臺灣博碩士論文加值系統

　　資訊安全已成為現代組織不容忽視的議題，隨著企業的數位轉型以及資訊科技的普及、駭客組織的企業化，組織的資訊資產面臨越來越多的威脅和風險。為保障組織的資訊安全，許多組織採用了各種資訊安全政策和措施，然而，這些政策和措施的有效性往往受到員工的遵守程度之影響。因此，瞭解員工遵守資訊安全政策的合規行為意圖，及其影響因素成為本研究欲探討的主題。先前已有許多文獻探討員工遵守資訊安全政策的相關因素，大多數研究偏向個人主觀規範及態度、意識。近年來已有許多研究加入組織文化氛圍、國家文化等因素，而文化及教育的共同點在於它能夠引導人們的行為並產生長遠的影響。故本研究旨在探討不同風格的組織文化導向於實施資訊安全教育時對員工資訊安全合規行為意圖之影響。綜合考量組織環境和個人資訊安全態度。並發放問卷調查予221位有實施資訊安全教育之組織員工，而研究結果證實，不同的組織文化對於員工合規意圖無顯著影響，唯有已存在資訊安全文化之安全導向組織可顯著影響員工的合規意圖；另外資訊安全教育可有效增加員工的資訊安全意識，進而提昇員工合規意圖。總結來說，透過例行性地實施資訊安全教育可幫助組織形成資訊安全文化及加強組織的資訊安全管理。

Information security has become an undeniable concern for modern organizations. With the digital transformation of businesses, the widespread use of information technology, and the corporatization of hacker organizations, organizations' information assets face an increasing number of threats and risks. To protect the information security of organizations, many adopt various information security policies and measures. However, the effectiveness of these policies and measures is often influenced by the level of compliance among employees. Therefore, understanding employees' compliance behavior and the influencing factors of information security policies has become the subject of this study.
Previous literature has explored various factors related to employees' compliance with information security policies, mostly focusing on individual subjective norms, attitudes, and awareness. In recent years, many studies have incorporated factors such as organizational culture and national culture. The commonality between culture and education is that it can guide people's behavior and exert a lasting influence. Therefore, this study aims to investigate the impact of different styles of organizational culture orientation on employees' intention to comply with information security policies during the implementation of information security education. Considering both the organizational environment and individual information security attitudes. A questionnaire survey was conducted among 221 employees of organizations that have implemented information security education. The research findings confirm that different organizational cultures do not have a significant impact on employees' compliance intention, except for safety-oriented organizations with an existing information security culture, which can significantly influence employees' compliance intention. Additionally, information security education can effectively increase employees' awareness of information security and thereby enhance their compliance intention.
In conclusion, regularly implementing information security education can help organizations establish an information security culture and enforce information security management.

目錄
摘要 i
ABSTRACT ii
誌謝 iv
目錄　v
表目錄 vii
圖目錄 viii
第一章、緒論 1
第一節、研究背景與動機 1
第二節、研究目的 3
第三節、研究流程 3
第二章、文獻探討 5
第一節、組織文化 5
第二節、資訊安全教育 9
第三節、資訊安全意識 11
第四節、員工資訊安全合規行為意圖 13
第三章、研究方法 15
第一節、研究架構 15
第二節、研究假說 16
第三節、研究變數定義與衡量 19
第四節、研究對象與抽樣方法 23
第五節、資料分析方法 24
第四章、研究結果 24
第一節、樣本資料分析 24
第二節、問項敘述性統計分析 27
第三節、因素與效度、信度分析 29
第四節、模型分析與假說檢定 31
第五章、結論與建議 34
第一節、研究發現 34
第二節、研究結論及貢獻 37
第三節、研究限制與建議 39
參考文獻 40
英文部份 40
網路部份 44
附錄：問卷 45

