Master's/Doctoral thesis etd-0626120-224033: details
Title page for etd-0626120-224033
Title
組織資訊安全管理機制對員工濫用電腦行為影響之研究:以一般威嚇理論和理性選擇理論來探討
The Impact of an Organization's Information Security Management Mechanism on Employees' Computer Abuse: Based on General Deterrence Theory and Rational Choice Theory
Department
Year, semester
Language
Degree
Number of pages
73
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2020-06-19
Date of Submission
2020-07-26
Keywords
ISO 27001, Information Security, Rational Choice Theory, Containment Theory, General Deterrence Theory
Statistics
The thesis has been browsed 5856 times and downloaded 2 times.
Abstract
As technology advances ever more rapidly, both enterprises and governments have gradually moved into a digital environment in which information systems are an indispensable tool. The convenience of digitalization has brought information security concerns with it. Industry and academia alike pay increasing attention to information security, and both enterprise investment in security budgets and the demand for information security personnel grow year by year. By strengthening confidentiality, integrity and availability, organizations no longer treat information security merely as a defensive tool but as a competitive strategy.
The direct and indirect effects of computer abuse often have a major impact on enterprises. Among its causes, negligence and insufficient security awareness on the part of internal employees account for the highest proportion, making insiders the largest threat within the organization. In the early days, most enterprises treated information security defense as a purely technical problem and concentrated on operating and upgrading physical security, system development and maintenance, and networks, while neglecting the management side. Many scholars have argued that management measures and strategies for information security are necessary if prevention is to be comprehensive.
This study therefore takes the security action cycle as its background and, at the deterrence stage, examines whether the policy, organizational and individual elements of ISO 27001 have an effect inside and outside the organization, and whether the deterrent outcome of each element influences the process by which internal personnel go on to make a rational choice, so that potential abuse of enterprise information can be defended against more effectively.
Table of Contents
Thesis approval form i
Abstract (Chinese) ii
Abstract (English) iii
Table of contents iv
List of figures v
List of tables v
Chapter 1 Introduction 1
Section 1 Research background 1
Section 2 Research motivation and purpose 3
Section 3 Research process 5
Chapter 2 Literature review 6
Section 1 Information security 6
Section 2 Criminological theories 11
Section 3 Psychological theories 15
Chapter 3 Research method 16
Section 1 Research framework 16
Section 2 Research hypotheses 17
Section 3 Collection of constructs and variables 23
Section 4 Research design 25
Chapter 4 Data analysis 41
Section 1 Statistical analysis of demographic variables 41
Section 2 Partial least squares analysis 46
Section 3 Hypothesis testing 49
Section 4 Discussion 52
Chapter 5 Conclusions and recommendations 53
Section 1 Conclusions 53
Section 2 Research contributions 54
Section 3 Research limitations 55
Section 4 Suggestions for future research 56
References 57
Appendix 63
Fulltext
This electronic full text is licensed to users only for personal, non-commercial retrieval, reading and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it, so as to avoid infringement.
Thesis access permission: user-defined release date
Available:
On campus: available
Off campus: available


Printed copies
Public access information for printed theses is relatively complete from academic year 102 (ROC calendar) onward. To look up public access information for printed theses from academic year 101 or earlier, please contact the printed thesis service counter of the Library and Information Services office. We apologize for any inconvenience.
Availability: available
