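Abstract: | Over the past five years, our research has centered on “information security behavior,” with the aim of helping information security vendors and government agencies promote information security work. Yeh and Chang (2007a) surveyed the state of information security adoption in Taiwan and found no positive relationship between organizational IS managers’ “threat perception” of information assets and their adoption of “information security measures.” This means that a higher perception of information security risk did not lead managers to adopt information security measures more actively. This asymmetry between “risk perception” and “adoption of risk-prevention technology” runs counter to the basic theories of the “planned behavior model” and the “technology acceptance model” proposed by earlier scholars. Therefore, in the earlier project we examined in depth “decision-makers’ behavior in adopting and formulating information security measures.” The subsequent two-year project is described as follows. The first-stage project begins by extending the findings of the earlier National Science Council (NSC) project to explore the factors behind decisions to adopt general “protective technologies.” When an organization adopts a protective technology, the factors it considers differ from those of traditional technology acceptance models: “perceived usefulness” is weighed not in terms of positive benefits but, conversely, in terms of risk reduction. Drawing on “risky decision-making behavior” and “protection motivation theory,” and adding two kinds of “perceived risk,” namely perceived risk of adoption and perceived risk to assets, we formulate the predictor variables that influence decision-makers’ attitudes toward protective technologies. Besides “the decision-maker’s attitude,” this study also adds “subjective norm” and “perceived behavioral control,” key determinants of technology acceptance, and incorporates the “moral judgment” factor of Banerjee et al. (1998) into the model, in order to propose a complete behavioral model of protective-technology adoption decisions. The second-year project focuses on “organization members’ intention to adopt or comply with the information security measures prescribed by the organization’s information security policy.” The field of information security is receiving increasing attention from Taiwan’s government and enterprises; however, an organization’s level of information security depends not only on management formulating an information security policy but also on employees complying with it. In the earlier project we examined in depth “the behavioral model of decision-makers’ adoption or formulation of information security measures,” whereas this second-year project examines “behavioral intention at the individual level,” that is, “the behavioral intention of individuals within the organization toward information security measures.” In examining individual-level behavioral intention, “employee attitude” is an important predictor variable, yet the past literature has focused only on individuals’ attitudes toward the security measures themselves (Bulgurcu, Cavusoglu, and Benbasat, 2010; Herath and Rao, 2009; Pahnila, Siponen, and Mahmood, 2007) and has neglected individuals’ attitudes toward their job and organization. Research in the field of organizational behavior shows that organizational citizenship behavior affects individuals’ compliance with organizational policies, and that individuals’ attitudes toward their job and organization are important factors in citizenship behavior. Therefore, this study considers three individual attitudes simultaneously (job, attitude, and attitude toward the information security measures themselves) to explore a possible individual-level “behavioral model of adopting or complying with information security measures.”

Over the past five years, our research has focused on “information system (IS) security usage,” to help the government and organizations enhance their IS security effectiveness. We conducted a survey and observed that the scope of the countermeasures adopted by IS managers was not commensurate with their perception of threat severity (Yeh and Chang, 2007a). The result means that an IS manager who perceived a higher risk for an IS asset did not adopt more security measures for it. This asymmetric relationship between “risk perception” and “the scope of countermeasures adopted” deviates from the principles of traditional information technology utilization models, such as TPB and TAM. 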
Therefore, in the earlier NSC project we intended to propose a behavioral model of decision-makers’ adoption of security measures. In the next two-year NSC project, our research will concentrate on the following issues. In the first year, we intend to clarify decision-makers’ behavior toward the adoption of protective technologies, building on the findings of the earlier NSC project. In the adoption of IS security technologies, the role of perceived usefulness in adopting protective technologies differs fundamentally from its role in adopting general benefit technologies. The former emphasizes the degree of hazard prevention or mitigation associated with adopting a particular protective technology, while the latter primarily considers the degree of positive benefit that an individual believes using a specific technology will achieve. We draw on the traditional theories of “risky decision-making behavior” and “protection motivation theory (PMT)”, add two determinants of risk perception to our behavior model, namely perceived risk of adoption and perceived risk of the assets protected, and try to explain decision-makers’ behavior towards protective technology usage. In addition to the decision-maker’s attitude, we also consider the effects on protective technology adoption of three constructs: subjective norm and perceived behavior control, extracted from DTPB, as well as moral judgment, extracted from Banerjee et al. (1998). In the second year, this study will focus on employees’ behavior towards IS security policy compliance. To enhance the effectiveness of an organization’s IS security, security policy must not only be developed by managers but also be adopted or complied with by staff. Past work has indicated that employees’ attitudes play a key role in predicting their behavioral intention. 
However, traditional studies related to this issue (e.g., Bulgurcu et al., 2010; Herath and Rao, 2009; Pahnila et al., 2007) consider only staff attitudes towards adopting security controls, and ignore other attitudes that can lead to security control adoption, e.g., individuals’ attitudes towards their job and organization. Studies in the field of organizational behavior have shown that organizational citizenship behavior (OCB) affects an individual’s compliance with organizational policies, and that individuals’ attitudes towards work and organization are important factors affecting their extra-role citizenship behavior. Therefore, this study simultaneously considers the effects of three individual attitudes, namely job satisfaction, organizational commitment, and attitude towards the security control itself, on IS security policy adoption and compliance. |