淡江大學覺生紀念圖書館 (TKU Library)
進階搜尋


系統識別號 U0002-3008201811074800
中文論文名稱 資安政策違反因素之探討
英文論文名稱 A Study on the Factors Effecting Information Security Policy Violations
校院名稱 淡江大學
系所名稱(中) 資訊管理學系碩士班
系所名稱(英) Department of Information Management
學年度 106
學期 2
出版年 107
研究生中文姓名 蔡昀達
研究生英文姓名 Yun-Da Tsai
學號 605630036
學位類別 碩士
語文別 中文
口試日期 2018-06-02
論文頁數 48頁
口試委員 指導教授-施盛寶
委員-郭秋田
委員-張昭憲
委員-施盛寶
中文關鍵字 資訊安全政策  資訊安全政策違反  資訊安全訓練  中立化理論  實驗法 
英文關鍵字 Information security policy  Information security policy violation  Information security training  Neutralization Theory  Experimental Method 
學科別分類
中文摘要 現今資訊安全事件層出不窮。對於企業及組織來說,這些資安事件會對組織造成重大影響。除了組織外部的攻擊,其中一部分的資安事件,是來自企業內部員工不遵守資訊安全政策所造成的結果。過去文獻採用許多社會學、犯罪學及心理學等不同領域的理論,來探討是什麼原因讓員工不遵守資安政策。部份研究採用中立化理論,中立化理論是屬犯罪學領域的一環,被學者用來解釋員工如何使用中立化技術將自己的違反行為合理化,結果證實中立化技術對於員工的違反行為有直接地影響。但鮮少有研究說明是什麼因素驅使員工使用中立化技術。因此本研究從個人的內在與外在動機出發,探討個人自身評估違反資安政策的利益和察覺他人的不遵從,以及資安訓練是否會降低個人採用中立化技術。本研究利用情境方式描述,以實驗法蒐集樣本資料,總共蒐集342份有效樣本,利用 SmartPLS
的結構方程模式(SEM)分析。結果顯示,感知不遵從的利益與察覺他人的不遵從和資安訓練確實都會影響個人使用中立化技術,中立化也會影響個人的違反意圖。本研究的主要貢獻為,在中立化理論的應用上,以個人內在與外在動機的角度出發,提出兩項前置因子,探討是否會影響個人使用中立化,同時驗證資安訓練的調節效果;研究結果也可以為企業管理階層做為參考,應制定資訊安全政策以及建立良好組織資安政策遵從文化,以及實施完整的資安訓練,促使多數的人都遵守資安政策,以減少違反情形的發生。
英文摘要 There are an endless number of information security incidents today. For enterprises and organizations, these security incidents have had a major impact on the organization. In addition to the attacks from outside of the organization, some of the security incidents are the result of non-compliance with information security policies by internal employees. In the past, studies have used many theories from different perspectives such as sociology, criminology, and psychology to explore what causes employees to fail to comply with information security policies. Some of these studies used neutralization theory to explain how employees use neutralization techniques to rationalize their violation behaviors. However, few studies have shown what factors drive employees to use neutralization technology. Therefore, this study proposes a research model and speculates that leading factors including perceived benefits of non-compliance, perceived non-compliance by others, and security training will affect individuals' adoption of neutralization technology.
We collected data by using the experimental situational approach. A total of 342 valid samples were collected and were further analyzed using Smart PLS and Structural Equation Model (SEM). The results show that the two driving factors and information security training do affect the individual's use of neutralization techniques. Neutralization also positively affects the individual's violation intention. The main contribution of this study is to apply the neutralization theory and propose two leading factors to explore their effects on the use of neutralization by individuals, as well as to verify the moderating effect of information security training. The results of the study can be helpful for the corporate managers. We conclude that formulating information security policies, establishing good information security compliance culture and implementing complete information security training will enable employees to comply with the information security policies and to reduce the occurrence of violation behaviors.
