Title page for etd-0114117-233656
Title
The Influence of Information Security Stress on Security Policy Compliance: A Protection Motivation Theory Perspective
Department
Year, semester
Language
Degree
Number of pages
99
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2017-01-17
Date of Submission
2017-02-15
Keywords
security job stress, security role stress, security task stress, protection motivation theory, information security compliance
Statistics
The thesis/dissertation has been browsed 5968 times and downloaded 327 times.
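Abstract (Chinese)
Security incidents not only cause tangible losses to an enterprise but also seriously damage its reputation. Formulating effective security policies and enforcing them is the fundamental way to reduce such incidents. However, the process of promoting security policies puts stress on employees. Whether this stress affects employees' compliance with security policies is the focus of this thesis.

Based on protection motivation theory, this study holds that information security stress affects security policy compliance through the two cognitive processes of the theory, threat appraisal and coping appraisal.

This empirical study collected the opinions of 324 users, validated the research model with twelve research hypotheses, and tested it using the PLS statistical method. The results show that, within threat appraisal and coping appraisal, all factors except the likelihood of an incident occurring have a significant effect on security policy compliance. Security task stress and security job stress have a significant effect on the formation of security role stress. Security role stress has a significant effect on threat appraisal and coping appraisal in protection motivation theory. Security task stress shows a significant positive correlation with response efficacy in coping appraisal, a result contrary to what we expected.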
Abstract
The occurrence of security incidents will not only cause substantial loss to the enterprise but also serious damage to goodwill. In order to reduce the occurrence of security incidents, it is a fundamental practice to formulate effective security policies and implement them. However, the process of promoting the security policy will put stress on employees. The focus of this paper is whether these pressures will affect staff's compliance with the security policies.

Based on the protection motivation theory, this study considers that information security stress will affect the compliance of security policies through the two cognitive processes of threat appraisal and coping appraisal of protection motivation theory.

In this study, the opinions of 324 users were collected and an empirical study was conducted. Twelve research hypotheses were used to validate the study model. The results showed that threat appraisal and coping appraisal affect security compliance significantly, except for vulnerability. Security task and job stress have a significant impact on the formation of security role stress. Security role stress has a significant impact on threat and coping appraisals in the protection motivation theory. Security task stress was significantly positively correlated with response efficacy in coping appraisal, and this result was contrary to our expectation.
Table of Contents
Thesis Approval Form i
Acknowledgements ii
Abstract (Chinese) iii
Abstract iv
List of Figures vii
List of Tables viii
Chapter 1. Introduction 1
1.1 Background 1
1.2 Research Motivation 2
Chapter 2. Literature Reviews 4
2.1 Information Security 4
2.2 Information Security Policy 6
2.3 Information Security Compliance 10
2.4 Stress & Stressor 12
2.5 Security-related Stress 13
2.6 Protection Motivation Theory 15
Chapter 3. Research Methodology 18
3.1 Research Architecture 18
3.2 Research Model 19
3.3 Research Hypothesis 20
3.4 The operational definitions and measurements of variables 25
3.4.1 Security Task Stress 25
3.4.2 Security Job Stress 26
3.4.3 Security Role Stress 27
3.4.4 Coping Appraisal 29
3.4.5 Threat Appraisal 30
3.4.6 Security Compliance 31
3.5 Research Design 32
Chapter 4. Results and Discussion 39
4.1 Descriptive Statistics 39
4.2 Reliability and Validity 44
4.2.1 Reliability 44
4.2.2 Validity 50
4.3 Hypothesis Testing: The Structural Model 60
4.4 Supplementary Examination 66
4.4.1 The examination of direct effects from security stress to security compliance 66
4.4.2 The examination of Inverted-U Shaped Effect 66
4.4.3 The results of path efficiency of structural model by different data groups of industries 67
Chapter 5. Conclusions 73
5.1 Research Results 74
5.2 Academic Implications 75
5.3 Practical Implications 76
5.4 Limitations and Suggestions for Future Study 78
Reference 79
Appendix 83
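Fulltext
This electronic full text is licensed to users only for personal, non-profit retrieval, reading, and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost, or broadcast it without authorization, so as to avoid breaking the law.
Thesis access permission: user-defined availability date
Available:
Campus: available
Off-campus: available

Printed copies
Public information on printed theses is relatively complete from academic year 102 onwards. To look up public information on printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available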