| 摘要: | 隨著全球數位轉型加速,資訊安全已成為企業經營的關鍵課題之一。金融中小企業雖面臨與大型金融機構相似的資安風險,卻因資源與人力有限,在法規合規與資安投資之間經常處於兩難。現有資安治理架構(如 ISO 27001、NIST CSF)雖提供制度化的資安指引,卻多針對大型組織設計,對中小企業而言實務導入困難重重。此外相關研究亦多聚焦於技術實施與法規遵循,對於中小企業在制度壓力下如何演進其決策邏輯,從法規遵循走向策略創新的過程,仍缺乏系統性與理論化的分析,形成學術與實務間的落差。本研究採質性個案研究法,透過文獻整理與深入個案分析,探討一家金融中小企業如何在制度壓力環境下轉變其資安治理邏輯與實踐,並驗證Financial SMEs Cybersecurity Decision Framework (FSCDF)架構的解釋力,並以制度理論為理論基礎,深入分析形塑金融中小企業資訊安全決策行為的三種制度壓力:強制性壓力如何透過法規要求促使企業形成合規導向決策邏輯、規範性壓力如何藉由產業標準與專業實踐引導企業邁向標準化治理邏輯以及模仿性壓力如何激發企業發展自主創新的策略思維。研究進一步歸納出資安決策過程中的五個關鍵構面:風險管理、資安成熟度、資安文化與員工意識、威脅偵測與應變,以及技術防禦策略。透過理論與實務交叉觀察,本研究提出FSCDF中小企業資安決策架構,建立金融中小企業在多元制度壓力下由法規驅動邏輯、產業標準導向邏輯,進而發展至策略創新邏輯的三層次決策轉化模式。本研究研究發現,個案企業面對三種制度壓力時,其各構面資安決策邏輯並非線性反應,而是呈現階段性轉化,從法規導向的被動遵循,逐步邁向標準對齊與策略創新,形成一種結合制度回應與組織學習的演化過程。理論與實務交會視角讓本研究補足金融中小企業資安治理研究中對制度因素之忽視,並提出FSCDF架構作為分析工具。學術上擴展制度理論應用場域,實務上提供中小企業資安規劃參考架構,協助逐步強化其資安治理能力。;As global digital transformation accelerates, information security has become one of the key issues in enterprise operations. While small and medium-sized financial enterprises (SMEs) face cybersecurity risks similar to those of large financial institutions, they often find themselves in a dilemma between regulatory compliance and cybersecurity investment due to limited resources and manpower. Although existing cybersecurity governance frameworks (such as ISO 27001 and NIST CSF) offer institutionalized security guidelines, they are mostly designed for large organizations, making practical implementation extremely challenging for SMEs. Furthermore, current research primarily focuses on technical implementation and reg-ulatory compliance, lacking systematic and theoretical analysis of how SMEs evolve their de-cision-making logic under institutional pressures—from compliance-driven to strategy-driven innovation—thus creating a gap between academic research and practical needs. Grounded in institutional theory, this study investigates how three types of institutional pressure shape the cybersecurity decision-making behaviors of financial SMEs: how coercive pressure promotes compliance-oriented logic through regulatory requirements; how normative pressure leads enterprises toward standardized governance through industry standards and professional prac-tices; and how mimetic pressure inspires firms to develop strategic thinking and autonomous innovation. The study further identifies five key dimensions in the cybersecurity deci-sion-making process: risk management, cybersecurity maturity, security culture and employee awareness, threat detection and response, and technical defense strategies. Through a cross-perspective of theory and practice, this research proposes the FSCDF (Financial SMEs Cybersecurity Decision Framework), which models how financial SMEs navigate a three-phase decision transformation process—moving from regulation-driven logic, through industry standard-aligned logic, to strategic innovation logic under multifaceted institutional pressures. This study adopts a qualitative case study approach, utilizing literature review and in-depth case analysis to explore how a financial SME shifts its cybersecurity governance logic and practices under institutional pressures, and to validate the explanatory power of the FSCDF framework. The findings reveal that the enterprise’s decision logic across the five di-mensions is not a linear response but a phased transformation—from passive compliance with regulations to alignment with standards, and ultimately toward strategic innovation. This pro-cess reflects an evolutionary path that integrates institutional response with organizational learning. By integrating theoretical and practical perspectives, this research addresses the ex-isting gap in cybersecurity governance studies for financial SMEs by incorporating institu-tional factors and introduces the FSCDF framework as an analytical tool. Academically, it ex-tends the application of institutional theory; practically, it offers SMEs a reference model for cybersecurity planning, supporting the gradual enhancement of their cybersecurity governance capabilities. |