論文目次 第一章 緒論 1
1.1 研究背景 1
1.2 研究動機與目的 1
第二章 文獻探討 4
2.1 中立化理論(Neutralization Theory) 4
2.1.1 中立化技術(Neutralization Techniques) 4
2.2 資訊安全政策(Information Security Policy) 9
2.3 資訊安全政策違反(Information Security Policy Violation) 9
2.4 感知利益(Perceived Benefits) 16
2.5 察覺他人的不遵從(Observing Noncompliance by Others) 17
2.6 資安訓練(Security Training) 18
第三章 研究模型與假說 19
3.1 研究架構 19
3.2 研究假說 23
3.2.1 感知不遵從資安政策的利益與中立化 23
3.2.2 察覺他人的不遵從與中立化 23
3.2.3 資安訓練與中立化 24
3.2.4 感知不遵從資安政策的利益、察覺他人的不遵從與資安訓練的交互作用 24
3.2.5 中立化與違反資安政策意圖 25
第四章 研究方法 26
4.1 實驗法(Experimental Method) 26
4.2 情境與問項 26
第五章 研究結果 28
5.1 資料蒐集 28
5.2 一般敘述性統計 28
5.3 量測模式(Measurement model) 29
5.4 結構模式(Structural model) 32
5.5 分析結果 32
第六章 結論 35
6.1 研究貢獻 35
6.1.1 研究意涵 35
6.1.2 實務意涵 35
6.2 研究限制與未來發展 36
參考文獻 37
附錄一:情境 45
附錄二:問項 46
表目錄
表 2–1 中立化理論應用於各行為之研究 6
表 2–2 IS領域應用中立化理論之研究整理 7
表 2–3 IS領域應用各理論之研究整理 10
表 3–1 各文獻使用之中立化技術 21
表 5–1 受測者之敘述性統計 28
表 5–2 信度檢測結果 29
表 5–3 效度檢測結果 30
表 5–4因素負荷量與交叉負荷量 30
表 5–5分析結果 32
圖目錄
圖 3 1 研究模型 19
圖 5 1 研究模型結果 32

參考文獻 Ajzen, I. (1985). From Intentions to Actions: A Theory of Planned Behavior Action Control (pp. 11-39): Springer.
Ajzen, I. (1991). The Theory of Planned Behavior. Organizational behavior and human decision processes, 50(2), 179-211.
Bagozzi, R. P., & Yi, Y. (1988). On the Evaluation of Structural Equation Models. Journal of the academy of marketing science, 16(1), 74-94.
Bandura, A. (1976). Self-Reinforcement: Theoretical and Methodological Considerations. Behaviorism, 4(2), 135-155.
Bandura, A. (1986). The Explanatory and Predictive Scope of Self-Efficacy Theory. Journal of social and clinical psychology, 4(3), 359.
Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2013). Don't Make Excuses! Discouraging Neutralization to Reduce IT Policy Violation. Computers & security, 39, 145-159.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness. MIS quarterly, 34(3), 523-548.
Cao, L. (2004). Major Criminological Theories: Concepts and Measurements: Wadsworth Publishing Company.
Cheng, L., Li, W., Zhai, Q., & Smyth, R. (2014). Understanding Personal Use of the Internet at Work: An Integrated Model of Neutralization Techniques and General Deterrence Theory. Computers in Human Behavior, 38, 220-228.
Cohen, E., & Cornwell, L. (1989). A Question of Ethics: Developing Information System Ethics. Journal of Business Ethics, 8(6), 431-437.
Compeau, D., Higgins, C. A., & Huff, S. (1999). Social Cognitive Theory and Individual Reactions to Computing Technology: A Longitudinal Study. MIS quarterly, 145-158.
Cone, B. D., Irvine, C. E., Thompson, M. F., & Nguyen, T. D. (2007). A Video Game for Cyber Security Training and Awareness. Computers & security, 26(1), 63-72.
Copes, H., Vieraitis, L., & Jochum, J. M. (2007). Bridging the Gap between Research and Practice: How Neutralization Theory Can Inform Reid Interrogations of Identity Thieves. Journal of Criminal Justice Education, 18(3), 444-459.
Cox, J. (2012). Information Systems User Security: A Structured Model of the Knowing–Doing Gap. Computers in Human Behavior, 28(5), 1849-1858.
