dc.contributor.advisor | 傅豐玲 | zh_TW |
dc.contributor.author (Authors) | 洪裕傑 | zh_TW |
dc.contributor.author (Authors) | Hung,Yu-Chieh | en_US |
dc.creator (作者) | 洪裕傑 | zh_TW |
dc.creator (作者) | Hung,Yu-Chieh | en_US |
dc.date (日期) | 2005 | en_US |
dc.date.accessioned | 18-Sep-2009 14:30:25 (UTC+8) | - |
dc.date.available | 18-Sep-2009 14:30:25 (UTC+8) | - |
dc.date.issued (上傳時間) | 18-Sep-2009 14:30:25 (UTC+8) | - |
dc.identifier (Other Identifiers) | G0093356035 | en_US |
dc.identifier.uri (URI) | https://nccur.lib.nccu.edu.tw/handle/140.119/35232 | - |
dc.description (描述) | 碩士 | zh_TW |
dc.description (描述) | 國立政治大學 | zh_TW |
dc.description (描述) | 資訊管理研究所 | zh_TW |
dc.description (描述) | 93356035 | zh_TW |
dc.description (描述) | 94 | zh_TW |
dc.description.abstract (摘要) | 隨著網際網路的快速成長,資訊安全已成為企業最重視的議題之一。企業必須保護自己免於網路威脅(Cyber-Threat),不過防止企業免受網際威脅已非易事,這也為企業資訊安全風險埋下了一顆不定時炸彈。換句話說,資訊安全風險是現今企業所面臨的主要挑戰之一,企業資訊安全防護的好壞將直接反應在企業的盈虧上,甚至可能影響到顧客對該企業產品或服務的滿意度等,對企業的殺傷力是不容忽視的。目前的防毒軟體(Anti-Virus)與威脅管理系統(Threat Management System)所能提供的基本功能都是大同小異,其效能也在伯仲之間,但是企業使用的成效則大不相同。因此如何掌握左右企業資訊安全風險的主要影響因子,並根據該影響因子提供企業一套資訊安全策略以解決其所面臨的風險與使得金錢上的損失降到最低,將是改善企業資訊安全風險的關鍵成功因素。本研究首先透過與五位企業安全維護有實務經驗的專家訪談,了解資訊安全之重要影響因素並不在於投入防毒軟體的預算金額,反而是企業的資訊安全策略類型,如使用者與資訊安全人員關係型態、資訊安全人員的素質、高階主管對資訊安全政策的支持之類因素更重要。接著藉由問卷調查,以國內某著名防毒軟體客戶為樣本,發出1910份郵寄問卷與網路問卷邀請email信,共回收102份有效問卷,回收率5.3%。問卷共分為兩大部份:組織特徵(包括公司背景、過去三年病毒感染情形、防毒系統、資訊安全管理現況)及防毒能力評估(防毒軟體的使用、監控與過濾、追蹤裝置、區隔網路等四類防毒技術的使用,與弱點管理、病毒碼部署、帳號管理、應用程式與網路使用的權限、回應與恢復程序等五類安全程序政策,組織的責任與能力、組織的順從、對教育訓練的重視等三項組織因素)。以「病毒爆發數量」、「病毒爆發影響嚴重性」、「偵測病毒數」與「偵測感染事件事」為應變數,以公司概況及防毒能力評估各變項為自變數進行單因子與多因子變異數分析,分析結果顯示組織大小及防毒軟體的使用、弱點管理、帳號管理等安全程序政策是影響「病毒爆發數量」的重要因素;組織大小、網路管理等組織特徵,防毒軟體的使用、弱點管理、病毒碼部署等安全程序政策及教育訓練等是影響「病毒爆發影響嚴重性」的重要因素;組織大小與防毒軟體的使用、監控與過濾等防毒技術的使用,弱點管理影響「偵測病毒數」的重要因素;組織大小、弱點管理、與教育訓練等是影響「偵測感染事件數」的重要因素。本研究藉由分析企業在資訊安全所面臨到的風險,得以建立並發展相關評量的模型,研究結果除了可以提供廠商與設計人員在開發企業資訊安全風險評量時參考的依據,也為後續的相關實證研究提供一些建議的方向。 | zh_TW |
dc.description.abstract (摘要) | Following the growth of the www internet in the latest years, information security has become the most important topic among all enterprise companies. Enterprise companies have to protect themselves from Cyber-Threat, but this is not an easy job at all. That means a hidden bomb has already been planted inside their information systems. In another words, the information security threat is the main challenge that all enterprise companies are facing right now. The performance of the defensive system that an enterprise company is using directly impacts whether this company can have a profit gain or loss; furthermore, this affects the customers’ satisfaction about the company’s products and services. This threat can harm the company and should not be ignored. Right now the basic service that Anti Virus software and Threat Management System can provide and their performance are functionally the same, but the effective factor of how each different companies use them may yield a big difference. Hence, knowing how to control the main factor of the information security threat of the company and knowing how to provide the best and the most secured strategy according to the threat to solve any possible future threat such that the loss of profit can be minimized, will be the most important aspect for an enterprise company to be succeeded. This research was conducted by interviewing with five experienced enterprise security maintenance experts at first. From the conservation, we have learned that the main factor of the information security is not depending on the amount of budget that the company has spent on anti-virus software. In fact the strategy type that the company uses for information security is the main reason. This includes the relational model between the users and the information security members, the quality of the information security members, the support of information security strategy from the top manager, and