淡江大學覺生紀念圖書館 (TKU Library)
進階搜尋


系統識別號 U0002-1607201900443900
中文論文名稱 探討影響組織成員遵守資安政策意圖或抗拒的因素:應用資訊安全政策合規性統一模型
英文論文名稱 Exploring the Impacts of Factors on Organizational Members Intention to comply with information security policy: Using A Unified of Information Security Policy Compliance(UMISPC).
校院名稱 淡江大學
系所名稱(中) 資訊管理學系碩士在職專班
系所名稱(英) On-the-Job Graduate Program in Advanced Information Management
學年度 107
學期 2
出版年 108
研究生中文姓名 李家安
研究生英文姓名 CHIA-AN LEE
學號 706630299
學位類別 碩士
語文別 中文
口試日期 2019-06-01
論文頁數 67頁
口試委員 指導教授-吳錦波
委員-連志誠
委員-施盛寶
委員-吳錦波
中文關鍵字 資訊安全政策  UMISPC  統一模型 
英文關鍵字 UMISPC  Information Security Policy Compliance  Unified Model 
學科別分類
中文摘要 組織對資訊技術(IT)的快速增長使用已經徹底改變了資產和關鍵資源,因為數位化,使得其更易於轉移M. T. Siponen (2005); Warkentin and Siponen (2015)。現代化的組織大量利用資訊系統與網路為基礎,建構出整合組織內外舉凡政策、財務、法務、生產、進銷存等資訊流,快速提供組織決策時資訊,提升組織生產效率與快速反應能力,其中流竄的資訊關係著組織的生存,也包含商業機密與個人隱私的敏感資料,組織必須制定適當、合理、可被接受、符合工作性質與個人任務的資安政策,以抵禦資安威脅。至今,對資訊系統安全(ISS)行為的研究已產生數十項理論來解釋資訊安全政策的合規性,對此Moody, Siponen, and Pahnila (2018)提出了一個統一模型,稱為資訊安全政策合規性統一模型(UMISPC),整合了先前十一項理論,提供決策者了解組織成員遵守資安政策意圖的因素,為資安教育或干預活動提供基礎。本研究使用資訊安全政策合規性統一模型,在台灣進行實證研究,以 SmartPLS3.0分析結果證實,資訊安全政策合規性統一模型具有顯著的解釋力,與以往使用單一理論,如中立化理論及保護動機理論來解釋資訊安全政策合規性有所不同,可提供管理者在制定資組織安全政策時作為參考。
英文摘要 Organizations' rapid growth in the use of information technology (IT) has revolutionized assets and critical resources, as digitalization makes it easier to transfer M. T. Siponen (2005); Warkentin and Siponen (2015). The modern organization is based on a large number of information systems and networks, and integrates information flow such as policy, finance, legal affairs, production, and invoicing in the organization, providing information on organizational decision-making and improving organizational productivity and rapid response. The rogue information is related to the survival of the organization. It also contains sensitive information about trade secrets and personal privacy. The organization must formulate appropriate and reasonable, acceptable, and work-related and personal tasks to protect against the security threat. To date, research on information system security (ISS) behavior has produced dozens of theories to explain the compliance of information security policies. Moody, Siponen, and Pahnila (2018) proposed a unified model called information security policy. The Uniformity Compliance Model (UMISPC) integrates the previous eleven theories to provide decision makers with an understanding of the factors in which members of the organization comply with the intent of the security policy and provides the basis for education or intervention. This study used the unified model of information security policy compliance to conduct empirical research in Taiwan. The results of SmartPLS3.0 analysis confirmed that the unified model of information security policy compliance has significant explanatory power, and used a single theory, such as neutralization theory. And the theory of protection motivation to explain the differences in information security policy compliance, can provide managers as a reference when formulating the organization's security policy.