D'arcy, J., & Herath, T. (2011). A Review and Analysis of Deterrence Theory in the Is Security Literature: Making Sense of the Disparate Findings. European Journal of Information Systems, 20(6), 643-658.
D'Arcy, J., Hovav, A., & Galletta, D. (2009). User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach. Information Systems Research, 20(1), 79-98.
Deshpande, S. P., George, E., & Joseph, J. (2000). Ethical Climates and Managerial Success in Russian Organizations. Journal of Business Ethics, 23(2), 211-217.
Dhillon, G., & Moores, S. (2001). Computer Crimes: Theorizing About the Enemy Within. Computers & security, 20(8), 715-723.
Efron, B., & Tibshirani, R. J. (1994). An Introduction to the Bootstrap: CRC press.
Eliason, S. L., & Dodder, R. A. (1999). Techniques of Neutralization Used by Deer Poachers in the Western United States: A Research Note. Deviant Behavior, 20(3), 233-252.
Fishbein, M., & Ajzen, I. (1975). Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research.
Fornell, C., & Larcker, D. F. (1981). Evaluating Structural Equation Models with Unobservable Variables and Measurement Error. Journal of marketing research, 18(1), 39-50.
Fritzsche, D. J. (2000). Ethical Climates and the Ethical Dimension of Decision Making. Journal of Business Ethics, 24(2), 125-140.
Hair, J. F., Ringle, C. M., & Sarstedt, M. (2011). Pls-Sem: Indeed a Silver Bullet. Journal of Marketing theory and Practice, 19(2), 139-152.
Harrington, S. J. (1996). The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgments and Intentions. MIS quarterly, 257-278.
Harris, L. C., & Dumas, A. (2009). Online Consumer Misbehaviour: An Application of Neutralization Theory. Marketing Theory, 9(4), 379-402.
Henry, S. (1990). Degrees of Deviance: Student Accounts of Their Deviant Behavior: Sheffield Publishing Company.
Herath, T., & Rao, H. R. (2009). Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations. European Journal of Information Systems, 18(2), 106-125.
Hinduja, S. (2007). Neutralization Theory and Online Software Piracy: An Empirical Analysis. Ethics and Information Technology, 9(3), 187-204.
Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture. Decision Sciences, 43(4), 615-660.
Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Does Deterrence Work in Reducing Information Security Policy Abuse by Employees? Communications of the ACM, 54(6), 54-60.
Ifinedo, P. (2012). Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behavior and the Protection Motivation Theory. Computers & security, 31(1), 83-95.
Jarvenpaa, S. L., & Todd, P. A. (1997). Is There a Future for Retailing on the Internet. Electronic marketing and the consumer, 1(12), 139-154.
Johnson, N. A., & Heller, R. F. (1998). Prediction of Patient Nonadherence with Home-Based Exercise for Cardiac Rehabilitation: The Role of Perceived Barriers and Perceived Benefits. Preventive Medicine, 27(1), 56-64.
Johnston, A. C., & Warkentin, M. (2010). Fear Appeals and Information Security Behaviors: An Empirical Study. MIS quarterly, 549-566.
Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. (2016). Dispositional and Situational Factors: Influences on Information Security Policy Violations. European Journal of Information Systems, 25(3), 231-251.
Johnston, A. C., Wech, B., & Jack, E. (2013). Engaging Remote Employees: The Moderating Role of “Remote” Status in Determining Employee Information Security Policy Awareness. Journal of Organizational and End User Computing (JOEUC), 25(1), 1-23.
Klockars, C. B. (1974). The Professional Fence: Free Press New York.
Kumer, D. A. A., & George, S. Day (1999), Essential of Marketng Research: John Wiley & Sons, Inc., Canada.
Lee, J., & Lee, Y. (2002). A Holistic Model of Computer Abuse within Organizations. Information management & computer security, 10(2), 57-63.
Li, H., Sarathy, R., & Zhang, J. (2008). The Role of Emotions in Shaping Consumers’ Privacy Beliefs About Unfamiliar Online Vendors. Journal of Information Privacy and Security, 4(3), 36-62.