etc. These are more important factors.We have then conducted a survey among the customers from one of the famous anti virus software in Taiwan. We have sent out 1910 questionnaire mails and online survey invitation emails, we have collected back 102 copies of valid questionnaires (5.3% of the total). The questionnaire contains two parts: the characteristic of the company (including the background of company, the virus infection situation in the past three years, the anti virus system, the present situation of information security management), and the performance evaluation of the anti-virus system (which one(s) out of the four anti-virus techniques that the current company is applying: using anti-virus software, monitoring and filtering, using some tools for tracing, and the separation of local area network. Which one(s) out of five security process strategies that the company is using: weakness management, virus pattern deployment, account management, permission of using application and network, and response and restore process. And the factor of company: the responsibility and ability, the obedient, and the weight that was put for educational training.) Using the infection number of virus, the impact severity of virus spread, the quantity of detectable virus, and the number of detectable infection events as dependent variables, along with using the situation of company and each items in anti-virus ability evaluation as single factor or multiple factor variant analysis, the analyzed result shows that the size of companies and the security process strategies such as the use of anti-virus software, weakness management, and account management, are the main factors of the infection number of virus. The characteristic of the company such as the size of companies and its network management, the security process strategies such as the use of anti-virus, weakness management, and virus pattern deployment, and the educational training are the main reasons of affecting the severity of virus spread. The size of company, the use of anti virus technique such as the use of anti-virus software and the monitoring and filtering, and weakness management are the main factors of the number of detected virus. The size of company, weakness management, and the educational training are the main factor of the number of events of detected infection. According to the analysis of the threat of information security that an enterprise company would face, this research has built and developed a related evaluation model. The result from this research not only can provide a reference for companies and software designers when they evaluate their enterprise information security, but also suggest a new direction for future research. | en_US |
dc.description.tableofcontents | 摘要 IABSTRACT III誌謝 VI第壹章 緒論 1第一節 研究背景與動機 1第二節 研究目的 4第三節 研究方法 5第四節 論文架構 6第貳章 文獻探討 8第一節 資訊安全定義及範圍 8第二節 資訊安全現況 10第三節 影響資訊安全因素 12第四節 有效掌控資訊事故之基礎 14第五節 現有的資訊安全產品種類 17第參章 研究設計 20第一節 研究架構 20第二節 資料蒐集 20第三節 研究假設 21第四節 研究變數定義與問卷設計 22第五節 分析方法 25第肆章 研究分析 27第一節 訪談分析 27第二節 調查樣本分析結果 29第三節 影響資訊安全的關鍵因素分析 39第四節 樣本類型探勘 55第伍章 結論與建議 62第一節 結論與建議 62第二節 研究限制 66 | zh_TW |
dc.format.extent | 75265 bytes | - |
dc.format.extent | 110176 bytes | - |
dc.format.extent | 126182 bytes | - |
dc.format.extent | 89106 bytes | - |
dc.format.extent | 181164 bytes | - |
dc.format.extent | 238743 bytes | - |
dc.format.extent | 185828 bytes | - |
dc.format.extent | 404828 bytes | - |
dc.format.extent | 166478 bytes | - |
dc.format.extent | 63254 bytes | - |
dc.format.extent | 168754 bytes | - |
dc.format.extent | 87713 bytes | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.format.mimetype | application/pdf | - |
dc.language.iso | en_US | - |
dc.source.uri (資料來源) | http://thesis.lib.nccu.edu.tw/record/#G0093356035 | en_US |
dc.subject (關鍵詞) | 資訊安全 | zh_TW |
dc.subject (關鍵詞) | 病毒 | zh_TW |
