The purpose of this study is to use the 26 concepts of the "ABC's of Information Technology Security" proposed in NIST (National Institute of Standards and Technology) Special Publication 800-16 as the basis for developing an Information Security Awareness Scale, which measures whether respondents understand the basic meaning and content of each information security concept. After a series of scale-design steps (questionnaire design, development of the item pool with the Delphi method, drafting of the scale, and a survey of and interviews with domestic experts), the scale was administered in four different units and the results were analyzed to gauge the differences in information security awareness and to verify the scale's applicability. The study's findings are as follows: (1) personnel who have received information-security-related training differ to a certain degree in their level of information security awareness from those who have not, and different kinds of information security training also differ in effectiveness, which senior management must take seriously; (2) awareness is divided into three levels (low, medium and high), so an organization can carry out a further stage of promotion and reinforcement for the concepts whose awareness is at the low or medium level, or use them as the content of training materials; (3) the difficulty of each scale item was analyzed, so that when the scale is administered in the future, items of different difficulty can be selected for measurement; most of the items added during the individual expert interviews were of moderate difficulty, meeting the applicability requirement. Because there is currently little academic literature on this topic, either domestically or abroad, this study can serve to measure the level of information security awareness of a unit's personnel, provide a reference basis for introducing future information security training, and evaluate how much personnel's awareness has improved after receiving information security training.
Today enterprises and organizations around the world depend more and more on Information Technology, which leads managers to attach great importance to Information Security issues. More and more enterprises and organizations are now introducing Information Security standards or management systems. Standards such as BS7799 and COBIT examine the Confidentiality, Integrity, and Availability of Information Security from the perspective of the "organization". However, Information Security incidents still emerge in an endless stream, and most of them result from the intentional or unintentional actions of internal staff. The Information Security literature today lacks the notion of taking "people" as the starting point, and little research has measured the level of Information Security Awareness of personnel in an enterprise with a scale in order to improve it.
Taking the twenty-six concepts of the "ABC's of Information Technology Security" in NIST Special Publication 800-16 as the basis for developing an Information Security Awareness Scale, this study measures whether people know the basic meaning of the Information Security concepts and at the same time verifies the applicability of the scale. After a series of scale-design steps, namely questionnaire design, development of the items with the Delphi Method, establishment of the first edition of the scale, and a survey of and interviews with domestic experts, we administered the scale in four different units and analyzed the results, verifying the scale's applicability from the testees' responses in order to understand their discrepancies in Information Security knowledge. After verification, this research reveals the following. (1) Depending on whether or not staff have taken Information Security related training, their level of Information Security knowledge differs to some extent, and different trainings have different effects on the staff; therefore, high-ranking managers must take their subordinates' knowledge level in this respect seriously. (2) The level is marked off into three ranks: low, middle, and high. The organization can target the concepts at the middle and lower grades for another phase of advocacy and reinforcement, or use them as training materials. (3) The degree of difficulty of the scale items is analyzed, so that in future testing based on this scale, questions of different difficulty levels can be chosen for the tests; most of the supplementary questions added in the individual interviews with experts are of middle difficulty, which conforms to the applicability requirement. Since references in this area are lacking, the scale can be used to measure the level of Information Security Awareness of staff in a department, supports the basis for conducting Information Security training in the future, and can verify the degree of effect on people after they have taken Information Security training.