Tamkang University Chueh Sheng Memorial Library (TKU Library)

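System ID: U0002-2306201515252100
Thesis title (Chinese): 以腦波量測使用者對電子郵件社交工程訊息之感知與回應
Thesis title (English): A Study on Using EEG to Measure: How Users Perceive and Respond to E-mail Social Engineering Messages
University: Tamkang University
Department (Chinese): 資訊管理學系碩士在職專班
Department (English): On-the-Job Graduate Program in Advanced Information Management
Academic year: 103
Semester: 2
Publication year: 104
Author (Chinese name): 許文瑞
Author (English name): Wen-Ruei Hsu
Student ID: 702630194
Degree: Master's
Language: Chinese
Oral defense date: 2015-05-30
Number of pages: 81
Oral examination committee: Advisor - 吳錦波
Keywords (Chinese): e-mail social engineering  information security  brainwaves
Keywords (English): EEG  social engineering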
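Abstract (translated from the Chinese): Global investment in information security grows by the day, yet security incidents keep occurring. In the third quarter of 2014 alone, more than 183 million personal and financial records were leaked worldwide, and as many as 95% of data-leak incidents were related to human error. Users' information security behavior therefore needs to be examined. Many studies of users' information security behavior already exist, but few of them approach it from cognitive neuroscience. This study uses e-mail social engineering messages to explore differences in how users' brainwaves register information security, adopting an experimental method in which an EEG device measures brainwave activity during the perception process. The results show that subjects' brainwaves are affected by habit, gender and level of understanding, and that the degree of perception in the left and right hemispheres is asymmetric. The study finds that subjects differ by habit, gender, level of understanding and left/right hemisphere perception. The characteristic responses of each brain region to external messages allow real-time observation of changes in subjects' psychology and behavior, and can serve as a reference for the future development and application of information security protection measures.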
Abstract (English): Investment in information security has been increasing globally; however, there are still many security leakage incidents.
In the third quarter of 2014, more than one hundred eighty-three million personal and financial records were leaked, and 95% of information leakage incidents were related to human error. Therefore, further investigation of users' information security behavior is necessary. Currently, there are many studies of users' information security behavior, but still few from the perspective of cognitive neuroscience. This study investigates users' information security behavior by measuring their brainwave activity while they view e-mail social engineering messages in an experimental setting. The results show that a subject's brainwaves are affected by habit, gender and level of understanding, and that EEG power is asymmetric between the two cerebral hemispheres during perception. Observing the effects of such external information on a person's brainwaves could serve as a reference for future information security studies.
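Table of contents
Chapter 1 Introduction
Section 1 Research Background and Motivation
Section 2 Research Objectives
Section 3 Research Process
Section 4 Thesis Structure
Chapter 2 Literature Review
Section 1 Social Engineering
Section 2 Brainwaves
Section 3 Habit
Section 5 Gender
Section 6 Understanding
Chapter 3 Research Method
Section 1 EEG Measurement System Architecture
Section 2 Experimental Subjects and Procedure
Section 3 EEG Recording and Data Analysis
Section 4 Research Hypotheses
Chapter 4 Data Analysis
Section 1 Analysis of Basic Data
Section 2 Analysis of Test Results
Section 3 EEG Analysis
Chapter 5 Conclusions and Recommendations
Section 1 Research Results
Section 2 Research Contributions
Section 3 Research Limitations and Suggestions for Future Research
References
Table 2-1 Functions of each brainwave band
Table 3-1 Software for EEG data collection and analysis
Table 4-1 Basic data survey statistics
Table 4-2 Stage 1 accuracy rates
Table 4-3 Stage 2 accuracy rates
Table 4-4 Statistics of brainwave perception data by habit
Table 4-5 Mann-Whitney U test of differences in brainwave perception by habit
Table 4-6 Statistics of left- and right-brain brainwave perception data
Table 4-7 Mann-Whitney U test of differences in left- and right-brain brainwave perception
Table 4-8 Statistics of brainwave perception data by gender
Table 4-9 Mann-Whitney U test of differences in brainwave perception by gender
Table 4-10 Statistics of brainwave perception data by level of understanding
Table 4-11 Mann-Whitney U test of differences in brainwave perception by level of understanding
Figure 1-1 Research flowchart
Figure 3-1 Emotiv-EPOC
Figure 3-2 Experiment flowchart
Figure 3-3 β-band EEG spectrum
Figure 4-1 Stage 1 average response time
Figure 4-2 Stage 2 average response time
Figure 4-3 Stage 1 error counts
Figure 4-4 Stage 2 error counts
Figure 4-5 Gender differences
Figure 4-6 EEG channel locations
Figure 4-7 EEG spectra before and after habituation
Figure 4-8 Channel locations with significant differences in brainwave perception by habit
Figure 4-9 Left- and right-brain EEG spectra
Figure 4-10 EEG spectra by gender
Figure 4-11 Channel locations with significant differences in brainwave perception by gender
Figure 4-12 EEG spectra by level of understanding
Figure 4-13 Channel locations with significant differences in brainwave perception by level of understanding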
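  • The author agrees to grant royalty-free authorization for the print copy to be reproduced by in-library readers for academic purposes; public from 2020-07-27.
  • The author agrees to authorize the electronic full-text browsing/printing service; public from 2020-07-27.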