Lim, V. K. (2002). The IT Way of Loafing on the Job: Cyberloafing, Neutralizing and Organizational Justice. Journal of Organizational Behavior, 23(5), 675-694.
Marakas, G. M., Yi, M. Y., & Johnson, R. D. (1998). The Multilevel and Multifaceted Character of Computer Self-Efficacy: Toward Clarification of the Construct and an Integrative Framework for Research. Information Systems Research, 9(2), 126-163.
Mimouni-Chaabane, A., & Volle, P. (2010). Perceived Benefits of Loyalty Programs: Scale Development and Implications for Relational Strategies. Journal of Business Research, 63(1), 32-37.
Minor, W. W. (1981). Techniques of Neutralization: A Reconceptualization and Empirical Examination. Journal of Research in Crime and Delinquency, 18(2), 295-318.
Morris, R. G., & Copes, H. (2012). Exploring the Temporal Dynamics of the Neutralization/Delinquency Relationship. Criminal Justice Review, 37(4), 442-460.
O'Dea, J. A. (2003). Why Do Kids Eat Healthful Food? Perceived Benefits of and Barriers to Healthful Eating and Physical Activity among Children and Adolescents. Journal of the American Dietetic Association, 103(4), 497-501.
Padayachee, K. (2012). Taxonomy of Compliant Information Security Behavior. Computers & security, 31(5), 673-680.
Parker, D. B., & Parker, D. (1976). Crime by Computer: Scribner New York.
Parker, D. B., & Parker, D. B. (1998). Fighting Computer Crime: A New Framework for Protecting Information: Wiley New York.
Pee, L. G., Woon, I. M., & Kankanhalli, A. (2008). Explaining Non-Work-Related Computing in the Workplace: A Comparison of Alternative Models. Information & Management, 45(2), 120-130.
Pershing, J. L. (2003). To Snitch or Not to Snitch? Applying the Concept of Neutralization Techniques to the Enforcement of Occupational Misconduct. Sociological Perspectives, 46(2), 149-178.
Puhakainen, P., & Ahonen, R. (2006). Design Theory for Information Security Awareness.
Puhakainen, P., & Siponen, M. (2010). Improving Employees' Compliance through Information Systems Security Training: An Action Research Study. MIS quarterly, 757-778.
Reichers, A. E., & Schneider, B. (1990). Climate and Culture: An Evolution of Constructs. Organizational climate and culture, 1, 5-39.
Ringle, C. M., Wende, S., & Will, S. (2005). Smartpls 2.0 (M3) Beta, Hamburg 2005.
Silic, M., Barlow, J. B., & Back, A. (2017). A New Perspective on Neutralization and Deterrence: Predicting Shadow IT Usage. Information & Management, 54(8), 1023-1037.
Siponen, M., & Iivari, J. (2006). Six Design Theories for Is Security Policies and Guidelines 1. Journal of the Association for Information systems, 7(7), 445.
Siponen, M., & Vance, A. (2010). Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations. MIS quarterly, 487-502.
Siponen, M., Vance, A., & Willison, R. (2012). New Insights into the Problem of Software Piracy: The Effects of Neutralization, Shame, and Moral Beliefs. Information & Management, 49(7-8), 334-341.
Siponen, M. T. (2000). A Conceptual Foundation for Organizational Information Security Awareness. Information management & computer security, 8(1), 31-41.
Siponen, M. T. (2001). Five Dimensions of Information Security Awareness. SIGCAS Computers and Society, 31(2), 24-29.
Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of End User Security Behaviors. Computers & security, 24(2), 124-133.
Straub Jr, D. W., & Nance, W. D. (1990). Discovering and Disciplining Computer Abuse in Organizations: A Field Study. MIS quarterly, 45-60.
Sykes, G. M. (1956). The Corruption of Authority and Rehabilitation. Social Forces, 257-262.
Sykes, G. M., & Matza, D. (1957). Techniques of Neutralization: A Theory of Delinquency. American sociological review, 22(6), 664-670.
