政大機構典藏-National Chengchi University Institutional Repository(NCCUR):Item 140.119/35232
English  |  正體中文  |  简体中文  |  Post-Print筆數 : 27 |  Items with full text/Total items : 113318/144297 (79%)
Visitors : 50969946      Online Users : 954
RC Version 6.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
  • Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version
    政大典藏 > College of Commerce > Department of MIS > Theses >  Item 140.119/35232
    Please use this identifier to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/35232


    Title: 企業資訊安全風險評估-以電腦病毒為例
    Authors: 洪裕傑
    Hung,Yu-Chieh
    Contributors: 傅豐玲
    洪裕傑
    Hung,Yu-Chieh
    Keywords: 資訊安全
    病毒
    網路威脅
    弱點管理
    Information Security
    Virus
    Cyber-Threat
    Vulnerability Management
    Date: 2005
    Issue Date: 2009-09-18 14:30:25 (UTC+8)
    Abstract: 隨著網際網路的快速成長,資訊安全已成為企業最重視的議題之一。企業必須保護自己免於網路威脅(Cyber-Threat),不過防止企業免受網際威脅已非易事,這也為企業資訊安全風險埋下了一顆不定時炸彈。換句話說,資訊安全風險是現今企業所面臨的主要挑戰之一,企業資訊安全防護的好壞將直接反應在企業的盈虧上,甚至可能影響到顧客對該企業產品或服務的滿意度等,對企業的殺傷力是不容忽視的。目前的防毒軟體(Anti-Virus)與威脅管理系統(Threat Management System)所能提供的基本功能都是大同小異,其效能也在伯仲之間,但是企業使用的成效則大不相同。因此如何掌握左右企業資訊安全風險的主要影響因子,並根據該影響因子提供企業一套資訊安全策略以解決其所面臨的風險與使得金錢上的損失降到最低,將是改善企業資訊安全風險的關鍵成功因素。
    本研究首先透過與五位企業安全維護有實務經驗的專家訪談,了解資訊安全之重要影響因素並不在於投入防毒軟體的預算金額,反而是企業的資訊安全策略類型,如使用者與資訊安全人員關係型態、資訊安全人員的素質、高階主管對資訊安全政策的支持之類因素更重要。
    接著藉由問卷調查,以國內某著名防毒軟體客戶為樣本,發出1910份郵寄問卷與網路問卷邀請email信,共回收102份有效問卷,回收率5.3%。問卷共分為兩大部份:組織特徵(包括公司背景、過去三年病毒感染情形、防毒系統、資訊安全管理現況)及防毒能力評估(防毒軟體的使用、監控與過濾、追蹤裝置、區隔網路等四類防毒技術的使用,與弱點管理、病毒碼部署、帳號管理、應用程式與網路使用的權限、回應與恢復程序等五類安全程序政策,組織的責任與能力、組織的順從、對教育訓練的重視等三項組織因素)。以「病毒爆發數量」、「病毒爆發影響嚴重性」、「偵測病毒數」與「偵測感染事件事」為應變數,以公司概況及防毒能力評估各變項為自變數進行單因子與多因子變異數分析,分析結果顯示組織大小及防毒軟體的使用、弱點管理、帳號管理等安全程序政策是影響「病毒爆發數量」的重要因素;組織大小、網路管理等組織特徵,防毒軟體的使用、弱點管理、病毒碼部署等安全程序政策及教育訓練等是影響「病毒爆發影響嚴重性」的重要因素;組織大小與防毒軟體的使用、監控與過濾等防毒技術的使用,弱點管理影響「偵測病毒數」的重要因素;組織大小、弱點管理、與教育訓練等是影響「偵測感染事件數」的重要因素。
    本研究藉由分析企業在資訊安全所面臨到的風險,得以建立並發展相關評量的模型,研究結果除了可以提供廠商與設計人員在開發企業資訊安全風險評量時參考的依據,也為後續的相關實證研究提供一些建議的方向。
    Following the growth of the www internet in the latest years, information security has become the most important topic among all enterprise companies. Enterprise companies have to protect themselves from Cyber-Threat, but this is not an easy job at all. That means a hidden bomb has already been planted inside their information systems. In another words, the information security threat is the main challenge that all enterprise companies are facing right now. The performance of the defensive system that an enterprise company is using directly impacts whether this company can have a profit gain or loss; furthermore, this affects the customers’ satisfaction about the company’s products and services. This threat can harm the company and should not be ignored. Right now the basic service that Anti Virus software and Threat Management System can provide and their performance are functionally the same, but the effective factor of how each different companies use them may yield a big difference. Hence, knowing how to control the main factor of the information security threat of the company and knowing how to provide the best and the most secured strategy according to the threat to solve any possible future threat such that the loss of profit can be minimized, will be the most important aspect for an enterprise company to be succeeded.
    This research was conducted by interviewing with five experienced enterprise security maintenance experts at first. From the conservation, we have learned that the main factor of the information security is not depending on the amount of budget that the company has spent on anti-virus software. In fact the strategy type that the company uses for information security is the main reason. This includes the relational model between the users and the information security members, the quality of the information security members, the support of information security strategy from the top manager, and etc. These are more important factors.
