結果	49
6.2 學術上的貢獻	51
6.3 管理上的意涵	51
6.4 研究限制	52
6.5 未來研究建議	53
中文參考文獻	54
英文參考文獻	55
附錄一 研究問卷	61


表目錄
表2-1：過去文獻中概念化的三種控制機制	17
表2-2：資訊安全行為文獻整理	20
表4-1：正式控制機制衡量題項	31
表4-2：非正式控制機制衡量題項	32
表4-3：資訊安全行為意圖衡量題項	33
表5-1：基本資料統計數據(n=175)	34
表5-2：基本資料統計數據(n=175)	35
表5-3：基本資料統計數據(n=175)	37
表5-4：敘述性統計分析	38
表5-5：信度分析	41
表5-6：效度分析	43
表5-7：平均變異萃取量(AVE)之分析結果	45


圖目錄
圖3-1：研究架構圖	25
圖5-1：研究架構的路徑分析	48

中文參考文獻
1.	編輯部，用創意推動資安認知訓練，資安人雜誌，第55期，2008年。
2.	梁國賢，事件與安全防護總體檢 2011年企業資安威脅全面解析，2011年， http://www.netadmin.com.tw/article_content.aspx?sn=1109090001。
3.	花俊傑，[觀點] 解析資訊安全控制措施(二) - 資產管理與人力資源安全，2011年，http://jackforsec.blogspot.com/2011/04/blog-post.html。
4.	黃世平，從永豐紙業薪酬架構調整構思談起，永豐學院，2011年。
5.	謝宛蓉，小心！讓企業半年虧上億的殺手，e天下，第55期，2006年。
6.	詹俊裕，營造團隊運作模式 迎向六盈的贏局，經營決策論壇，第45期，2006年。


英文參考文獻
Adler, P.S., and Borys, B. 1996. "Two Types of Bureaucracy: Enabling and Coercive," Administrative Science Quarterly (41:1), pp 61-89.
Anderson, C.L., and Agarwal, R. 2010. "Practicing Safe Computing: A Nultimedia Empirical Examination of Home Computer User Security Behavioral Intentions," MIS Quarterly (34:3), pp 613-643.
Ashenden, D. 2008. "Information Security Management: A Human Challenge?," Information Security Technical Report (13:4), pp 195-201.
Birnberg, J.G., and Snodgrass, C. 1988. "Culture and Control: A Field Study," Accounting, Organizations and Society (13:5), pp 447-464.
Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A., and Boss, R.W. 2009. "If Someone Is Watching, I'll Do What I'm Asked: Mandatoriness, Control, and Information Security," European Journal of Information Systems (18:2), pp 151-164.
Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness," MIS Quarterly (34:3), pp 523-548.
Cardinal, L.B. 2001. "Technological Innovation in the Pharmaceutical Industry: The Use of Organizational Control in Managing Research and Development," Organization Science (12:1), pp 19-36.
Chan, M., Woon, I., and Kankanhalli, A. 2005. "Perceptions of Information Security in the Workplace: Linking Information Security Climate to Compliant Behavior," Journal of Information Privacy and Security (1:3), pp 18-41.
Chin, and Newsted, P.R. 1999. "Structural Equation Modeling Analysis with Small Samples Using Partial Least Squares," Statistical Strategies for Small Sample Research), pp 307-341.
Chin, W. 1997. Overview of the Pls Method. Houston, MA: University of Houston.
Chin, W.W. 1998. "The Partial Least Squares Approach to Structural Equation Modeling," Modern Methods for Business Research (295:2), pp 295-336.
Choudhury, V., and Sabherwal, R. 2003. "Portfolios of Control in Outsourced Software Development Projects," Information Systems Research (14:3), pp 291-314.
Chow, C.W., Hirst, M., and Shields, M.D. 1995. "The Effects of Pay Schemes and Probabilistic Management Audits on Subordinate Misrepresentation of Private Information: An Experimental Investigation in a Resource Allocation Context," Behavioral Research in Accounting (7), pp 1-16.
