Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/92562
Full metadata record
DC field: value (language)
dc.contributor.advisor: 許文馨 (zh_TW)
dc.contributor.advisor: Wen-Hsin Hsu (en)
dc.contributor.author: 陳暉叡 (zh_TW)
dc.contributor.author: Hui-Jui Chen (en)
dc.date.accessioned: 2024-04-16T16:13:45Z
dc.date.available: 2024-04-17
dc.date.copyright: 2024-04-16
dc.date.issued: 2024
dc.date.submitted: 2024-04-12
dc.identifier.citation:
  Arkhypov, O., & Skyba, A. (2014). Methods and Approaches to Investigating Information Risks by Means of Economic Cost Models. The Advanced Science Journal, 2(12), 75-82.
  Baryshnikov, Y. (2012). IT Security Investment and Gordon-Loeb's 1/e Rule. WEIS.
  Becker, G. S. (1968). Crime and Punishment: An Economic Approach. Journal of Political Economy, 169-217.
  Befring, A. (2021). Norwegian Biobanks: Increased Complexity with GDPR and National Law. GDPR and Biobanking: Individual Rights, Public Interest and Research Regulation across Europe, 323-334.
  Cissé, S. (2023, November 30). France - Data Protection Overview. Retrieved from OneTrust Data Guidance: https://www.dataguidance.com/notes/france-data-protection-overview
  Commission Nationale de l'Informatique et des Libertés. (2020, November 18). Délibération SAN-2020-008 du 18 novembre 2020. Retrieved from Légifrance: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042563756
  Cory, N., Elysse, D., & Castro, D. (2020). The role and value of standard contractual clauses in EU-US digital trade. Information Technology and Innovation Foundation.
  Daigle, B., & Khan, M. (2022). The Changing Tides of Data Protection Regulation and Enforcement in Europe. Office of Industries, US International Trade Commission.
  Ermicioi, N., & Liu, X. (2021). An Interdisciplinary Study of Cybersecurity Investment in the Nonprofit Sector. American Journal of Management, 21(5), 39-50.
  European Commission. (2015, December 15). Agreement on Commission's EU data protection reform will boost Digital Single Market. Brussels, Belgium. Retrieved from https://ec.europa.eu/commission/presscorner/detail/en/IP_15_6321
  FAIR Institute. (2024, February). FAIR Risk Management. Retrieved from FAIR Institute: https://www.fairinstitute.org/fair-risk-management
  Fang, Z., Xu, M., Xu, S., & Hu, T. (2021). A framework for predicting data breach risk: Leveraging dependence to cope with sparsity. IEEE Transactions on Information Forensics and Security.
  GDPR.EU. (2019). 2019 GDPR Small Business Survey. Proton Technologies AG.
  Gordon, L., & Loeb, M. (2002). The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5(4), 438-457.
  Heal, G., & Kunreuther, H. (2003). Interdependent security. Journal of Risk and Uncertainty.
  Information Commissioner's Office. (2020, October 16). PENALTY NOTICE Section 155, Data Protection Act 2018. Retrieved from Information Commissioner's Office: https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf
  Invicti Security Corp. (2018, April 12). Netsparker Surveys US Based C-Levels on GDPR Compliance. Retrieved from Invicti: https://www.invicti.com/blog/web-security/gdpr-compliance-2018-survey-results/
  Ke, T., & Sudhir, K. (2023). Privacy rights and data security: GDPR and personal data markets. Management Science, 4389-4412.
  Koski, H., & Valmari, N. (2020). Short-term Impacts of the GDPR on Firm Performance. ETLA Working Papers(77).
  Latham & Watkins LLP. (2023, December). GDPR Derogations Tracker. Retrieved from GDPR Resource Center: https://gdpr.lw.com/Home/Derogations
  Linden, T., Khandelwal, R., Harkous, H., & Fawaz, K. (2018). The Privacy Policy Landscape After the GDPR. arXiv preprint arXiv:1809.08396.
  Mc Cullagh, K., Tambou, O., & Bourton, S. (2019). National Adaptations of the GDPR. Blogdroiteuropéen.
  Polinsky, A., & Shavell, S. (1979). The Optimal Tradeoff between the Probability and Magnitude of Fines. The American Economic Review, 880-891.
  Polinsky, A., & Shavell, S. (2000). The Economic Theory of Public Enforcement of Law. Journal of Economic Literature, 45-76.
  Saxena, A. (2023, October 4). Budgeting for GDPR: How Much Does a GDPR Compliance Cost? Retrieved from Sprinto: https://sprinto.com/blog/gdpr-compliance-cost/
  Seo, J., Kim, K., Park, M., Park, M., & Lee, K. (2018). An analysis of economic impact on IoT industry under GDPR. Mobile Information Systems, 1-6.
  Shinoda, S., & Matsuura, K. (2016). Empirical investigation of threats to loyalty programs by using models inspired by the Gordon-Loeb formulation of security investment. Journal of Information Security, 7(2), 29-48.
  Wang, J., Neil, M., & Fenton, N. (2020). A Bayesian network approach for cybersecurity risk assessment implementing and extending the FAIR model. Computers & Security, 89.
  Willemson, J. (2006). On the Gordon & Loeb model for information security investment. WEIS.
  Young, D., Lopez, J., Rice, M., Ramsey, B., & McTasney, R. (2016). A framework for incorporating insurance in critical infrastructure cyber risk strategies. International Journal of Critical Infrastructure Protection, 14, 43-57.
  Zanker, M., Bures, V., Cierniak-Emerych, A., & Nehez, M. (2021). The GDPR at the organizational level: a comparative study of eight European countries. E & M Ekonomie a Management, 207-222.
