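§ Thesis bibliographic record

System ID U0002-1308202000124500
DOI 10.6846/TKU.2020.00359
Title (Chinese) 以言語行為理論探討資訊安全政策
Title (English) Applying the speech act theory to explore information security policy
Title (third language)
University Tamkang University
Department (Chinese) Master's Program, Department of Information Management
Department (English) Department of Information Management
Foreign degree: university
Foreign degree: college
Foreign degree: graduate institute
Academic year 108
Semester 2
Year of publication 109
Graduate student (Chinese) 邱琬翎
Graduate student (English) Wan-Ling Chiu
Student ID 607630208
Degree Master's
Language Traditional Chinese
Second language
Oral defense date 2020-05-23
Number of pages 60
Oral defense committee Advisor - 游佳萍
Member - 朱彩馨
Member - 施盛寶
Member - 游佳萍
Keywords (Chinese) information security
information security policy
Plan-Do-Check-Act cycle
speech act theory
Keywords (English) information security
information security policy
PDCA cycle
speech act theory
Keywords (third language)
Subject classification
Chinese abstract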
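The purpose of this study is to explore which policy contents and information security activities information security policies emphasize, and to use speech act theory to examine what kind of language the public and private sectors use to describe information security policy contents and information security activities. The study takes the information security policies of government agencies, banks and insurance companies as its sample, comprising 26 government agencies, 9 banks and ten insurance companies, and uses content analysis to code the policies according to speech act theory, information security policy content, and information security activities.

The results show that, first, in policy content both the public and private sectors mostly use directive statements to give personnel suggestions and rules on information security directly. Second, in information security content both sectors emphasize rules for people and processes; in information security activities the public sector mainly emphasizes planning and checking, while the private sector mainly emphasizes the planning category. Third, in information security content and activities, the public sector mainly uses directive statements to set information security rules, whereas the private sector relies mainly on assertive statements. The directive approach helps the relevant personnel understand clearly how information security is to be carried out, while assertive statements guide the relevant personnel to understand, from the information security policy, the rules governing the organization's people, processes and procedures.

This study suggests that, when drawing up information security policies in the future, organizations can choose the speech act suited to the policy direction they want to convey in order to guide participants. In addition, content analysis can be used to understand the elements an information security policy contains and to review the completeness of the organization's policy, so that employees' information security awareness is strengthened through continual revision.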
English abstract
The purpose of this study was to explore which policy elements and information security activities the contents of information security policies focus on. It used speech act theory to explore how the public sector and the private sector describe their information security policy contents and information security activities. The sample consisted of the information security policies of governments, banks and insurance companies, comprising 26 government agencies, 9 banks and 10 insurance companies. The study used content analysis to analyze the policies, coding them according to speech act theory, information security policy contents, and information security activities.
The results showed the following. First, both the public sector and the private sector mainly used Directives to give employees suggestions and rules about information security. Second, both the public sector and the private sector focused on the people and process aspects of information security content. In information security activities, the public sector mainly focused on the Plan and Check sections, and the private sector focused on the Plan section. Third, the public sector mainly used Directives to describe information security rules, whereas the private sector mainly used Assertives. Directives can help information security personnel understand how information security is to be implemented; Assertives can guide information security personnel to understand the people, process and procedure of the organization through the information security policy.
In practice, when organizations want to convey a direction for information security, they can choose an appropriate speech act to guide participants. Moreover, organizations can apply the content analysis technique to understand the elements of their information security policy, which would help maintain the policy continually and enhance employees' information security awareness.
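Abstract (third language)
Thesis table of contents
Contents
Chapter 1	Introduction
1.1 Research background and motivation
1.2 Research objectives
Chapter 2	Literature review
2.1 Information security policy
2.1.1 Information security policy content
2.1.2 Information security activities
2.2 Speech act theory
Chapter 3	Research method
3.1 Sample collection
3.2 Content analysis
3.2.1 Coding
3.2.2 Reliability
3.2.3 Semantic validity
Chapter 4	Research results
4.1 Analysis of policy content and speech act categories
4.2 Analysis of speech act categories in information security activities
Chapter 5	Conclusion
5.1 Research findings
5.2 Research limitations
References in Chinese
References in English

List of tables
Table 1: Classifications of speech acts in the literature
Table 2: Public sector sample
Table 3: Private sector sample
Table 4: Definitions and keywords of the speech act categories
Table 5: Definitions and keywords of the information security policy content categories
Table 6: Definitions and keywords of the information security activity categories
Table 7: Analysis of policy content and speech act categories in the public sector
Table 8: Detailed analysis of the people category in the public sector
Table 9: Detailed analysis of the process category in the public sector
Table 10: Analysis of policy content and speech act categories in the private sector
Table 11: Detailed analysis of the people category in the private sector
Table 12: Detailed analysis of the process category in the private sector
Table 13: Analysis of information security activities and speech act categories in the public sector
Table 14: Detailed analysis of the Plan category in the public sector
Table 15: Detailed analysis of the Check category in the public sector
Table 16: Analysis of information security activities and speech act categories in the private sector
Table 17: Detailed analysis of the Plan category in the private sector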
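Full-text access rights
On campus
Print copy released on campus immediately
Consent to authorize on-campus release of the electronic full text
Electronic thesis released on campus immediately
Off campus
Authorization granted
Electronic thesis released off campus immediately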