CommonWealth. 2011. "2011 Top 500 Services in Taiwan."
Coren, M. 2005. Experts: Cyber-Crime Bigger Threat Than Cyber-Terror. LLLP, Atlanta, GA: 
D'Arcy, J., Hovav, A., and Galletta, D. 2009. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research (20:1), pp 79-98.
Das, T.K., and Teng, B.S. 1998. "Between Trust and Control: Developing Confidence in Partner Cooperation in Alliances," Academy of Management Review (23:3), pp 491-512.
Deloitte, T.T. 2006. "The Global Security Survey."   Retrieved 12/28, 2011, from https://www.deloitte.com/view/en_ME/me/industries/financialservices/fedf2d3195ffd110VgnVCM100000ba42f00aRCRD.htm
Dinev, T., Goo, J., Hu, Q., and Nam, K. 2006. "User Behavior toward Preventive Technologies-Cultural Differences between the United States and South Korea," ECIS 2006 Proceedings.
Dodge Jr, R.C., Carver, C., and Ferguson, A.J. 2007. "Phishing for User Security Awareness," Computers and Security (26:1), pp 73-80.
Dopuch, N., Birnberg, J.G., and Demski, J.S. 1982. Cost Accounting: Accounting Data for Management's Decisions. New York: 
Durgin, M. 2007. "Understanding the Importance of and Implementing Internal Security Measures," in: SANS Institute Reading Room.
Dutta, A., and McCrohan, K. 2002. "Management's Role in Information Security in a Cyber Economy," California Management Review (45:1), pp 67-87.
Eisenhardt, and Kathleen, M. 1985. "Control: Organizational and Economic Approaches," Management Science (31:2), pp 134-149.
Erez, M., and Kanfer, F.H. 1983. "The Role of Goal Acceptance in Goal Setting and Task Performance," Academy of Management Review (8:3), pp 454-463.
Fornell, C., and Bookstein, F. 1982. "Two Structural Equation Models: Ltsrei, and Pls Applied to Consumer Exit-Voice Theory," Journal of Marketing Research (19:4), pp 28-64.
Fornell, C., and Larcker, D.F. 1981. "Evaluating Structural Equation Models with Unobservable Variables and Measurement Error," Journal of Marketing Research (18:February), pp 39-50.
Furnell, S.M., Bryant, P., and Phippen, A.D. 2007. "Assessing the Security Perceptions of Personal Internet Users," Computers and Security (26:5), pp 410-417.
Gordon, Loeb, L.M., Lucyshyn, W., and Richardson, R. 2006. "Csi/Fbi Computer Crime and Security Survey," in: Computer Security Institute.
Hairs, J.F., Anderson, R.E., Tatham, R.L., and Black, W.C. 1998. Multivariate Data Analysis. New York: 
Henderson, J.C., and Lee, S. 1992. "Managing I/S Design Teams: A Control Theories Perspective," Management Science (38:6), pp 757-777.
Herath, T., and Rao, H.R. 2009a. "Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness," Decision Support Systems (47:2), pp 154-165.
Herath, T., and Rao, H.R. 2009b. "Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations," European Journal of Information Systems (18:2), pp 106-125.
Hopwood, and Anthony. 1974. Accounting and Human Behavior. London: Haymarket Publishing Limited.
Jaworski, B.J. 1988. "Toward a Theory of Marketing Control: Environmental Context, Control Types, and Consequences," Journal of Marketing (52:3), pp 23-39.
Johnston, A.C., and Warkentin, M. 2010. "Fear Appeals and Information Security Behaviors: An Empirical Study," MIS Quarterly (34:3), pp 548-566.
Katz, D. 1964. "The Motivational Basis of Organizational Behavior," Behavioral Science (9:2), pp 131-146.
Kern, T., and Willcocks, L. 2000. "Contracts, Control, and 'Presentation' in It Outsourcing: Research in Thirteen Uk Organizations," Journal of Global Information Management (8:4), pp 1-25.