    We have then conducted a survey among the customers from one of the famous anti virus software in Taiwan. We have sent out 1910 questionnaire mails and online survey invitation emails, we have collected back 102 copies of valid questionnaires (5.3% of the total). The questionnaire contains two parts: the characteristic of the company (including the background of company, the virus infection situation in the past three years, the anti virus system, the present situation of information security management), and the performance evaluation of the anti-virus system (which one(s) out of the four anti-virus techniques that the current company is applying: using anti-virus software, monitoring and filtering, using some tools for tracing, and the separation of local area network. Which one(s) out of five security process strategies that the company is using: weakness management, virus pattern deployment, account management, permission of using application and network, and response and restore process. And the factor of company: the responsibility and ability, the obedient, and the weight that was put for educational training.) Using the infection number of virus, the impact severity of virus spread, the quantity of detectable virus, and the number of detectable infection events as dependent variables, along with using the situation of company and each items in anti-virus ability evaluation as single factor or multiple factor variant analysis, the analyzed result shows that the size of companies and the security process strategies such as the use of anti-virus software, weakness management, and account management, are the main factors of the infection number of virus. The characteristic of the company such as the size of companies and its network management, the security process strategies such as the use of anti-virus, weakness management, and virus pattern deployment, and the educational training are the main reasons of affecting the severity of virus spread. The size of company, the use of anti virus technique such as the use of anti-virus software and the monitoring and filtering, and weakness management are the main factors of the number of detected virus. The size of company, weakness management, and the educational training are the main factor of the number of events of detected infection.
    According to the analysis of the threat of information security that an enterprise company would face, this research has built and developed a related evaluation model. The result from this research not only can provide a reference for companies and software designers when they evaluate their enterprise information security, but also suggest a new direction for future research.
    Reference: 一、中文部分
    [1] 李順仁,資訊安全,文魁,2003
    [2] “90年度台閩地區電腦應用概論報告”,行政院主計處電子處理資料中心,http://www.dgbas.gov.tw/ct.asp?xItem=1329&ctNode=411,讀取日期:2005/12/31
    [3] “93年電腦應用概況報告”,行政院主計處電子處理資料中心,http://www.dgbas.gov.tw/ct.asp?xItem=14284&CtNode=3545,讀取日期:2005/12/31
    [4] “疾風病毒餘悸猶存!殺手病毒恐將造成另一波重大災情”,某公司,http://www.trendmicro.com/tw/home/enterprise.htm,讀取日期:2006/01/02
    [5]“資訊安全概論”,台灣微軟,http://www.microsoft.com/taiwan/partner/columns/securitysurvey.aspx,讀取日期:2006/01/05
    [6] “賽門鐵克公佈全球行動安全調查研究報告”,賽門鐵克,http://www.symantec.com/region/tw/press/tw_060411.html,讀取日期:2006/05/01
    二、英文部分
    [7] Andreas E. Fielder, “On the Necessity of Management of Information Security”, Northwest, http://www.noweco.com/wp_iso17799e.htm, Access Date: 2006/05/01
    [8] Anat Hovav and John D’Arcy, “The Impact of Virus Attack Announcements on the Market Value of Firms”, Information Systems Security, May/June 2004, pp32-40
    [9] Austin, R.D. and Darby, C.A.R., “The Myth of Secure Computing”, Harvard Business Review, 81(6), June 2003, pp120-126
    [10] Bruce Schneier, “The Process of Security”, http://infosecuritymag.techtarget.com/articles/april00/columns_cryptorhythms.shtml, Access Date: 2005/12/01
    [11] Charles J. Kolodgy, Brian E. Burke, Christian A. Christiansen, Sally Hudson, Laurie A. Seymour, “IDC’s Enterprise Security Survey, 2004”, IDC, 2004
    [12] Chen, T.M. “Trends in Viruses and Worms”, The Internet Protocol Journal, 6(3), 2003, pp23-33
    [13] Computer Security Update, Internal Attacks Suppassing External Attacks at Firms, Worldwide Videotex, 2005
    [14] Cybertrust Corporation, “Cybertrust Anti-Virus Practice Guide”, Cybertrust Corporation, 2004
