Tamkang University Chueh Sheng Memorial Library (TKU Library)
System ID U0002-2107202012553000
Thesis title (Chinese) 公部門與私部門資訊安全策略之研究 (A Study of Information Security Strategies in the Public and Private Sectors)
Thesis title (English) A study of information security strategy on public sector and private sector
University Tamkang University
Department (Chinese) 資訊管理學系碩士班 (Master's Program, Department of Information Management)
Department (English) Department of Information Management
Academic year 108
Semester 2
Publication year 109
Student name (Chinese) 林美齡
Student name (English) Mei-Ling Lin
Student ID 608630066
Degree Master
Language Chinese
Oral defense date 2020-05-23
Number of pages 53
Committee Advisor: 游佳萍
Member: 朱彩馨
Member: 吳雅鈴
Member: 游佳萍
Keywords (Chinese) Information security; macro-environment (PEST) theory; situation (SWOT) analysis; content analysis
Keywords (English) Information Security; PEST analysis model; SWOT analysis; Content analysis
Subject classification
Abstract (Chinese) An information security incident can have a serious impact on an organization, and to avoid regrettable incidents it is essential to carefully review the external environment, internal capabilities and resources beforehand. The purpose of this study is to explore the information security difficulties and challenges facing the business market environment, and how Taiwan's public and private sectors use their own capabilities and resources to handle and respond to them. Using macro-environment (PEST) theory, this study narrows the vast market environment to expose the fundamental problems affecting organizational operations. In addition, this study uses situation analysis to consolidate the business environment and internal capabilities and resources into strengths, weaknesses, opportunities and threats (SWOT) for structured analysis.

The main interviewees of this study are information security consultants at the world's four largest accounting firms, covering 7 public-sector cases and 7 private-sector cases. We use the content analysis method, grounded in macro-environment theory and situation analysis, to analyze the data. We consolidate the market environment problems and information security strategies mentioned by the interviewees and find that industries differ in attributes, resources and capabilities, which shapes their information security practices and views.

This study lets managers examine the key information security problems in the business environment from the perspective of several professionals, and understand the strengths and weaknesses of their own organization relative to competitors, so that information security strategies can be formulated with more considerations and evidence. When formulating information security strategies, organizations should make good use of strengths, improve weaknesses, seize opportunities promptly and avoid threats as far as possible, so that they can fully exploit their advantages and eliminate their shortcomings to cope with market conditions and avoid being eliminated by a cold and unforgiving market.
Abstract (English) The outbreak of an information security incident can have a serious impact on an organization, and in order to avoid regrettable incidents it is extremely important to carefully review the environmental situation, internal capabilities and resources beforehand. The purpose of this study is to explore the information security difficulties and challenges facing the business market environment, and how the public and private sectors in Taiwan use their capabilities and resources to deal with and respond to them. This study uses the PEST analysis model to narrow the huge market environment and expose the fundamental problems that affect an organization's operations. In addition, this study consolidates the business environment and internal capabilities into strengths, weaknesses, opportunities and threats (SWOT) through situation analysis in order to conduct a structured analysis.
This study draws on the opinions of information security consultants at the world's top four accounting firms, covering 7 public-sector cases and 7 private-sector cases, analysed with the content analysis method. We compile the market environment issues and information security strategies raised in the interviews, finding that differences in industries' attributes, resources and capabilities result in different practices and opinions.
This study provides managers with the outlooks of several professionals so that they can review the fundamental issues and understand their own advantages and disadvantages compared with other competitors, giving them more references when formulating information security strategies. Furthermore, when formulating information security strategies, organizations should take advantage of strengths, improve weaknesses, seize opportunities immediately and avoid threats as much as possible, so that they can fully exploit their strengths and eliminate their weaknesses in order to respond to changes in the business market and avoid being eliminated from the real market.
Table of contents
Chapter 1 Introduction
Chapter 2 Literature Review
2.1 Macro-environment (PEST) theory
2.1.1 Political and Legal Factor
2.1.2 Economic Factor
2.1.3 Social and Cultural Factor
2.1.4 Technical Factor
2.2 Information security
2.2.1 Information security standards
2.2.2 Information security management and control
2.3 Information security strategy
2.4 Current state of information security in the public and private sectors
Chapter 3 Research Method
3.1 Case study
3.2 Data collection process
3.3 Content analysis
3.4 Reliability and validity measurement
Chapter 4 Data Analysis and Results
4.1 Analysis of the current state of information security in the public sector
4.2 Analysis of the current state of information security in the private sector
Chapter 5 Conclusion
5.1 Challenges and difficulties facing information security in Taiwan's public sector
5.2 Challenges and difficulties facing information security in Taiwan's private sector
5.3 Research contributions
5.4 Research limitations
References
Appendix 1 Research interview questionnaire
Appendix 2 Definitions of information security environment categories

List of figures
Figure 1: 2020 information security investment by industry
Figure 2: 2020 information security investment growth rate by industry
Figure 3: Change in information security investment growth rate
Figure 4: Top 10 enterprise information security investment items in 2019
Figure 5: Proportion of enterprises with unfilled information security positions by industry
Figure 6: Average number of full-time information security hires by industry
Figure 7: Current state of enterprise information security staffing
Figure 8: Top 10 enterprise information security risks in 2019
Figure 9: Weakness types found in 2019 government agency cyber attack and defense exercises

List of tables
Table 1: Summary of information security regulations in Taiwan's financial industry
Table 2: Situation (SWOT) analysis
Table 3: Summary of interviewees
Table 4: Case classification
Table 5: SWOT analysis of the public-sector information security environment
Table 6: SWOT analysis of the private-sector information security environment

Thesis access permissions
  • Agrees to grant the printed copy, free of charge, to library readers for reproduction for academic purposes; made public on 2020-07-22.
  • Agrees to authorize the browse/print electronic full-text service; made public from 2020-07-22.