Thesis access permission: user-defined release date
Available: on campus from 2027-08-12; off campus from 2027-08-12

Title: 以調節焦點理論探討接受資訊安全系統開發生命週期法(SSDLC)之影響因子 / Exploring Impact Factors of Adopting Secure Systems Development Life Cycle (SSDLC) Method: The Regulatory Focus Theory Perspective
Number of pages: 65
Date of exam: 2024-06-30
Date of submission: 2024-08-12
Keywords: SSDLC, Regulatory Focus Theory, conflict management, information security, security opportunism
Statistics: the thesis has been browsed 219 times and downloaded 0 times.
Abstract

In the context of rapid digital transformation and the COVID-19 pandemic, the surge in online demand has necessitated the development and improvement of information systems to support remote work and online services. As a result, integrating the Secure Software Development Life Cycle (SSDLC) in the development process has become crucial for ensuring system security. This study, based on Regulatory Focus Theory (RFT), analyzes the behavioral responses and conflict management strategies of different roles during SSDLC implementation and examines how these factors impact SSDLC adoption efficiency and overall information security management, highlighting their importance in enterprise information system security. The research findings indicate a significant positive correlation between promotion focus and positive coping strategies, which effectively enhance security compliance and voice behaviors while reducing security opportunism. However, the relationship between prevention focus and negative coping strategies is not significant. This implies that individuals with a promotion focus are more likely to actively address information security challenges and offer constructive suggestions, whereas those with a prevention focus mainly aim to avoid risks and losses and do not necessarily adopt negative coping strategies. Additionally, positive coping strategies are found to effectively promote security compliance and reduce security opportunism, thereby improving internal information security management. Through Structural Equation Modeling (SEM) analysis, this study validates the relationships between regulatory focus, coping strategies, extra-role behaviors, and security opportunism, and provides corresponding management recommendations to reduce conflicts during SSDLC implementation and enhance adoption efficiency. This research marks the first application of RFT in the SSDLC domain, offering new empirical support for the theory's application scope and providing rich theoretical insights and academic contributions for future information security management research.
Table of Contents

Thesis Approval Form (p. i)
Acknowledgements (p. ii)
Chinese Abstract (p. iii)
Abstract (p. iv)
Table of Contents (p. vi)
List of Figures (p. vii)
List of Tables (p. viii)
Chapter 1 Introduction (p. 1)
  Section 1 Research Background and Motivation (p. 1)
  Section 2 Research Objectives (p. 2)
  Section 3 Research Process (p. 4)
Chapter 2 Literature Review (p. 6)
  Section 1 Secure Systems Development Life Cycle (SSDLC) (p. 6)
  Section 2 Regulatory Focus Theory (p. 9)
  Section 3 Coping Theory and Conflict Coping (p. 11)
  Section 4 Stewardship Theory (p. 13)
  Section 5 Security Opportunism (p. 15)
Chapter 3 Research Methodology (p. 17)
  Section 1 Research Model (p. 17)
  Section 2 Research Hypotheses (p. 18)
  Section 3 Operational Definitions and Questionnaire Items (p. 22)
  Section 4 Research Design and Subjects (p. 27)
Chapter 4 Data Analysis (p. 29)
  Section 1 Sample Description and Statistics (p. 29)
  Section 2 Measurement Model Validation (p. 31)
  Section 3 Structural Model Analysis and Hypothesis Testing (p. 38)
Chapter 5 Conclusions (p. 40)
  Section 1 Research Conclusions and Discussion (p. 40)
  Section 2 Research Contributions (p. 41)
  Section 3 Research Limitations and Future Directions (p. 43)
Chapter 6 References (p. 44)
Appendix: Research Questionnaire (p. 51)
Fulltext

This electronic full text is licensed to users solely for personal, non-commercial retrieval, reading, and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost, or broadcast it without authorization. This thesis will be available for off-campus download on 2027-08-12.
Printed copies

Public access information for printed theses is relatively complete for academic year 102 and later. For printed theses from academic year 101 and earlier, please contact the printed thesis service desk of the Library and Information Services Office. We apologize for any inconvenience. Available from 2027-08-12.