Author (English): Wen-Wei Chao
Thesis title: A Study on the Factors Influencing Organization Members' Information Security Behavior Intention - The Case of the Courts
Thesis title (English): A Study on the Influencing Factors of Employee's Information Security Behavior Intention - Taking the Court as an Example
Advisor (English): Hsi-Jui Wu
Oral defense committee (English): Cheng-I Chu
Dauw-Song Zhu
Keywords (English): Degree of Information Security Control; Theory of Planned Behavior; Organizational Climate; Information Security Behavior Intention
The development of information technology has changed people's habits and attitudes in using data. While people enjoy the convenience and advantages of information technology, they also face information security problems, such as the risk of computer viruses. Strengthening information security management within the organization is therefore the basic guarantee of information security.

Within an organization, people are an important asset and also a key factor in information security. If the members of an organization are unable to understand or comply with information security behavior, they become a major threat to, and vulnerability in, the organization's information security defenses. This research therefore uses the degree of information security control and the theory of planned behavior as the theoretical basis for explaining “organization members' intention to comply with information security behavior”, and uses organizational climate to investigate the influence between “the theory of planned behavior” and “organization members' intention to comply with information security”. The purpose of this study is to explore information security behavior intention through an empirical method, in the hope of helping government agencies with information security policy promotion and information security management operations.

The employees of the domestic Section Court were the research subjects. The study draws on “Degree of Information Security Control” and the “Theory of Planned Behavior” to identify what influences users' behavior intention to comply with information security. The survey results showed that “Degree of Information Security Control” has a positive relationship with “Attitude”, “Subjective Norm” and “Perceived Behavioral Control”. These three items, “Attitude”, “Subjective Norm” and “Perceived Behavioral Control”, also have a positive relationship with information security behavior intention. Second, the moderation analysis of organizational climate showed both significant and non-significant effects of its four facets, “Employee-Oriented Leadership”, “Human Communication”, “Procedure Norm” and “Responsibility Trend” (responsibility ethos), with respect to “Attitude”, “Subjective Norm”, “Perceived Behavioral Control” and “Information Security Behavior Intention”. Therefore, besides contributing to the practical aspects of information security management for government agencies, the study also helps in understanding what affects organization members' information security behavior intention, so that the hazards caused by information security events can be avoided.
Chapter 1 Introduction
Section 1 Research Background and Motivation
Section 2 Research Purpose and Research Questions
Section 3 Research Process
Chapter 2 Literature Review
Section 1 Information Security
Section 2 Behavioral Theory Models
Section 3 Organizational Climate
Chapter 3 Research Methods
Section 1 Research Subjects
Section 2 Research Framework
Section 3 Research Hypotheses
Section 4 Research Variables and Operational Definitions
Section 5 Validity and Reliability of the Measurement Model
Section 6 Data Analysis Methods and Tools
Chapter 4 Research Results and Analysis
Section 1 Analysis of Basic Sample Data
Section 2 Reliability and Validity Analysis
Section 3 Overall Model Testing
Section 4 Moderation Analysis of the Research Framework
Section 5 Research Results
Chapter 5 Conclusions and Recommendations
Section 1 Research Conclusions
Section 2 Research Contributions and Managerial Implications
Section 3 Research Limitations
Section 4 Research Recommendations