    [15] Ettredge, M. and V.J. Richardson, “Assessing the Risk in E-Commerce”, Proceedings of the 22nd International Conferenceon Information Systems, 2001
    [16] Frank Cervone, “Understand the Big Picture so You Can Plan for Network Security”, Computers in Libraries, 25(3), 2005, pp10-14
    [17] Glover, S., S. Liddle, et al. Electronic Commerce: Security, Risk Management, and Control. Prentice-Hall.
    [18] Gokhan Gercek, Ph.D. and Naveed Saleem , Ph.D. “Securing Small Business Computer Networks: An Examination of Primary Security Threat and Their Solutions”, Telecommunications, Network, and Internet Security, July/August 2005, pp18-28
    [19] Gordon, L.A., M.P. Loeb, et al. “A Framework for Using Insurance for Cyber-Risk Management.” Communications of the ACM , 46(3), 2003, pp81-85
    [20] Gordon, L.A. and M.P. Loeb, “The Economics of Information Security Investment”, ACM Transactions on Information and System Security, 5(4), pp438-457, 2002
    [21] Harold F. Tipton, Micki Krause, Information Security Management Handbook 5th Edition, Auerbach publications, 2004
    [22] Hindocha, N., “Threats to Instant Messaging”, Symantec White Paper, 2002
    [23] Hovav, A. and J. D’Arcy, “The Impact of Denial-of-Service Announcement on the Market Value of Firms”, Risk Management and Insurance Review, 6(2), 2003, pp97-121
    [24] Joe Licari, “Securing the Information Workplace: Managing Threats to Enterprise E-Mail, IM, and Document Sharing Environments”, Telecommunications, Network, and Internet Security, September/October 2005, pp45-49
    [25] Kelly, B.J., “Preserve, Protect, and Defend”, Journal of Business Strategy, Sep-Oct, 1999, pp22-26
    [26] Ken Dunham, “Battling the Bots”, Information System Security, May-June, 2005, pp6-9
    [27] Kimball Fisher, Mareen Duncan Fisher, The Distributed Mind: Achieving High Performance Through the Collective Intelligence of Knowledge Work Team, AMACOM, 1997
    [28] Larry Bridwell, “Computer Virus Prevalence Survey”, ICSA Lab, 2004
    [29] Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson, “CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, 2004
    [30] Lemos, R., “The Computer Virus – No Cures to be Found”, CNET News.com, November 25, 2003, http://zdnet.com.com/2100-1105-5111442.html, Access Date: 2006/01/09
    [31] Matunda Nyanchama and Marc Stefaniu, “Analyzing Enterprise Network Vulnerabilities”, Information Systems Security, 12(2), 2003, pp44-49
    [32] Montana, J.C., “Viruses and the Law: Why the Law is Ineffective”, The Information Management Journal, 34(4), 2000, pp57-60
    [33] Power R., “CSI/FBI Computer Crime and Security Survey”, Computer Security Issues and Trends, 7(1), 2001, pp1-18
    [34] Power R., “CSI/FBI Computer Crime and Security Survey”, Computer Security Issues and Trends, 9(1), 2003, pp1-20
    [35] Salierno, D. “Manager Fail to Address E-Risk”, The Internal Auditor, April 2001
    [36] Salkever, A. “Who Pays When Business Is Hacked?”, Business Week, http://www.businessweek.com/bwdaily/dnflash/may2000/nf00523d.htm, Access Date: 2005/12/10
    [37] Steven Drew, “Reducing Enterprise Risk with Effective Threat Management”, Information Security Management, January/February 2005, pp37-42
    [38] Stone, J. and Merrion, S., “Features: Instant Messaging or Instant Headache?”, ACM Queue, 2(2), April, 2004
    [39] Tim Grance, Joan Hash, and Marc Stevens, “Security Considerations in the Information System Development Life Cycle”, NIST Special Publication 800-64, Oct., 2003
    [40] “CERT/CC Statistics 1988-2005”, CERT/CC, http://www.cert.org/stats/cert_stats.html, Access Date: 2005/12/05
    [41] “Control Management”, Trend Micro, http://www.trendmicro.com/en/products/management/tmcm/evaluate/overview.htm, Access Date: 2006/04/30
    [42] “Managing Collective Intelligence – Toward a New Corporate Governance”, Axioplole, http://www.axiopole.com/en/index_en.html, Access Date: 2006/04/15
    [43] “People, Process and Technology: Foundation for Effective Incident Handling”, LURHQ, http://www.lurhq.com, Access Date: 2005/07/08
    Description: 碩士
    國立政治大學
    資訊管理研究所
    93356035
    94
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0093356035
    Data Type: thesis
    Appears in Collections:[Department of MIS] Theses

