Chapter 5 Conclusions and Recommendations
Section 4 Recommendations for Future Research
In the course of this study we tried to account for as many situations as possible and, for the sake of rigor, revised the research process repeatedly. Some parts nevertheless remain constrained by inherent limitations of the research design, and others were identified during the study as areas that could be improved but could not be fully corrected in the results presented here. We therefore offer the following suggestions for future research, in the hope that they will be of help to researchers interested in the topic of information security outsourcing.
In this study we examined the effectiveness of outsourcing in reducing operating costs by looking at the increase or decrease in costs of various kinds after information security is outsourced. The responses show, however, that some respondents treated the expenditure on outsourcing itself as an increase in operating costs, which deviates somewhat from the concept of our original research design. To measure more accurately the benefits that outsourcing brings to an enterprise, we suggest that future research compare the cost of outsourcing with the cost that would be incurred without outsourcing; this would give a more precise measure of the benefit of information security outsourcing.
Future research could also examine more fully the differences between enterprises that outsource information security and those that do not. Comparing the two would show the actual effect of outsourcing more clearly and allow a deeper comparison of the strengths and weaknesses of each approach, although this would naturally require a larger research investment.
Through our interactions with industry during the study and the presentation of the results, we observed that enterprises in different industry categories differ greatly in how they view and position information security outsourcing, and that this strongly affects their willingness to outsource. Future research could therefore take up comparisons across industries, exploring the causes of the differences in willingness to outsource information security, or which industries are better suited to outsourcing information security activities.
The model considered in this study mainly observes the relationship between the information security resources obtained through outsourcing and the enterprise's competitive advantage. When information security is actually outsourced in practice, however, many risk considerations are involved; that is, the level of outsourcing risk may affect the relationship between the willingness to outsource and the competitive advantage obtained. We therefore also suggest that future researchers take risk into account and develop a more complete research model for studying information security outsourcing, which we believe would be of greater benefit to practice.
Appendix
Appendix 1 Questionnaire
Survey on the Risks and Effectiveness of Information Security Outsourcing
Dear Sir or Madam,
This study investigates information security outsourcing. Through this questionnaire we hope to survey the risk factors enterprises face when adopting information security outsourcing and to explore the effectiveness of adopting it. The results will serve as a reference for enterprises and government agencies making decisions about outsourcing information security services. The contents of this questionnaire are used solely for aggregate academic analysis; data on individual organizations will never be made public.
We kindly ask you to spend about fifteen minutes completing this questionnaire, and we look forward to receiving your valuable response soon.
Each of your opinions will be of great help to this study. To thank you for your assistance, we would be happy to share the research results with you.
With best wishes for your health and happiness,
Graduate Institute of Information Management, National Taiwan University. Advisor: Dr. 許瑋元. Graduate students: 詹偉銘, 陳禹帆
II. This part aims to understand the degree of change and impact on information security after your company outsourced information security; please
Competitive advantage
44. Corporate governance (e.g., setting the direction of the information security architecture and security policies, information security risk management)
45. Other
Part IV: Organization Profile
46. The total number of employees of your company (agency) is approximately
□ Under 100 □ 100–500 □ 500–1,000 □ 1,000–5,000 □ 5,000–10,000 □ Over 10,000
75. Your company's (agency's) net revenue for fiscal year 98 of the ROC calendar (2009) was approximately (NT$)
□ Under 1 billion □ 1–5 billion □ 5–10 billion □ 10–50 billion □ 50–100 billion □ Over 100 billion
76. The industry category to which your company (agency) belongs
□ Government agency □ Finance and insurance □ Electronics and IT □ Traditional manufacturing
□ Construction and civil engineering □ Wholesale and retail □ Legal and accounting □ Healthcare
□ Logistics and warehousing □ Culture and education services □ Mass media □ Other (please specify)
77. How many years ago was your company's (agency's) IT department established?
□ Within 1 year □ 1–3 years □ 4–5 years □ 6–9 years □ 10 years or more
78. The number of staff in your company's (agency's) IT department (or IT professionals) is approximately:
□ Under 10 □ 10–50 □ 50–100 □ 100–200 □ 200–500 □ Over 500
79. Your company's (agency's) total annual IT budget is approximately: (NT$)
□ Under 100,000 □ 100,000–1 million □ 1–10 million □ 10–100 million □ 100 million–1 billion
□ Over 1 billion
, which is approximately ___ % of the company's total budget □ Don't know
80. Your company's (agency's) total annual information security budget is approximately: (NT$)
□ Under 10,000 □ 10,000–100,000 □ 100,000–500,000 □ 500,000–1 million □ 1–10 million □ Over 10 million
, which is approximately ___ % of the total IT budget □ Don't know
81. Your company's (agency's) annual information security outsourcing budget is approximately (skip if you do not outsource):
□ Under 10,000 □ 10,000–50,000 □ 50,000–100,000 □ 100,000–200,000 □ 200,000–500,000 □ 500,000–1 million □ Over 1 million
, which is approximately ___ % of the total information security budget □ Don't know
If you would like to learn about the research results, please leave your contact e-mail address after completing the questionnaire and we will send you the results.
Email:
This is the end of the questionnaire. Thank you for your kind participation!