論文目次 第壹章 緒論 1
第一節 研究背景與動機 1
第二節 研究目的 2
第貳章 文獻探討 3
第一節 中立化技術理論 3
第二節 健康信念模型 3
第三節 理性行為理論 4
第四節 保護動機理論 4
第五節 人際行為理論 5
第六節 威懾理論與理性選擇理論 7
第七節 擴展保護動機理論 8
第八節 計劃行為理論 8
第九節 自我調節理論 8
第十節 擴展並行處理模型 9
第十一節 控制平衡理論 10
第十二節 國內相關研究 11
第十三節 人口特徵影響遵守資訊安全意識 11
第參章 研究方法 13
第一節 研究架構 13
第二節 研究假說 15
第三節 操作型定義與衡量問項 18
第肆章 統計分析 26
第一節 基本資料分析 26
第二節 各構面間的敘述性統計 28
第三節 問卷量表信度與效度檢驗 30
第四節 假說與理論模型之驗證 36
第伍章 結論與建議 40
第一節 研究結論 40
第二節 理論意涵 41
第三節 實務意涵 42
第四節 研究限制 42
第五節 研究建議與未來方向 42
參考文獻 44
附錄 59
本研究問卷 59
本研究結構模型分析結果 66
本研究模型路徑分析結果 67

表 1,3-1研究構面、操作型定義選項、資料來源 19
表 2,3-2調節變數:依照本國國情調整 24
表 3,4-1受訪者人口特徵分析表 27
表 4,4-2因素負荷量表表 31
表 5,4-3各構面信度檢定表 34
表 6,4-4因素負荷量與交叉負荷量檢定表 34
表 7,4-5區別效度檢定表 35
表 8,4-6研究模型 R Square 決定係數值檢定表 37
表 9,4-7假說路徑關係檢定表 37
表 10,4-8此研究中七組假設定的結果表 39
參考文獻 Ajzen, I. (1985). From intentions to actions: A theory of planned behavior. In Action control (pp. 11-39): Springer.
Akers, R. L., Krohn, M. D., Lanza-Kaduce, L., & Radosevich, M. (1979). Social learning and deviant behavior: A specific test of a general theory. American sociological review, 636-655.
Ashforth, B. E., & Mael, F. (1989). Social identity theory and the organization. Academy of management review, 14(1), 20-39.
Ashforth, B. E., Rogers, K. M., & Corley, K. G. (2011). Identity in organizations: Exploring cross-level dynamics. Organization science, 22(5), 1144-1156.
Bagozzi, R. P. (1992). The self-regulation of attitudes, intentions, and behavior. Social psychology quarterly, 178-204.
Bamberg, S., & Schmidt, P. (2003). Incentives, morality, or habit? Predicting students’ car use for university routes with the models of Ajzen, Schwartz, and Triandis. Environment and behavior, 35(2), 264-285.
Bandura, A. (1977). Self-efficacy: toward a unifying theory of behavioral change. Psychological review, 84(2), 191.
Barclay, D., Higgins, C., & Thompson, R. (1995). The partial least squares (PLS) approach to casual modeling: personal computer adoption ans use as an Illustration.
Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2013). Don't make excuses! Discouraging neutralization to reduce IT policy violation. Computers & Security, 39, 145-159.
Becker, G. S. (1968). Crime and punishment: An economic approach. In The economic dimensions of crime (pp. 13-68): Springer.
Boss, S., Galletta, D., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors.
Braithwaite, J. (1989). Crime, shame and reintegration: Cambridge University Press.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548.
Cheung, C., & Limayem, M. (2005). The role of habit in information systems continuance: examining the evolving relationship between intention and usage. ICIS 2005 Proceedings, 39.
Chin, W. W. (1998). The partial least squares approach to structural equation modeling. Modern methods for business research, 295(2), 295-336.
Chin, W. W., & Newsted, P. R. (1999). Structural equation modeling analysis with small samples using partial least squares. Statistical strategies for small sample research, 1(1), 307-341.
Chua, H. N., Wong, S. F., Low, Y. C., & Chang, Y. (2018). Impact of Employees’ Demographic Characteristics on the Awareness and Compliance of Information Security Policy in Organizations. Telematics and Informatics.
Festinger, L. (1962). A theory of cognitive dissonance (Vol. 2): Stanford university press.
Fishbein, M., & Ajzen, I. (1975). Belief, attitude, intention and behavior: An introduction to theory and research.
Floyd, D. L., Prentice‐Dunn, S., & Rogers, R. W. (2000). A meta‐analysis of research on protection motivation theory. Journal of applied social psychology, 30(2), 407-429.
