English Abstract
Information technologies have enabled businesses to streamline their management information flows across organizational boundaries. However, the ever-increasing dependency on IT has also made information security an emerging risk. Theoretical models suggest that a rational decision-making paradigm should be followed to deal with such problems. However, this study interviewed nine high-level MIS managers in five Taiwanese publicly listed companies and found otherwise. When these CIOs deal with management problems related to information security risk, they rarely seem to make decisions based on probability estimates of the risks or on a cost-benefit analysis of the alternative security controls. Rather, they rely on subjective perception and decision shortcuts. Based on the results of a literature review and this exploratory research, we propose a research model for the relationship between CIOs' risk perception and business information security risk management. We would like to draw CIOs' attention to this finding, so as to prevent the insidious impact of information security risk control decisions that are based on personal cognitive biases and errors.