dc.subject (關鍵詞) | 網路威脅 | zh_TW |
dc.subject (關鍵詞) | 弱點管理 | zh_TW |
dc.subject (關鍵詞) | Information Security | en_US |
dc.subject (關鍵詞) | Virus | en_US |
dc.subject (關鍵詞) | Cyber-Threat | en_US |
dc.subject (關鍵詞) | Vulnerability Management | en_US |
dc.title (題名) | 企業資訊安全風險評估-以電腦病毒為例 | zh_TW |
dc.type (資料類型) | thesis | en |
dc.relation.reference (參考文獻) | 一、中文部分 | zh_TW |
dc.relation.reference (參考文獻) | [1] 李順仁,資訊安全,文魁,2003 | zh_TW |
dc.relation.reference (參考文獻) | [2] “90年度台閩地區電腦應用概論報告”,行政院主計處電子處理資料中心,http://www.dgbas.gov.tw/ct.asp?xItem=1329&ctNode=411,讀取日期:2005/12/31 | zh_TW |
dc.relation.reference (參考文獻) | [3] “93年電腦應用概況報告”,行政院主計處電子處理資料中心,http://www.dgbas.gov.tw/ct.asp?xItem=14284&CtNode=3545,讀取日期:2005/12/31 | zh_TW |
dc.relation.reference (參考文獻) | [4] “疾風病毒餘悸猶存!殺手病毒恐將造成另一波重大災情”,某公司,http://www.trendmicro.com/tw/home/enterprise.htm,讀取日期:2006/01/02 | zh_TW |
dc.relation.reference (參考文獻) | [5]“資訊安全概論”,台灣微軟,http://www.microsoft.com/taiwan/partner/columns/securitysurvey.aspx,讀取日期:2006/01/05 | zh_TW |
dc.relation.reference (參考文獻) | [6] “賽門鐵克公佈全球行動安全調查研究報告”,賽門鐵克,http://www.symantec.com/region/tw/press/tw_060411.html,讀取日期:2006/05/01 | zh_TW |
dc.relation.reference (參考文獻) | 二、英文部分 | zh_TW |
dc.relation.reference (參考文獻) | [7] Andreas E. Fielder, “On the Necessity of Management of Information Security”, Northwest, http://www.noweco.com/wp_iso17799e.htm, Access Date: 2006/05/01 | zh_TW |
dc.relation.reference (參考文獻) | [8] Anat Hovav and John D’Arcy, “The Impact of Virus Attack Announcements on the Market Value of Firms”, Information Systems Security, May/June 2004, pp32-40 | zh_TW |
dc.relation.reference (參考文獻) | [9] Austin, R.D. and Darby, C.A.R., “The Myth of Secure Computing”, Harvard Business Review, 81(6), June 2003, pp120-126 | zh_TW |
dc.relation.reference (參考文獻) | [10] Bruce Schneier, “The Process of Security”, http://infosecuritymag.techtarget.com/articles/april00/columns_cryptorhythms.shtml, Access Date: 2005/12/01 | zh_TW |
dc.relation.reference (參考文獻) | [11] Charles J. Kolodgy, Brian E. Burke, Christian A. Christiansen, Sally Hudson, Laurie A. Seymour, “IDC’s Enterprise Security Survey, 2004”, IDC, 2004 | zh_TW |
dc.relation.reference (參考文獻) | [12] Chen, T.M. “Trends in Viruses and Worms”, The Internet Protocol Journal, 6(3), 2003, pp23-33 | zh_TW |
dc.relation.reference (參考文獻) | [13] Computer Security Update, Internal Attacks Suppassing External Attacks at Firms, Worldwide Videotex, 2005 | zh_TW |
dc.relation.reference (參考文獻) | [14] Cybertrust Corporation, “Cybertrust Anti-Virus Practice Guide”, Cybertrust Corporation, 2004 | zh_TW |
dc.relation.reference (參考文獻) | [15] Ettredge, M. and V.J. Richardson, “Assessing the Risk in E-Commerce”, Proceedings of the 22nd International Conferenceon Information Systems, 2001 | zh_TW |
dc.relation.reference (參考文獻) | [16] Frank Cervone, “Understand the Big Picture so You Can Plan for Network Security”, Computers in Libraries, 25(3), 2005, pp10-14 | zh_TW |
dc.relation.reference (參考文獻) | [17] Glover, S., S. Liddle, et al. Electronic Commerce: Security, Risk Management, and Control. Prentice-Hall. | zh_TW |
dc.relation.reference (參考文獻) | [18] Gokhan Gercek, Ph.D. and Naveed Saleem , Ph.D. “Securing Small Business Computer Networks: An Examination of Primary Security Threat and Their Solutions”, Telecommunications, Network, and Internet Security, July/August 2005, pp18-28 | zh_TW |
dc.relation.reference (參考文獻) | [19] Gordon, L.A., M.P. Loeb, et al. “A Framework for Using Insurance for Cyber-Risk Management.” Communications of the ACM , 46(3), 2003, pp81-85 | zh_TW |
dc.relation.reference (參考文獻) | [20] Gordon, L.A. and M.P. Loeb, “The Economics of Information Security Investment”, ACM Transactions on Information and System Security, 5(4), pp438-457, 2002 | zh_TW |
dc.relation.reference (參考文獻) | [21] Harold F. Tipton, Micki Krause, Information Security Management Handbook 5th Edition, Auerbach publications, 2004 | zh_TW |