Fornell, C., & Larcker, D. F. (1981). Structural equation models with unobservable variables and measurement error: Algebra and statistics. In: SAGE Publications Sage CA: Los Angeles, CA.
Frattaroli, J. (2006). Experimental disclosure and its moderators: a meta-analysis. Psychological bulletin, 132(6), 823.
Gagnon, M.-P., Godin, G., Gagné, C., Fortin, J.-P., Lamothe, L., Reinharz, D., & Cloutier, A. (2003). An adaptation of the theory of interpersonal behaviour to the study of telemedicine adoption by physicians. International journal of medical informatics, 71(2-3), 103-115.
Galletta, D. F., & Polak, P. (2003). An empirical investigation of antecedents of Internet abuse in the workplace. SIGHCI 2003 Proceedings, 14.
Herath, T., & Rao, H. R. (2009a). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154-165.
Herath, T., & Rao, H. R. (2009b). Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106-125.
Hovland, C. I. (1959). Reconciling conflicting results derived from experimental and survey studies of attitude change. American psychologist, 14(1), 8.
Hulland, J. (1999). Use of partial least squares (PLS) in strategic management research: a review of four recent studies. Strategic management journal, 20(2), 195-204.
Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83-95.
Janz, N. K., & Becker, M. H. (1984). The health belief model: A decade later. Health education quarterly, 11(1), 1-47.
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: an empirical study. MIS Quarterly, 549-566.
Lee, S. M., Lee, S.-G., & Yoo, S. (2004). An integrative model of computer abuse based on social control and general deterrence theories. Information & Management, 41(6), 707-718.
Leone, L., Perugini, M., & Ercolani, A. P. (1999). A comparison of three models of attitude–behavior relationships in the studying behavior domain. European Journal of Social Psychology, 29(2‐3), 161-189.
Liang, H., & Xue, Y. (2009). Avoidance of information technology threats: a theoretical perspective. MIS Quarterly, 71-90.
Maddux, J. E., & Rogers, R. W. (1983). Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change. Journal of experimental social psychology, 19(5), 469-479.
Milne, S., Sheeran, P., & Orbell, S. (2000). Prediction and intervention in health‐related behavior: A meta‐analytic review of protection motivation theory. Journal of applied social psychology, 30(1), 106-143.
Mishra, S., & Dhillon, G. (2006). Information systems security governance research: a behavioral perspective. Paper presented at the 1st Annual Symposium on Information Assurance, Academic Track of 9th Annual NYS Cyber Security Conference.
Moody, G. D., Siponen, M., & Pahnila, S. (2018). TOWARD A UNIFIED MODEL OF INFORMATION SECURITY POLICY COMPLIANCE, 42(1).
Ng, B.-Y., Kankanhalli, A., & Xu, Y. C. (2009). Studying users' computer security behavior: A health belief perspective. Decision Support Systems, 46(4), 815-825.
Nunnally, J. (1978). Psychometric methods. In: New York: McGraw-Hill.
Osman, A., Barrios, F. X., Osman, J. R., Schneekloth, R., & Troutman, J. A. (1994). The Pain Anxiety Symptoms Scale: psychometric properties in a community sample. Journal of behavioral medicine, 17(5), 511-522.
Pahnila, S., Siponen, M., & Mahmood, A. (2007). Employees' behavior towards IS security policy compliance. Paper presented at the System sciences, 2007. HICSS 2007. 40Th annual hawaii international conference on.
Paternoster, R., & Simpson, S. (1996). Sanction threats and appeals to morality: Testing a rational choice model of corporate crime. Law and Society Review, 549-583.
Pee, L. G., Woon, I. M., & Kankanhalli, A. (2008). Explaining non-work-related computing in the workplace: A comparison of alternative models. Information & Management, 45(2), 120-130.
Piquero, N. L., & Piquero, A. R. (2006). Control balance and exploitative corporate crime. Criminology, 44(2), 397-430.
Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change1. The journal of psychology, 91(1), 93-114.
Rosenstock, I. M. (1974). The health belief model and preventive health behavior. Health education monographs, 2(4), 354-386.
Sheppard, B. H., Hartwick, J., & Warshaw, P. R. (1988). The theory of reasoned action: A meta-analysis of past research with recommendations for modifications and future research. Journal of consumer research, 15(3), 325-343.