Teh, P.-L., Ahmed, P. K., & D'Arcy, J. (2015). What Drives Information Security Policy Violations among Banking Employees?: Insights from Neutralization and Social Exchange Theory. Journal of Global Information Management (JGIM), 23(1), 44-64.
Tetlock, P. E. (1983). Accountability and Complexity of Thought. Journal of personality and social psychology, 45(1), 74.
Tetlock, P. E. (1983). Accountability and the Perseverance of First Impressions. Social Psychology Quarterly, 285-292.
Thompson, R. L., Higgins, C. A., & Howell, J. M. (1994). Influence of Experience on Personal Computer Utilization: Testing a Conceptual Model. Journal of Management Information Systems, 11(1), 167-187.
Thurman, Q. C. (1984). Deviance and the Neutralization of Moral Commitment: An Empirical Analysis. Deviant Behavior, 5(1-4), 291-304.
Trevino, L. K. (1986). Ethical Decision Making in Organizations: A Person-Situation Interactionist Model. Academy of management Review, 11(3), 601-617.
Treviño, L. K., Butterfield, K. D., & McCabe, D. L. (1998). The Ethical Context in Organizations: Influences on Employee Attitudes and Behaviors. Business Ethics Quarterly, 8(3), 447-476.
Trevino, L. K., & Webster, J. (1992). Flow in Computer-Mediated Communication: Electronic Mail and Voice Mail Evaluation and Impacts. Communication research, 19(5), 539-573.
Turnipseed, D. L. (1998). Anxiety and Burnout in the Health Care Work Environment. Psychological Reports, 82(2), 627-642.
Vance, A., Lowry, P., & Eggett, D. (2015). Increasing Accountability through the User Interface Design Artifacts: A New Approach to Addressing the Problem of Access-Policy Violations.
Vance, A., Lowry, P. B., & Eggett, D. (2013). Using Accountability to Reduce Access Policy Violations in Information Systems. Journal of Management Information Systems, 29(4), 263-290.
Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating Is Security Compliance: Insights from Habit and Protection Motivation Theory. Information & Management, 49(3-4), 190-198.
Venkatesh, V., Morris, M. G., Davis, G. B., & Davis, F. D. (2003). User Acceptance of Information Technology: Toward a Unified View. MIS quarterly, 425-478.
Victor, B., & Cullen, J. B. (1987). A Theory and Measure of Ethical Climate in Organizations. Research in corporate social performance and policy, 9(1), 51-71.
Warkentin, M., & Willison, R. (2009). Behavioral and Policy Issues in Information Systems Security: The Insider Threat. European Journal of Information Systems, 18(2), 101-105.
Whitman, M. E., Townsend, A. M., & Aalberts, R. J. (2001). Information Systems Security and the Need for Policy Information Security Management: Global Challenges in the New Millennium (pp. 9-18): IGI Global.
Willison, R., & Warkentin, M. (2013). Beyond Deterrence: An Expanded View of Employee Computer Abuse. MIS quarterly, 37(1).
Willison, R., Warkentin, M., & Johnston, A. C. (2018). Examining Employee Computer Abuse Intentions: Insights from Justice, Deterrence and Neutralization Perspectives. Information Systems Journal, 28(2), 266-293.
Wimbush, J. C., & Shepard, J. M. (1994). Toward an Understanding of Ethical Climate: Its Relationship to Ethical Behavior and Supervisory Influence. Journal of Business Ethics, 13(8), 637-647.
Yechiam, E., Druyan, M., & Ert, E. (2008). Observing Others' Behavior and Risk Taking in Decisions from Experience. Judgment and Decision Making, 3(7), 493.
Yi, M. Y., & Davis, F. D. (2003). Developing and Validating an Observational Learning Model of Computer Software Training and Skill Acquisition. Information Systems Research, 14(2), 146-169.
論文使用權限
  • 同意紙本無償授權給館內讀者為學術之目的重製使用,於2023-08-30公開。
  • 同意授權瀏覽/列印電子全文服務,於2023-08-30起公開。


  • 若您有任何疑問,請與我們聯絡!
    圖書館: 請來電 (02)2621-5656 轉 2486 或 來信