dc.relation.reference (參考文獻) | [22] Hindocha, N., “Threats to Instant Messaging”, Symantec White Paper, 2002 | zh_TW |
dc.relation.reference (參考文獻) | [23] Hovav, A. and J. D’Arcy, “The Impact of Denial-of-Service Announcement on the Market Value of Firms”, Risk Management and Insurance Review, 6(2), 2003, pp97-121 | zh_TW |
dc.relation.reference (參考文獻) | [24] Joe Licari, “Securing the Information Workplace: Managing Threats to Enterprise E-Mail, IM, and Document Sharing Environments”, Telecommunications, Network, and Internet Security, September/October 2005, pp45-49 | zh_TW |
dc.relation.reference (參考文獻) | [25] Kelly, B.J., “Preserve, Protect, and Defend”, Journal of Business Strategy, Sep-Oct, 1999, pp22-26 | zh_TW |
dc.relation.reference (參考文獻) | [26] Ken Dunham, “Battling the Bots”, Information System Security, May-June, 2005, pp6-9 | zh_TW |
dc.relation.reference (參考文獻) | [27] Kimball Fisher, Mareen Duncan Fisher, The Distributed Mind: Achieving High Performance Through the Collective Intelligence of Knowledge Work Team, AMACOM, 1997 | zh_TW |
dc.relation.reference (參考文獻) | [28] Larry Bridwell, “Computer Virus Prevalence Survey”, ICSA Lab, 2004 | zh_TW |
dc.relation.reference (參考文獻) | [29] Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson, “CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, 2004 | zh_TW |
dc.relation.reference (參考文獻) | [30] Lemos, R., “The Computer Virus – No Cures to be Found”, CNET News.com, November 25, 2003, http://zdnet.com.com/2100-1105-5111442.html, Access Date: 2006/01/09 | zh_TW |
dc.relation.reference (參考文獻) | [31] Matunda Nyanchama and Marc Stefaniu, “Analyzing Enterprise Network Vulnerabilities”, Information Systems Security, 12(2), 2003, pp44-49 | zh_TW |
dc.relation.reference (參考文獻) | [32] Montana, J.C., “Viruses and the Law: Why the Law is Ineffective”, The Information Management Journal, 34(4), 2000, pp57-60 | zh_TW |
dc.relation.reference (參考文獻) | [33] Power R., “CSI/FBI Computer Crime and Security Survey”, Computer Security Issues and Trends, 7(1), 2001, pp1-18 | zh_TW |
dc.relation.reference (參考文獻) | [34] Power R., “CSI/FBI Computer Crime and Security Survey”, Computer Security Issues and Trends, 9(1), 2003, pp1-20 | zh_TW |
dc.relation.reference (參考文獻) | [35] Salierno, D. “Manager Fail to Address E-Risk”, The Internal Auditor, April 2001 | zh_TW |
dc.relation.reference (參考文獻) | [36] Salkever, A. “Who Pays When Business Is Hacked?”, Business Week, http://www.businessweek.com/bwdaily/dnflash/may2000/nf00523d.htm, Access Date: 2005/12/10 | zh_TW |
dc.relation.reference (參考文獻) | [37] Steven Drew, “Reducing Enterprise Risk with Effective Threat Management”, Information Security Management, January/February 2005, pp37-42 | zh_TW |
dc.relation.reference (參考文獻) | [38] Stone, J. and Merrion, S., “Features: Instant Messaging or Instant Headache?”, ACM Queue, 2(2), April, 2004 | zh_TW |
dc.relation.reference (參考文獻) | [39] Tim Grance, Joan Hash, and Marc Stevens, “Security Considerations in the Information System Development Life Cycle”, NIST Special Publication 800-64, Oct., 2003 | zh_TW |
dc.relation.reference (參考文獻) | [40] “CERT/CC Statistics 1988-2005”, CERT/CC, http://www.cert.org/stats/cert_stats.html, Access Date: 2005/12/05 | zh_TW |
dc.relation.reference (參考文獻) | [41] “Control Management”, Trend Micro, http://www.trendmicro.com/en/products/management/tmcm/evaluate/overview.htm, Access Date: 2006/04/30 | zh_TW |
dc.relation.reference (參考文獻) | [42] “Managing Collective Intelligence – Toward a New Corporate Governance”, Axioplole, http://www.axiopole.com/en/index_en.html, Access Date: 2006/04/15 | zh_TW |
dc.relation.reference (參考文獻) | [43] “People, Process and Technology: Foundation for Effective Incident Handling”, LURHQ, http://www.lurhq.com, Access Date: 2005/07/08 | zh_TW |