As the concept of information security management has gradually gained attention, information security risk assessment has become the first essential step in promoting security management. How to use limited resources most effectively to implement security controls so that an organization operates at an acceptable level of security risk loss is an important strategic decision problem, yet related research is scarce. This study therefore reviews the literature on risk analysis and risk management, introduces the concept of quantitative risk analysis into information security strategy decisions, and proposes a decision model for planning security controls. The conditional risk concept proposed by Uryasev (2000) is applied to construct this security strategy decision model, so that when an enterprise evaluates potential losses it has clearer decision choices, reduces its losses, and makes appropriate management decisions in information security management. In the future we hope to apply this model in real enterprise security control planning processes to further demonstrate its feasibility.

Information security management has become an important issue in many organizations. The fundamental work of information security management is to assess security risk and implement information security controls that reach an acceptable security level. However, only a few related studies have been done so far. In this thesis, we apply the concept of conditional value-at-risk (CVaR) proposed by Uryasev (2000) to create a quantitative decision model for the selection of information security controls. In the decision process, both the acceptable risk and the security cost are considered. Using the model, decision makers can make a more appropriate decision that minimizes their information security cost according to the risk or loss they can bear. Our case study demonstrates that the proposed model has the potential to become very useful in practice and to lead to further generalization of information security decision analysis.
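To make the abstract's core idea concrete, the following added example (not code from the thesis, and not a reproduction of its specific formulation) shows a CVaR-based control-selection model in the spirit of Rockafellar and Uryasev: given a discrete set of loss scenarios, compute value-at-risk and conditional value-at-risk at a confidence level α, apply candidate controls that shrink the loss in particular scenarios, and choose the cheapest set of controls whose CVaR stays within the loss the organization says it can bear. All scenario probabilities, loss figures, control names, costs and loss-reduction factors are constructed for illustration; the exhaustive subset search is a simplification of the optimization the thesis would use.

```python
"""CVaR-based selection of security controls (added illustration, constructed data)."""
from itertools import combinations

ALPHA = 0.95  # confidence level for VaR / CVaR

# Constructed annual loss scenarios: (name, probability, loss with no controls in place)
SCENARIOS = [
    ("no incident", 0.90, 0.0),
    ("phishing credential theft", 0.06, 100.0),
    ("ransomware outbreak", 0.03, 500.0),
    ("customer data breach", 0.01, 2000.0),
]

# Constructed controls: annual cost and, per scenario, the fraction of loss that REMAINS
# after the control is deployed (scenarios not listed are unaffected).
CONTROLS = {
    "mfa": (40.0, {"phishing credential theft": 0.2, "customer data breach": 0.5}),
    "offline backups": (60.0, {"ransomware outbreak": 0.2}),
    "dlp": (120.0, {"customer data breach": 0.25}),
}


def residual_losses(selected):
    """Loss distribution after the selected controls; reductions on one scenario multiply."""
    dist = []
    for name, prob, loss in SCENARIOS:
        factor = 1.0
        for control in selected:
            factor *= CONTROLS[control][1].get(name, 1.0)
        dist.append((prob, loss * factor))
    return dist


def value_at_risk(dist, alpha):
    """Smallest loss whose cumulative probability reaches alpha."""
    cumulative = 0.0
    for prob, loss in sorted(dist, key=lambda t: t[1]):
        cumulative += prob
        if cumulative >= alpha - 1e-12:
            return loss
    return max(loss for _, loss in dist)


def cvar(dist, alpha):
    """Rockafellar-Uryasev form: CVaR = VaR + E[(L - VaR)^+] / (1 - alpha)."""
    var = value_at_risk(dist, alpha)
    excess = sum(prob * max(loss - var, 0.0) for prob, loss in dist)
    return var + excess / (1.0 - alpha)


def expected_loss(dist):
    return sum(prob * loss for prob, loss in dist)


def portfolio_cost(selected):
    return sum(CONTROLS[control][0] for control in selected)


def select_controls(max_cvar, alpha=ALPHA):
    """Cheapest control set whose CVaR does not exceed the tolerable loss.

    Returns (controls, cost, cvar) or None if no subset meets the tolerance.
    """
    best = None
    names = sorted(CONTROLS)
    for size in range(len(names) + 1):
        for subset in combinations(names, size):
            risk = cvar(residual_losses(subset), alpha)
            if risk <= max_cvar:
                cost = portfolio_cost(subset)
                if best is None or cost < best[1]:
                    best = (subset, cost, risk)
    return best


if __name__ == "__main__":
    base = residual_losses(())
    print(f"baseline: E[loss]={expected_loss(base):.1f}  CVaR_{ALPHA}={cvar(base, ALPHA):.1f}")
    choice = select_controls(max_cvar=300.0)
    if choice:
        controls, cost, risk = choice
        print(f"cheapest set within tolerance: {controls} cost={cost:.1f} CVaR={risk:.1f}")
```

With these numbers the uncontrolled CVaR at 95% is 720 although the expected loss is only 41, which is exactly why a tail-risk measure rather than the mean drives the choice; a tolerance of 300 is met most cheaply by MFA plus offline backups (cost 100, CVaR 264), while a single control alone cannot reach it.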