網路與資訊蓬勃發展,除帶來眾多便利亦伴隨著日益嚴重的資訊安全問題。各組織為能確保營運持續,紛紛投注相當資源來建立資訊安全管理系統,以保護重要資訊資產避免遭受各種威脅。有效的資訊安全管理系統並非消弭所有的風險,而是協助組織去辨識與評估所有的威脅與弱點,進而即早採取適當的方法來管理風險。 風險的存在性是不變的,但每個人對風險的認知與容忍程度都不盡相同,即使採用相同的方法論亦可能產生不同的風險評估結果。本研究將資訊安全風險評估之差異因素分成三大層面以進行分析,分別是驗證範圍層面、資訊特性層面與資訊類別層面,並用層級分析法(Analytic Hierarchy Process,AHP)所提的層級架構,建立研究架構的模式,最後並以實際案例說明其個別執行或相結合應用的程序。 本文探討相同風險評估模式應用於背景類似之組織時,其風險評估結果的差異原因,希望能找出風險評估方法與組織特質影響的關聯,以作為未來學術單位執行資訊風險評估之重要參考依據。 Recently, network and information have been vigorously developed, and have truly brought us much convenience for our every life. However, they also bring forth an increasingly serious security problem. Many organizations have invested considerable resources to establish their information security management systems to protect their critical information assets against threats and ensure the safety and security of their business continuity. The main task of an information security management system is not eliminating all risks, but assisting the organizations to identify and evaluate all threats and vulnerabilities, and then help them to take appropriate and immediate methods for risk management.Risks always exist in our surrounding. But a person's perception on risk and the degree of risk tolerance are different. Even with the same methodology, they may produce different risk assessment results. In this study, we compare the assessment results of two identical organizations. The information security risk assessment factors to be analyzed are divided into three levels, including the levels of risk verification, information characteristics and information category We use a hierarchical structure proposed by the Analytic Hierarchy Process (AHP for short) to establish our research model. Two actual implementation cases are employed to describe their processes on individuals and a combined application. This study also explores the key reasons of the different results generated by two organizations of similar background which deployed the same risk assessment model, and try to find the reasons for differences in the risk assessment results. The purpose is to identify the impact of organizational characteristics associated with academic institutions. Someday, when organizations with the similar characteristics and background wish to perform their risk assessment, the research results can be a valuable and important reference.