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/92562
dc.description.abstract (zh_TW): The General Data Protection Regulation (GDPR) is the European Union's regulatory framework for the collection and processing of personal data within its territory, and it applies to the personal data of residents of all EU member states and other European countries. The GDPR defines personal data broadly and also applies to businesses outside the EU that collect the personal data of EU residents. Since an entity that violates the regulation faces a fine of up to 4% of annual turnover or 20 million euro, companies need to weigh the costs and benefits of compliance. However, the upper limit of the fines alone does not fully describe the GDPR's impact on personal data regulation or the considerations behind investing in compliance.
This thesis draws on cases of GDPR violations involving data subject rights and insufficient security measures to discuss the enforcement process and its financial impact, compiles the penalty cases from the first four years after the regulation took effect (2018 to 2021), and then uses the Gordon-Loeb model to estimate the cost of compliance. The Gordon-Loeb model is an economic model of information security investment that describes how a firm balances and optimizes its security risk against its investment cost. Under the 37% rule of the Gordon-Loeb model, the risk that a company subject to the GDPR is penalized without having invested in security falls between 60% and 80%, and the penalties range from 100,000 euro (small companies) to 4 million euro (large companies), indicating that the GDPR enforcement environment is relatively strict and is taken seriously by the companies to which it applies.
dc.description.abstract (en): The General Data Protection Regulation (GDPR) is a European Union regulation that regulates the processing of personal data of residents of the European Union and several other European countries. It features a broader definition of personal data and requires compliance from entities regardless of their country of origin as long as they process European personal data. As noncompliant entities can be subject to penalties up to the greater of 20 million Euro or 4% of their annual turnover, assessment of compliance cost is salient to every commercial enterprise that makes direct or indirect use of European personal data. However, the upper limit of the fines does not provide a complete description of the enforcement environment or of the risk calculations involved in investing in GDPR compliance.
This thesis makes use of several actual examples of GDPR violations involving insufficient fulfillment of data subject rights and insufficient technical measures of data processing (data breach) in order to illustrate the enforcement process, the nature of the violations, and the financial impacts on the violators. It then estimates the compliance cost using the Gordon-Loeb model, an economic model of a firm's optimization decision on cybersecurity risks and investment. It is determined that under the Gordon-Loeb model's 37% rule, the compliance spending among the companies would imply a 60% to 80% ex ante vulnerability. The high ex ante vulnerability, coupled with the penalty of around 100,000 Euro for small firms and 4,000,000 Euro for large firms, is indicative of a rigorous enforcement environment that warrants serious attention by companies.
dc.description.provenance (en): Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2024-04-16T16:13:45Z. No. of bitstreams: 0
dc.description.provenance (en): Made available in DSpace on 2024-04-16T16:13:45Z (GMT). No. of bitstreams: 0
dc.description.tableofcontents:
  Acknowledgement i
  中文摘要 ii
  Abstract iii
  Contents iv
  List of Figures vi
  List of Tables vii
  Chapter 1 Introduction 1
  1.1 Motivation 4
  1.2 Research Question 5
  1.3 Methodology 5
  Chapter 2 Literature Review 6
  2.1 Gordon-Loeb Model 7
  2.2 Interdependent Security Problem 13
  2.3 Modeling of Security Breach Probability 15
  2.4 Assessing the Impact of GDPR 17
  Chapter 3 Cases 19
  3.1 Carrefour France (2020) 19
  3.2 British Airways (2020) 22
  Chapter 4 Model 27
  4.1 Modification of Gordon-Loeb Model 27
  4.2 Compliance Cost 31
  Chapter 5 Data 33
  5.1 GDPR Enforcement Tracker 33
  5.2 Summary Statistics 35
  5.3 GDPR Expenditure 43
  Chapter 6 Analysis 46
  6.1 Economic Impact 46
  6.2 Variation among Countries 49
  Chapter 7 Conclusion 51
  7.1 Key Findings 51
  7.2 Recommendations and Limits 53
  References 55
  Appendix A GDPR Description 59
  A.1 GDPR Articles 59
  A.2 GDPR Adoption in European Countries 67
dc.language.iso: en
dc.subject: Gordon-Loeb model (zh_TW)
dc.subject: General Data Protection Regulation (zh_TW)
dc.subject: legal compliance (zh_TW)
dc.subject: legal compliance (en)
dc.subject: GDPR (en)
dc.subject: Gordon-Loeb model (en)
dc.title: A Study of Compliance Investment under the EU General Data Protection Regulation (zh_TW)
dc.title: Modeling the Investment Decision in the General Data Protection Regulation (GDPR) Compliance (en)
dc.type: Thesis
dc.date.schoolyear: 112-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 堯里昂; 鄭名道 (zh_TW)
dc.contributor.oralexamcommittee: Leon van Jaarsveldt; Ming-Daw Cheng (en)
dc.subject.keyword: General Data Protection Regulation, Gordon-Loeb model, legal compliance (zh_TW)
dc.subject.keyword: GDPR, Gordon-Loeb model, legal compliance (en)
dc.relation.page: 74
dc.identifier.doi: 10.6342/NTU202400839
dc.rights.note: Authorized for release (access restricted to campus)
dc.date.accepted: 2024-04-15
dc.contributor.author-college: College of Management
dc.contributor.author-dept: Global MBA Program
Appears in Collections: College of Management, Global MBA Program

Files in This Item:
File: ntu-112-2.pdf (1.24 MB, Adobe PDF)
Access is restricted to NTU campus IP addresses (use the VPN service when connecting from off campus).