    Files in This Item:

    File Description SizeFormat
    35603501.pdf73KbAdobe PDF2743View/Open
    35603502.pdf107KbAdobe PDF2747View/Open
    35603503.pdf123KbAdobe PDF2819View/Open
    35603504.pdf87KbAdobe PDF2838View/Open
    35603505.pdf176KbAdobe PDF2985View/Open
    35603506.pdf233KbAdobe PDF22022View/Open
    35603507.pdf181KbAdobe PDF2952View/Open
    35603508.pdf395KbAdobe PDF2807View/Open
    35603509.pdf162KbAdobe PDF2907View/Open
    35603510.pdf61KbAdobe PDF2878View/Open
    35603511.pdf164KbAdobe PDF2935View/Open
    35603512.pdf85KbAdobe PDF2802View/Open


    All items in 政大典藏 are protected by copyright, with all rights reserved.


    社群 sharing

    著作權政策宣告 Copyright Announcement
    1.本網站之數位內容為國立政治大學所收錄之機構典藏,無償提供學術研究與公眾教育等公益性使用,惟仍請適度,合理使用本網站之內容,以尊重著作權人之權益。商業上之利用,則請先取得著作權人之授權。
    The digital content of this website is part of National Chengchi University Institutional Repository. It provides free access to academic research and public education for non-commercial use. Please utilize it in a proper and reasonable manner and respect the rights of copyright owners. For commercial use, please obtain authorization from the copyright owner in advance.

    2.本網站之製作,已盡力防止侵害著作權人之權益,如仍發現本網站之數位內容有侵害著作權人權益情事者,請權利人通知本網站維護人員(nccur@nccu.edu.tw),維護人員將立即採取移除該數位著作等補救措施。
    NCCU Institutional Repository is made to protect the interests of copyright owners. If you believe that any material on the website infringes copyright, please contact our staff(nccur@nccu.edu.tw). We will remove the work from the repository and investigate your claim.
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - Feedback