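Based on ISO27001, this study examines how the organizational, job, and personal characteristics of information professionals in the financial industry shape and influence their views, after an information security management system has been implemented, on the necessity of implementing information security policies, the extent to which workloads increase or decrease, and the actual improvement in information security. Data were collected by questionnaire, with financial professionals assisting in a two-phase questionnaire design and pretest, and were analyzed using statistical methods including descriptive statistics, one-way ANOVA, and mean analysis. The results show that, after an enterprise implements information security, information professionals' "company industry", "company size", and "educational background" show significant differences in the "degree of necessity of implementation"; their "company industry", "whether the company has obtained ISO27001", "job type", and "gender" show significant differences in the "extent of workload increase or decrease" after implementation; and their "company size" and "educational background" show significant differences in the "degree of information security improvement". Moreover, across all information security clauses except "asset management", information professionals agree that the "degree of necessity of implementation" is higher than the "degree of information security improvement", which in turn is higher than the "extent of workload increase or decrease".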
Information security is without doubt the most important part of today's financial industry. As information technology advances, computer technology improves, and hacking skills spread quickly, enterprises are constantly busy solving information security problems. Information security is no longer a label with which enterprises show their added value, but basic equipment within the enterprise. The income of the financial industry is affected by the losses that information security problems cause. The financial industry therefore increases the proportion of its spending on information security year by year, yet more and more information security issues still arise. These issues have shifted from external attacks to theft by internal employees. The economic recession caused by the financial crisis has led enterprises to lay off employees since last year. This has produced a shortage of information manpower and, even worse, departing employees carry their employer's confidential information away. Some of them then use the stolen data at their new companies. This has a huge impact on enterprises' ability to compete and operate, so enterprises have a stronger need for information security. Along with the progress of information technology, information professionals' workloads and mental pressure have multiplied. As these two factors interact, the efficiency of information security work is falling.
This research, based on the ISO27001 standard, discusses how, in the financial industry, the organization types, position types, and personal characteristics of Information Professionals shape and influence their views on the necessity of information security policies, the extent of increasing workloads, and the level of improvement in information security after information security management systems are implemented. The data were collected with a questionnaire developed for this research, with financial professionals assisting in its two-phase design and pretesting, and were analyzed with statistical methods such as descriptive statistics, One-way ANOVA, and mean analysis. The results show that, after the information security policies are implemented, there are significant differences among Information Professionals: "The Company's Industry", "The Company's Size", and "The Educational Background" show significant differences in the factor "Whether the Company Needs to Implement Information Security Policies Or Not"; "The Company's Industry", "If the Company Gets a ISO27001 Standard", "The Job Type", and "The Gender" show significant differences in the factor "The Extent of Increasing Workloads"; and "The Company's Size" and "The Educational Background" show significant differences in the factor "The Extent of Improvements of Information Security". In addition, across all information security items except "The Assets Management", Information Professionals commonly agree that "Whether the Company Needs to Implement Information Security Policies Or Not" rates higher than "The Extent of Improvements of Information Security", and much higher than "The Extent of Increasing Workloads".
This research expects that enterprises implementing information security policies will consider its results and analysis, in particular the items that Information Professionals agree need to be implemented and can reliably improve security. By using these results to set appropriate information security budgets and staffing and to identify the reasons workloads increase, enterprises can improve their operating processes and find accompanying measures that lighten the burden on the related jobs. In this way enterprises can implement information security policies properly and gain more benefits and rewards.