Author: Wun-Rong Li (李汶融)
Thesis title: A study on the Relevance between Corporate Governance and ISO/IEC27001 to Information Security Breaches (公司治理及ISO/IEC27001 對資訊安全事件關聯性之探討)
Advisor: I-Cheng Chang (張益誠)
Oral examination committee: Chia-Ling Lee (李佳玲), Chia-Hui Chen (陳家慧)
Degree: Master's
Institution: National Dong Hwa University (國立東華大學)
Department: Master's Program in Accounting and Finance (會計與財務碩士學位學程)
Student ID: 610538010
Year of publication (ROC calendar): 107
Academic year of graduation: 106
Language: Chinese
Number of pages: 58
Keywords: Information Security; ISO/IEC27001; Corporate Governance
In recent years, with the continuous development of information technology and the Internet, related applications have not only spread throughout our daily lives but have also brought breakthrough changes to the operation of enterprises. From daily transactions to the planning of overall business strategy, information technology and the Internet have become an indispensable part of the overall development of enterprises. The water that bears the boat is the same that swallows it up. As major enterprises depend more heavily on information technology and the Internet, information security has become one of the many risks they must face. Early studies on information security focused mostly on technical issues. However, after the Sarbanes-Oxley Act was passed, studies on information security in recent years have gradually shifted their focus to management issues. Therefore, this study uses empirical analysis to explore the effectiveness of obtaining ISO/IEC 27001 certification and of corporate governance for information security management. The results show that obtaining ISO/IEC 27001 certification has no significant impact on information security management. However, when the board is larger and the attendance rate of directors at board meetings is higher, there is a significant impact on information security management, while the ratio of independent directors and the number of board meetings have no significant impact on information security management. The results of this study can help enterprises assess the impact of ISO/IEC 27001 certification and board functions on information security management.
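I. Introduction
Section 1: Research Background
Section 2: Research Motivation and Objectives
II. Literature Review
Section 1: Information Security
Section 2: ISO/IEC 27001
Section 3: Corporate Governance
III. Research Design and Methods
Section 1: Research Hypotheses
Section 2: Research Method
Section 3: Research Data and Period
Section 4: Definition of Research Variables
IV. Empirical Results and Analysis
Section 1: Descriptive Statistics and Correlation Analysis
Section 2: Logistic Regression Model Analysis
V. Conclusions and Recommendations
Section 1: Research Findings and Contributions
Section 2: Research Limitations and Suggestions
References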