探討員工舉發資訊安全違規事件之意圖研究

Abstract

近年來資訊安全事件層出不窮。許多企業組織因資料外洩而蒙受鉅額損失。追究其原因，發現內部人員行為是非常關鍵的一環。現今已有諸多的內部控制制度(例如:資訊存取權限控管、電腦監控、教育訓練等)被廣泛使用來對抗組織內部的員工疏失與惡意犯罪行為。然而，沒有一個對策手段能夠百分之百地防範所有潛藏的違規事件。有的時候，違規事件的發現者會是組織內部的其他成員，因此組織需要倚賴這些人的揭弊才能夠及早修正會侵害到組織資訊安全的不當行為。為了探討影響員工舉發資訊安全違規事件之意圖，本研究以一般計畫行為理論與理性選擇理論為基礎，歸納出組織層次與個人層次上影響舉發態度與意圖之因素。研究結果發現組織與個人層次的利弊考量皆會影響舉發態度的形塑過程，進而提升了我們在應用員工舉發於對抗組織內部資訊安全違規事件上的認知。

Insider abuse has always been a significant threat to information security management in organizations. In order to address this issue, this research proposes whistleblowing as another complementary measure to other existent approaches to strengthen the internal information security management. In particular, we focus on an investigation of employee intention to whistle-blow information security policy (ISP) violation. Drawing on the theory of planned behavior and rational choice theory, we develop a theoretical model to understand the factors at both organizational and individual levels that influence whistleblowing attitude and whistleblowing intention. Through a survey-based empirical test, we discover that both altruistic and egoistic concerns are involved in the development of whistleblowing attitudes. The results not only extend our understanding of whistleblowing motivation but also offer managers directions to promote disclosure of internal security breach.