參考文獻

英文部份
1. Alassaf, M., & Alkhalifah, A. (2021). Exploring the influence of direct and indirect factors on information security policy compliance: A systematic literature review. IEEE Access, 9, 162687-162705.
2. Amankwa, E., Loock, M., & Kritzinger, E. (2018). Establishing information security policy compliance culture in organizations. Information & Computer Security, 26(4), 420-436.
3. Burns, A. J., Roberts, T. L., Posey, C., Bennett, R. J., & Courtney, J. F. (2018). Intentions to comply versus intentions to protect: A VIE theory approach to understanding the influence of insiders’ awareness of organizational SETA efforts. Decision Sciences, 49(6), 1187-1228.
4. Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 523-548.
5. Caballero, A. (2017). Security education, training, and awareness. In Computer and information security handbook (pp. 497-505). Morgan Kaufmann.
6. Chen, Y., Ramamurthy, K., & Wen, K. W. (2012). Organizations' information security policy compliance: Stick or carrot approach?. Journal of Management Information Systems, 29(3), 157-188.
7. Da Veiga, A., & Martins, N. (2017). Defining and identifying dominant information security cultures and subcultures. Computers & Security, 70, 72-94.
8. Dhillon, G., Abdul Talib, Y. Y., & Picoto, W. N. (2020). The mediating role of psychological empowerment in information security compliance intentions. Journal of the Association for Information Systems, 21(1), 152-174.
9. Da Veiga, A., & Eloff, J. H. (2010). A framework and assessment instrument for information security culture. Computers & security, 29(2), 196-207.
10. Da Veiga, A., Astakhova, L. V., Botha, A., & Herselman, M. (2020). Defining organisational information security culture—Perspectives from academia and industry. Computers & Security, 92, 101713.
11. Eisenberger, R., Rhoades Shanock, L., & Wen, X. (2020). Perceived organizational support: Why caring about employees counts. Annual Review of Organizational Psychology and Organizational Behavior, 7, 101-124.
12. Eisenberger, R., Huntington, R., Hutchison, S., & Sowa, D. (1986). Perceived organizational support. Journal of Applied psychology, 71(3), 500-507.
13. Groysberg, B., Lee, J., Price, J., & Cheng, J. (2018). The leader’s guide to corporate culture. Harvard business review, 96(1), 44-52.
14. Gundu, T., & Flowerday, S. V. (2013). Ignorance to awareness: Towards an information security awareness process. SAIEE Africa Research Journal, 104(2), 69-79.
15. Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), 615-660.
16. Hwang, I. H., & Hu, S. H. (2021). A Study on the Information Security Related Organizational Citizenship Behavior: From Prospect Theory and Goal Orientation Theory Perspective. Journal of Digital Convergence, 19(1), 89-97.
17. Hengstler, S., & Pryazhnykova, N. (2021). Reviewing the Interrelation Between Information Security and Culture: Toward an Agenda for Future Research. In International Workshop on Current Compliance Issues in Information Systems Research (CIISR 2021) in: 16th International Conference on Wirtschaftsinformatik (WI2021), 36-51.
18. Hina, S., Selvam, D. D. D. P., & Lowry, P. B. (2019). Institutional governance and protection motivation: Theoretical insights into shaping employees’ security compliance behavior in higher education institutions in the developing world. Computers & Security, 87, 101594, 1-15.
19. Hassandoust, F., & Techatassanasoontorn, A. A. (2020). Understanding users' information security awareness and intentions: A full nomology of protection motivation theory. In Cyber influence and cognitive threats (pp. 129-143). Academic Press.
20. Hanus, B., & Wu, Y. A. (2016). Impact of users’ security awareness on desktop security behavior: A protection motivation theory perspective. Information Systems Management, 33(1), 2-16.
21. Hu, S. H., & Hwang, I. H. (2021). Analysis of the effects of Information Security Awareness, Response Efficacy, and Compliance Behavioral Intention on Information Security Behavior: Focursing on Availability and Culture. Journal of the Korea Convergence Society, 12(1), 211-218.
