隨著資訊安全管理觀念的逐漸受到重視，資訊安全風險評鑑已成為推動資安管理的初步重要工作。如何最有效益的利用資源來進行資安控制措施的建置以達到企業組織存在於一個可承受的資安風險損失水準環境，在策略決策上是一個重要的議題，但相關研究卻較為缺乏，因此本研究藉由探討風險分析管理等相關文獻，將量化風險分析的觀念導入資訊安全策略決策中，提出一套資安控制措施規畫決策模式，利用Uryasev(2000)提出的條件風險概念，應用於資安策略決策模式的建構上，使用此方法使企業在做損失評估時，能有更明確的決策選擇，以減少企業的損失，協助各企業在資訊安全管理中做適當的管理決策。在未來希望可以把此模式應用在現實的企業資安控制措施規畫決策過程中，增加該模式的可行性。

Information security management has become an important issue in many various organizations. The fundamental work for information security management is how to assess the security risk and implement the information security controls to reach an acceptable information security level. However, only few related researches have been done so far. In this thesis, we apply the concept of conditional value of risk proposed by Uryasev (2000) to create a quantitative decision model for the selection of information security controls. In the decision process, the acceptable risk and security cost are considered. Using the model, the decision makers can make a more appropriate decision to minimize their information security cost according to the risk or loss they can bear. Our case study demonstrates the proposed model with the potential of becoming very useful in practice and of leading to further generalization of information security decision analysis.

第一章 緒論 1
1.1 研究背景與動機 1
1.2 研究目的 4
1.3 研究方法與假設 5
1.4 論文架構 6
第二章 文獻探討 7
2.1 資訊安全風險管理 7
2.2 風險的評估與衡量 9
2.3 資訊安全控制措施的決策 12
第三章 條件風險值 15
第四章 決策程序與方法 19
4.1 資訊資產的識別與價值評估 20
4.2 威脅與弱點識別 23
4.3 風險評估 24
4.4 可承受的風險估計 26
4.5 控制措施選擇 27
第五章 模式求解與分析 30
5.1 環境假設 30
5.2 模式建構與求解 31
5.3 敏感度分析 35
5.3.1 可承受的風險損失對模式求解結果的影響 35
5.3.2 損失函數門檻風險值對模式求解結果的影響 37
第六章 結論與未來研究方向 40
6.1 結論 40
6.2 未來研究 41
參考文獻 42

圖目錄
圖2.1 威脅、弱點及風險的相互關係------------------------------------8
圖3.1 條件風險值---------------------------------------------------------- 16
圖4.1 資安控制措施規畫決策過程-------------------------------------- 19
圖4.2 CALIBRATION-ENTROPY 方法-------------------------------------- 25
圖5.1 可承受的風險損失對條件風險值及企業資訊資產平均損失值
的影響---------------------------------------------------------------------- 36
圖5.2 可承受的風險損失對總成本及企業資訊資產平均損失值的影
響---------------------------------------------------------------------------- 36
圖5.3 損失函數門檻風險值a 對條件風險值及企業資訊資產平均損
失值的影響---------------------------------------------------------------- 38
圖5.4 損失函數門檻風險值a 對總成本及企業資訊資產平均損失值
的影響---------------------------------------------------------------------- 38
風險限制與成本考量下之資安控制措施決策方法

表目錄
表2.1 風險評估步驟-------------------------------------------------------- 10
表5.1 資訊資產之可使用的控制措施對應表....................................31
表5.2 資訊資產相關變數...................................................................34

[1]邱師璇，“BS7799加溫LA人員漸增”，資安人科技網，http://www.isecutech.com.tw/feature/view.asp?fid=142，2003。
[2]洪肇蔚、賴溪松，“資訊安全建制選擇與評估”，資安人科技網， http://www.isecutech.com.tw/feature/view.asp?fid=278，2004。
[3]徐廣寅，“資訊安全管理導論”，金禾資訊公司，2003。
[4]郭志賢，“以BS 7799為基礎評估大學資訊中心之資訊安全管理以淡江大學為例”，私立淡江大學資訊管理學系碩士班碩士論文，2003。
[5]樊國楨，“資訊安全風險管理”，行政院國家科學委員會科學技術資料中心，2002。
[6]瞿鴻斌，“資訊安全風險評估驗證系統”，私立世新大學管理學院資訊管理學系碩士學位論文，2005。
[7]Basak, S., and Shapiro, A., “Value-at-Risk Based Risk Management: Optimal Policies and Asset Prices,” Review of Financial Studies, pp371-405, 2001.
[8]BS7799/ISO27001 Auditor/Lead Auditor Training Course
[9]Simon, H. A., “Administrative Behavior-A Study of Decision-Making Processes in Administrative Organization,” 1997.
[10]IEC, Dependability Management－Part 3: Application Guide-Section 9: Risk Analysis of Technological Systems, IEC 300-3-9: 1995,IEC, 1995.
[11]Jorion, P., “Philippe Jorion’s Orange County Case: Using Value at Risk to Control Financial Risk,” http://www.gsm.uci.edu/~jorion/oc/part1, 2001.
[12]Hong, K. S., Chi, Y. P., Chao, L. R., and Tang, J. H., “An Integrated System Theory of Information Security Management,” Information Management & Computer Security, pp243-248, 2003.
[13]Lemieux, V. L., “Two Approaches to Managing Information Risks,” Information Management Journal, pp56-62, Sep/Oct 2004.
[14]Palmquist, J., Uryasev, S., and Krokhmal, P., “Portfolio Optimization with Conditional Value-at-Risk Objective and Constraints,” University of Florida, Dept. of Industrial and System Engineering, pp1-36, 2001.
[15]Pavri, Z., “Valuation of Intellectual Property Assets: The Foundation for Risk Management and Financing,” PricewaterhouseCoopers, 1999.
[16]Preyssl, C., “Safety risk assessment and management－the ESA approach,” Reliability Engineering and System Safety 49, pp303-309, 1995.
[17]Rockafellar, R.T., and Urysaev, S., “Optimization of Conditional Value-at-Risk,” The Journal of Risk, Vol2, No.3, pp21-41, 2000.
[18]Schnitkey, G. D., Sherrick, B. J., and Irwin, S. H., “The Performance of Conditional Value-at-Risk Versus Value-at-Risk in Ranking Crop Insurance Alternative,” Department of Agricultural and Consumer Economics 415 Mumford Hall, 1301 W. Gregory Drive University of Illinois at Urbana-Champaign Urbana, Illinois 61801, pp1-30, 2004.
[19]Tan, D., “Quantitative Risk Analysis Step-By-Step,” GSEC Practical Version 1.4b-Option 1, pp1-21, SANS Institute 2003.
[20]Uryasev, S., “Condition Value-at-Risk:Optimization Algorithms and Applications,” Financial Engineering News, Issue 4, February 2000.