Master's and Doctoral Theses: detailed record for etd-0813121-153458
Title page for etd-0813121-153458
Title
Based on the Protection Motivation Theory and ISO 27001 - Exploring Employees' Information Security Policy Behavior
(Chinese title: 基於保護動機模式分析ISO27001對於公司員工遵從資訊安全政策之影響, i.e. "An analysis, based on the protection motivation model, of the influence of ISO 27001 on company employees' compliance with information security policy")
Department
Year, semester
Language
Degree
Number of pages
79
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2020-01-17
Date of Submission
2021-09-13
Keywords
Protection motivation theory, ISO 27001:2013, information security policy compliance, information security, information security management system
Statistics
This thesis has been viewed 431 times and downloaded 179 times.
Chinese Abstract (translated)
Threats in the information security environment emerge endlessly, and protection can no longer rely on hardware and software alone; the core role of employees in an organization's overall information security defense system keeps rising. Many scholars have shown, through extensive theoretical and empirical research, that employees' information security behavior is an important factor affecting organizational security, yet research on the factors that influence that behavior has not received the attention it deserves. Therefore, this thesis applies Protection Motivation Theory to ISO 27001, the most complete internationally recognized information security management standard, and empirically analyzes the influencing factors and modes of influence within it. The results will help organizational managers, by controlling the influencing factors, to encourage employees to carry out information security behavior actively and correctly, strengthening the organization's information security defense system.
Based on Protection Motivation Theory and introducing the ISO 27001 standard's organizational context, leadership, support mechanism and improvement mechanism as influencing factors, this thesis constructs a model of the factors influencing employees' information security behavior. Corresponding research hypotheses are proposed for the model; each hypothesis is explained and argued in detail and objectively, measurement scales and a questionnaire are designed, and the data from the 296 valid questionnaires returned are analyzed.
Because the analysis is carried out through an internationally adopted information security policy standard, the experimental results can, in practice, give managers of organizational information security services operational strategies, suggestions and directions for the future, and offer organizational managers actionable recommendations for getting employees to comply with information security policy, echoing the theory and viewpoints above.
Abstract
Improved technology, hardware and software alone have been unable to protect information security against the complex external environment and its varied threats. As a consequence, the core position of employees in the organization's overall information security system has become more and more important. Through extensive theoretical and empirical research, many scholars have proved that the information security behavior of employees is an important factor influencing organizational security; however, research on the factors influencing that behavior has not received much attention. Therefore, this thesis draws on the relevant theories of psychology and statistics to analyze the mechanism by which various factors influence the information security behavior of employees, and to analyze the categories and influencing modes of these factors. The results of this study will help organizational managers control the influencing factors so as to encourage employees to carry out information security behavior actively and correctly, with the aim of strengthening the organizational security system.
Based on the Protection Motivation Theory, this thesis introduces influencing factors from ISO 27001, namely the organizational environment, organizational leadership, the organizational support mechanism and the organizational improvement mechanism, to construct a model of the factors influencing employees' information security policy behavior.
Therefore, when organizations pay attention to the influence of leadership, support mechanisms and improvement mechanisms on employees, they can raise employees' information security policy behavior.
Table of Contents
Thesis Approval Form i
Chinese Abstract ii
English Abstract iii
Chapter 1 Introduction 1
1.1 Research Background 1
1.2 Research Motivation 1
1.3 Research Objectives 4
Chapter 2 Literature Review 5
2.1 Information Security 5
2.2 Information Security Management System (ISMS) 6
2.2.1 International Organization for Standardization (ISO) 6
2.2.2 Introduction to ISO 27001 7
2.2.3 Composition of ISO 27001:2013 7
2.2.4 Current Global Adoption of ISO 27001 9
2.3 Protection Motivation Theory (PMT) 10
2.3.1 Overview of Protection Motivation Theory 10
2.3.2 Related Research on Protection Motivation Theory 13
Chapter 3 Theoretical Model and Research Hypotheses 16
3.1 Research Model 16
3.2 Research Hypotheses and Inferences 17
3.3 Operational Definitions 24
3.4 Research Design 30
3.4.1 Questionnaire Design 30
3.4.2 Research Subjects 31
3.5 Data Analysis Methods 31
3.5.1 Descriptive Statistical Analysis 31
3.5.2 Reliability Analysis 31
3.5.3 Validity Analysis of First-Order Constructs 32
3.5.4 Validity Analysis of Second-Order Constructs 33
3.5.5 Hypothesis Testing 33
Chapter 4 Data Analysis and Empirical Results 34
4.1 Sample Analysis 34
4.1.1 Descriptive Statistical Analysis of Demographic Variables 34
4.1.2 Descriptive Statistical Analysis of Usage Behavior 39
4.2 Reliability and Validity Analysis 39
4.2.1 Convergent Validity Analysis 40
4.2.2 Discriminant Validity Analysis 43
4.3 Hypothesis Testing 44
4.3.1 Testing of the Research Hypotheses 44
4.3.2 Hypothesis Analysis and Discussion 47
4.4 Group Testing 50
4.4.1 Grouping by Gender 50
Chapter 5 Conclusions and Suggestions 53
5.1 Research Conclusions 54
5.2 Research Contributions 55
5.3 Research Limitations 55
5.4 Future Research Directions 56
Chapter 6 References 57


Fulltext
This electronic full text is licensed only for personal, non-profit retrieval, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization, so as to avoid infringement.
Thesis access permission: unrestricted (fully open on and off campus)
Available:
Campus: available
Off-campus: available


Printed copies
Public-access information for printed copies is relatively complete from academic year 102 onward. To look up public-access information for printed copies from academic year 101 or earlier, please contact the printed thesis service desk of the Library and Information Services. We apologize for any inconvenience.
Availability: available
