為了面對網路威脅所產生不易掌控的風險、持續鞏固台灣半導體在全球領先的地位,我們將著手建立有關於我國資訊與科技服務業的資訊安全風險的評估,並量化風險值、計算投保時之保費參考依據,以便於企業組織將風險做適當轉移。 本研究首先會說明資安損失的型態,將各種損失型態做統整及歸納;本篇選擇關注在資料外洩的型態,研究採用Jack Freund & Jack Jones發展之Factor Analysis of Information Risk模型,並結合美國國家標準暨技術研究院(NIST)制定的Cybersecurity Framework作為探討之基礎,經由蒙地卡羅模擬並量化當資訊與科技服務業遭遇網路攻擊時的風險值,後續可以藉此推估出保險公司所需的危險保費。 研究結果發現,當我國資訊與科技服務業遭遇資料外洩時,若是提升了FAIR模型中的抵抗能力,則危險保費也會下降,內文具不同抵抗能力所得之風險平均值、標準差和危險保費。 這些經過蒙地卡羅模擬分析及專家估算所得到的風險值,提供保險公司為資訊與科技服務業計算保費的基準、企業本身風險管理時的良好指標。本研究所提出之流程、架構可以依使用對象的實際資料和參數分析。 ;In order to face the unmanageable risks arising from cyber threats and continue to consolidate Taiwan′s leading position in the world of semiconductors, we establish an assessment of information security risks in Taiwan′s information and technology service industry, quantify the risk value. The insurance premium basis is used to facilitate the organization to transfer risks appropriately. We will first explain the types of information security losses, then integrate and summarize various types of losses; choose to focus on the types of Data breach, and adopts the Factor Analysis of Information Risk model developed by Jack Freund & Jack Jones, and combine with the Cybersecurity Framework established by the National Institute of Standards and Technology (NIST) as the basis for the study. Through Monte Carlo simulation and quantification of the risk value when the information and technology service company encounter a cyber threat, the simulation results can be used to promote estimate the premiums required by the insurance company. The results of the research finds that when Taiwan′s information and technology service industry encounters Data breach, if the resistance in the Factor Analysis of Information Risk model is improved, the risk premium will also decrease accordingly. These risk values is obtained through Monte Carlo simulation analysis and expert estimation provide insurance companies with a benchmark for calculating premiums for the information and technology service industry and a good indicator for company risk management. However, we suggest that under this process and framework the real parameter analysis can be input according to the actual data of the company considered.