Kirsch, L.J. 1996. "The Management of Complex Tasks in Organizations: Controlling the Systems Development Process," Organization Science (7:1), pp 1-21.
Kirsch, L.J. 1997. "Portfolios of Control Modes and Is Project Management," Information Systems Research (8:3), pp 215-239.
Kirsch, L.J. 2004. "Deploying Common Systems Globally: The Dynamics of Control," Information Systems Research (15:4), pp 374-395.
Lacity, M., and Willcocks, L. 2001. Global Information Technology Outsourcing. Chichester, UK: 
LaRose, R., Rifon, N.J., and Enbody, R. 2008. "Promoting Personal Responsibility for Internet Safety," Communications of the ACM (51:3), pp 71-76.
Leach, J. 2003. "Improving User Security Behaviour," Computers and Security (22:8), pp 685-692.
Lee, J., and Lee, Y. 2002. "A Holistic Model of Computer Abuse within Organizations," Information Management and Computer Security (10:2/3), pp 57-63.
Lee, S.M., Lee, S.G., and Yoo, S. 2003. "An Integrative Model of Computer Abuse Based on Social Control and General Deterrence Theories," Information and Management (41:6), pp 707-718.
Lee, Y., and Kozar, K.A. 2005. "Investigating Factors Affecting the Adoption of Anti-Spyware Systems," Communications of the ACM (48:8), pp 72-77.
Lee, Y., and Larsen, K.R. 2009. "Threat or Coping Appraisal: Determinants of Smb Executives′ Decision to Adopt Anti-Malware Software," European Journal of Information Systems (18:2), pp 177-187.
Lorange, P., and Scott-Morton, M.S. 1974. "A Framework for Management Control Systems," Sloan Management Review (16:1), pp 47-56.
Manz, C.C., Mossholder, K.W., and Luthans, F. 1987. "An Integrated Perspective of Self-Control in Organizations," Administration & Society (19:1), pp 3-24.
Marschan, R., Welch, D., and Welch, L. 1996. "Control in Less-Hierarchical Multinationals: The Role of Personal Networks and Informal Communication," International Business Review (5:2), pp 137-150.
Mishra, S., and Dhillon, G. 2006. "Information Systems Security Governance Research: A Behavioral Perspective," The 1st Annual Symposium on Information Assurance, Academic Track of 9th Annual NYS Cyber Security Conference.
Mobley, W.H., Hand, H.H., Baker, R.L., and Meglino, B.M. 1979. "Conceptual and Empirical Analysis of Military Recruit Training Attrition," Journal of Applied Psychology (64:1), pp 10-18.
Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., and Vance, A. 2009. "What Levels of Moral Reasoning and Values Explain Adherence to Information Security Rules? An Empirical Study," European Journal of Information Systems (18:2), pp 126-139.
Neumann, P.G. 1999. "Risks of Insiders," Comunications of the ACM (42:12), p 160.
Nidumolu, S.R., and Subramani, M.R. 2003. "The Matrix of Control: Combining Process and Structure Approaches to Managing Software Development," Journal of Management Information Systems (20:3), pp 159-196.
Ouchi, W.G. 1977. "The Relationship between Organizational Structure and Organizational Control," Administrative Science Quarterly (22:1), pp 95-113.
Ouchi, W.G. 1978. "The Transmission of Control through Organizational Hierarchy," Academy of Management Journal (21:2), pp 173-192.
Ouchi, W.G. 1979. "A Conceptual Framework for the Design of Organizational Control Mechanisms," Management Science (25:9), pp 833-848.
Ouchi, W.G. 1980. "Markets, Bureaucracies, and Clans," Administrative Science Quarterly (25:1), pp 129-141.
Ouchi, W.G., and Jaeger, A.M. 1978. "Type Z Organization: Stability in the Midst of Mobility," Academy of Management Review (3:2), pp 305-314.