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224.
Siponen, M., & Vance, A. (2010). Neutralization: new insights into the problem of employee information systems security policy violations, 487-502.
Siponen, M. T. (2005). Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods. Information and organization, 15(4), 339-375.
Straub Jr, D. W. (1990). Effective IS security: An empirical study. Information Systems Research, 1(3), 255-276.
Sykes, G. M., & Matza, D. (1957). Techniques of neutralization: A theory of delinquency. American sociological review, 22(6), 664-670.
Teh, P.-L., Ahmed, P. K., & D'Arcy, J. (2015). What Drives Information Security Policy Violations among Banking Employees?: Insights from Neutralization and Social Exchange Theory. Journal of Global Information Management (JGIM), 23(1), 44-64.
Theoharidou, M., Kokolakis, S., Karyda, M., & Kiountouzis, E. (2005). The insider threat to information systems and the effectiveness of ISO17799. Computers & Security, 24(6), 472-484.
Triandis, H. C. (1977). Interpersonal behavior: Brooks/Cole Pub. Co.
Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: insights from habit and protection motivation theory. Information & Management, 49(3-4), 190-198.
Vance, A., & Siponen, M. T. (2012). IS security policy violations: A rational choice perspective. Journal of Organizational and End User Computing (JOEUC), 24(1), 21-41.
Venkatesh, V., Morris, M. G., Davis, G. B., & Davis, F. D. (2003). User acceptance of information technology: Toward a unified view. MIS Quarterly, 425-478.
Venkatesh, V., Thong, J. Y., & Xu, X. (2012). Consumer acceptance and use of information technology: extending the unified theory of acceptance and use of technology. MIS Quarterly, 157-178.
Verplanken, B. (2006). Beyond frequency: Habit as mental construct. British Journal of Social Psychology, 45(3), 639-656.
Verplanken, B., & Orbell, S. (2003). Reflections on Past Behavior: A Self‐Report Index of Habit Strength 1. Journal of applied social psychology, 33(6), 1313-1330.
Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113-134.
Witte, K. (1992). Putting the fear back into fear appeals: The extended parallel process model. Communications Monographs, 59(4), 329-349.
Witte, K. (1996). Predicting risk behaviors: Development and validation of a diagnostic scale. Journal of health communication, 1(4), 317-342.
Woon, I., Tan, G.-W., & Low, R. (2005). A protection motivation theory approach to home wireless security. ICIS 2005 Proceedings, 31.
Wei, L.-C. (2014). 探討員工舉發資訊安全違規事件之意圖研究. 臺灣大學資訊管理學研究所學位論文, 1-59.
沈翊芯. (2018). 從道德疏離的角度探討員工資訊安全政策違反意圖. (碩士), 國立中山大學, 高雄市. Retrieved from https://hdl.handle.net/11296/76qbau
張師獻. (2017). 以保護動機理論探討資訊安全壓力對資安政策遵守之影響. (碩士), 國立中山大學, 高雄市. Retrieved from https://hdl.handle.net/11296/nqrx94
陳鵬文. (2017). 組織員工內外部動機對遵守資訊安全政策意向之影響. (碩士), 國立中正大學, 嘉義縣. Retrieved from https://hdl.handle.net/11296/xdw2c7
蔡昀達. (2018). 資安政策違反因素之探討. 淡江大學資訊管理學系碩士班學位論文, 1-48.
謝勝文. (2016). 瞭解遵守資訊政策意圖:處罰、社會影響、價值認知及安全風氣. (碩士), 國立中正大學, 嘉義縣. Retrieved from https://hdl.handle.net/11296/sda4g6
蘇建源, 江琬瑂, & 阮金聲. (2010). 資訊安全政策實施對資訊安全文化與資訊安全有效性影響之研究. 資訊管理學報, 17(4), 61-87.
論文使用權限
  • 同意紙本無償授權給館內讀者為學術之目的重製使用,於2024-07-25公開。
  • 同意授權瀏覽/列印電子全文服務,於2024-07-25起公開。


  • 若您有任何疑問,請與我們聯絡!
    圖書館: 請來電 (02)2621-5656 轉 2486 或 來信