
Information Security Awareness (資訊安全認知)
Ruey-shiang Shaw (蕭瑞祥)
General Secretary, CSIM
Chairman, IM, Tamkang University
2006.09.29


Elicitation of Research Topics

Information Security Awareness

National Information Security Project

ING Information Security Project


Information Security Platform

Information Technology, Learning, and Performance Journal


Problems

• Why does ING need the information security platform?

• What are the differences between e-learning and the information security platform?


Systems Development in Information Systems Research

JAY F. NUNAMAKER, JR., MINDER CHEN, and TITUS D. M. PURDIN
Journal of Management Information Systems, Winter 1990-91, Vol. 7, No. 3, pp. 89-106.


The Integrated Framework of Information Security Awareness

Information Security Awareness Platform

Evaluation of Organizational Information Security Awareness

Materials and Methods for Information Security Awareness


Situation Awareness

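[Figure: model of situation awareness; labels translated from Chinese]

• Situation awareness: Level 1, perception of elements; Level 2, understanding of the current situation; Level 3, prediction of the future
• Other elements: state of the environment, decision, performance of actions
• Task or system factors: system capability, interface design, stress/workload, complexity, automation
• Individual factors: goals, expectations, abilities, experience, training, information processing mechanisms, long-term memory, automaticity

Endsley, M.R. and Garland, D.J. (Eds.) (2000). Situation Awareness Analysis and Measurement. Mahwah, NJ: Lawrence Erlbaum Associates.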


Research Design

What is your opinion?


The Evaluation Form of Information Security Awareness

PART I: Laws and Regulations

1.1 Laws and Regulations

1.1.1 I understand the meaning of ‘the basic policy structure for IT security in the Federal government’ in the concept of ‘Laws and Regulations.’

1.2 Policies and Procedures

1.2.1 I understand the meaning of ‘IT security safeguards are intended to achieve specific control objectives’ in the concept of ‘Policies and Procedures.’

1.2.2 I understand the meaning of ‘procedures define the technical and procedural safeguards that have been implemented to enforce the specified policies’ in the concept of ‘Policies and Procedures.’


NIST SP800-16

ABC’s OF INFORMATION TECHNOLOGY SECURITY

A Assets – Something of value requiring protection (hardware, software, data, reputation)

B Backup – The three most important safeguards – backup, backup, backup

C Countermeasures and Controls – Prevent, detect, and recover from security incidents

D DAA and Other Officials – Manage and accept risk and authorize the system to operate

E Ethics – The body of rules that governs an individual’s behavior.

F Firewalls and Separation of Duties – Minimize the potential for “incident encroachment”

G Goals – Confidentiality, Integrity, and Availability (CIA)


Research Design

What is your opinion?


Conclusion

• Research topics elicited from projects.

• Extended to an integrated framework.

• Referred to other research fields.

• Be skillful at research methodologies.