22. Hadlington, L., Binder, J., & Stanulewicz, N. (2021). Exploring role of moral disengagement and counterproductive work behaviours in information security awareness. Computers in Human Behavior, 114, 106557.
23. Hau, Y. S., Kim, B., Lee, H., & Kim, Y. G. (2013). The effects of individual motivations and social capital on employees’ tacit and explicit knowledge sharing intentions. International Journal of Information Management, 33(2), 356-366.
24. Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79.
25. Ifinedo, P. (2018). Roles of organizational climate, social bonds, and perceptions of security threats on IS security policy compliance intentions. Inf. Resour. Manag. J., 31(1), 53-82.
26. Karlsson, M., Karlsson, F., Åström, J., & Denk, T. (2022). The effect of perceived organizational culture on employees’ information security compliance. Information & Computer Security, 30(3), 382-401.
27. Kam, H. J., Mattson, T., & Goel, S. (2020). A cross industry study of institutional pressures on organizational effort to raise information security awareness. Information Systems Frontiers, 22(5), 1241-1264.
28. Khando, K., Gao, S., Islam, S. M., & Salman, A. (2021). Enhancing employees information security awareness in private and public organisations: A systematic literature review. Computers & security, 106, 102267.
29. Quinn, R. E. (1988). Beyond rational management: Mastering the paradoxes and competing demands of high performance. Jossey-Bass.
30. Quinn, R. E., & Rohrbaugh, J. (1983). A spatial model of effectiveness criteria: Towards a competing values approach to organizational analysis. Management science, 29(3), 363-377.
31. Schein, E. H. (2010). Organizational culture and leadership (Vol. 2). John Wiley & Sons.
32. Sharma, S., & Aparicio, E. (2022). Organizational and team culture as antecedents of protection motivation among IT employees. Computers & Security, 120, 102774.
33. Safa, N. S., Von Solms, R., & Futcher, L. (2016). Human aspects of information security in organisations. Computer Fraud & Security, 2016(2), 15-18.
34. Solomon, G., & Brown, I. (2021). The influence of organisational culture and information security culture on employee compliance behaviour. Journal of Enterprise Information Management, 34(4), 1203-1228.
35. Stafford, T., Deitz, G., & Li, Y. (2018). The role of internal audit and user training in information security policy compliance. Managerial Auditing Journal, 33(4), 410-424.
36. Siponen, M., & Vance, A. (2014). Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations. European Journal of Information Systems, 23(3), 289-305.
37. Trang, S., & Nastjuk, I. (2021). Examining the role of stress and information security policy design in information security compliance behaviour: An experimental study of in-task behaviour. Computers & Security, 104, 102222.
38. Van Muijen, J. J. (1999). Organizational culture: The focus questionnaire. European Journal of work and organizational psychology, 8(4), 551-568.
39. VandeWalle, D. (1997). Development and validation of a work domain goal orientation instrument. Educational and psychological measurement, 57(6), 995-1015.
40. Wiley, A., McCormac, A., & Calic, D. (2020). More than the individual: Examining the relationship between culture and Information Security Awareness. Computers & security, 88, 101640.
41. Wall, J. D., Palvia, P., & Lowry, P. B. (2013). Control-related motivations and information security policy compliance: The role of autonomy and efficacy. Journal of Information Privacy and Security, 9(4), 52-79.
42. Yuryna Connolly, L., Lang, M., Gathegi, J., & Tygar, D. J. (2017). Organisational culture, procedural countermeasures, and employee security behaviour: A qualitative study. Information & Computer Security, 25(2), 118-136.
網路部份
1. iThome。[iThome大調查系列1：2023資安大調查] 2022年臺灣企業的資安災情有多嚴重？。2023年5月21日。取自https://www.ithome.com.tw/article/156839
2. CompTIA美國電腦工業協會。CompTIA 2022年網路安全狀況研究報告。2022年9月。取自https://www.comptia.org/content/research/cybersecurity-trends-research
3. 趨勢科技。趨勢科技2023資安報告與年度預測(中文版)。2022年12月21日。取自https://www.trendmicro.com/zh_tw/security-intelligence/threat-report.html