各種調查或研究均顯示，資訊安全事故的發生比例與其所造成的財務損失均不斷上升。美國911事件、台灣納莉颱風的水災、財金公司的舞弊案等，均顯示隨著資訊科技的快速發展，資訊系統使用者的範圍不斷擴大，組織對資訊系統依賴程度的提高，資訊安全因而日愈重要。但組織資訊安全如何評估？應考慮那些評估準則？尚乏實証研究。本研究以資訊安全管理「整合系統理論」（Integrated System Theory）為基礎，經由因素分析、名目群組技術（Nominal Group Technique）的程序，匯集專家意見，建構「資訊安全評估準則層級結構」，共有9 個評估構面，37 項評估準則，可作為組織規劃資訊安全策略之參考，亦可作為繼續發展「資訊安全多準則評估模式」（Information Security Multiple Criteria Valuation Model）的基礎，實為資訊安全管理實証研究的重要里程碑。 Most results of various investigations and studies have shown that the percentage of information security accidents occurred and the financial losses caused are increasing continuously. September 11 attacks in the U.S.A., floods of Nari typhoon and malfeasant cases of Financial Information Service Co., Ltd. in Taiwan all indicate that information security has being more important day by day as a result of fast development of information technology, increasing range of users and dependence of an organization on information system. How to evaluate information security of an organization and what valuation criteria should be considered still lack of empirical studies. On the basis of “Integrated System Theory” of information security management, the study applies factor analysis and nominal group technique and collects opinions from experts to construct “Hierarchical Structure of Information Security Valuation Criteria”, which totally includes 9 valuation dimensions and 37 valuation criteria. The result may not only be a reference for the organization to make information security policies but also the foundation to further develop “Information Security Multiple Criteria Valuation Model”. It is obviously a key milestone of empirical studies of information security management.