Ouchi, W.G., and Maguire, M.A. 1975. "Organizational Control: Two Functions," Administrative Science Quarterly (20:4), pp 559-569.
Pahnila, S., Siponen, M., and Mahmood, A. 2007. "Employees' Behavior Towards Is Security Policy Compliance," Hawaii International Conference on System Sciences.
Podsakoff, P.M., and Organ, D.W. 1986. "Self-Reports in Organizational Research: Problems and Prospects," Journal of Management (12:4), pp 531-544.
Ravishankar, M.N., Pan, S.L., and Leidner, D.E. 2011. "Examining the Strategic Alignment and Implementation Success of a Kms: A Subculture-Based Multilevel Analysis," Information Systems Research (22:1), pp 39-59.
Rhee, H., Rhu, Y., and Kim, C. 2005. "I Am Fine but You Are Not: Optimistic Bias and Illusion of Control on Information Security," The 26th International Conference on Information Systems, pp. 381-394.
Rustagi, S., King, W.R., and Kirsch, L.J. 2008. "Predictors of Formal Control Usage in It Outsourcing Partnerships," Information Systems Research (19:2), pp 126-143.
Sasse, M.A., Brostoff, S., and Weirich, D. 2001. "Transforming The "Weakest Link" - a Human/Computer Interaction Approach to Usable and Effective Security," BT Technology Journal (19:3), pp 122-131.
Simha, A., and Kishore, R. 2011. "Social Capital and It as Predicates of Collective Mindfulness and Business Risk Mitigation: A Grounded Theory Development," ICIS 2011 Proceedings, p. 32.
Siponen, M., and Vance, A. 2010. "Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations," MIS Quarterly (34:3), pp 487-502.
Snell, S.A. 1992. "Control Theory in Strategic Human Resource Management: The Mediating Effect of Administrative Information," Academy of Management Journal (35:2), pp 292-327.
Stanton, J.M., Stam, K.R., Mastrangelo, P., and Jolton, J. 2005. "Analysis of End User Security Behaviors," Computers and Security (24:2), pp 124-133.
Straub, D.W., and Welke, R.J. 1998. "Coping with Systems Risk: Security Planning Models for Management Decision Making," MIS Quarterly (22:4), pp 441-464.
Straub Jr, D.W. 1990. "Effective Is Security: An Empirical Study," Information Systems Research (1:3), pp 255-276.
SymantecCorporation. 2007. "Symantec Reports Rise in Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers' Financial Gain."   Retrieved 12/28, 2011, from http://www.symantec.com/about/news/release/article.jsp?prid=20070319_01
Thompson, R.L., Higgins, C.A., and Howell, J.M. 1994. "Influence of Experience on Personal Computer Utilization: Testing a Conceptual Model," Journal of Management Information Systems (11:1), pp 167-187.
Tiwana, A. 2010. "Systems Development Ambidexterity: Explaining the Complementary and Substitutive Roles of Formal and Informal Controls," Journal of Management Information Systems (27:2), pp 87-126.
Venkatesh, V., Morris, M.G., Davis, G.B., and Davis, F.D. 2003. "User Acceptance of Information Technology: Toward a Unified View," MIS Quarterly (27:3), pp 425-478.
Vroom, C., and Von Solms, R. 2004. "Towards Information Security Behavioural Compliance," Computers and Security (23:3), pp 191-198.
Vroom, V.H. 1964. Work and Motivation. New York: Wiley.
Weirich, D., and Sasse, M.A. 2001. "Pretty Good Persuasion: A First Step Towards Effective Password Security in the Real World," pp. 137-143.
Woon, I.M.Y., Tan, G.W., and Low, R.T. 2005. "A Protection Motivation Theory Approach to Home Wireless Security," The Twenty-Sixth International Conference on Information Systems, pp. 367-380.
Workman, M., Bommer, W., and Straub, D. 2008. "Security Lapses and the Omission of Information Security Measures: An Empirical Test of the Threat Control Model," Journal of Computers in Human Behavior (24:6), pp 2799-2816.