| 研究生: |
賴重睿 Lai, Chung-Jui |
|---|---|
| 論文名稱: |
探索與實作PCR框架:以政府資安成熟度模型為例 Exploring and Implementing the PCR Framework from Cyber Security Government Maturity Assessment |
| 指導教授: |
左瑞麟
Tso, Ray-Lin |
| 口試委員: |
許見章
Hsu, Chien-Chang 黃正達 Huang, Cheng-Ta 高大宇 Kao, Da-Yu 許建隆 Hsu, Chien-Lung |
| 學位類別: |
碩士
Master |
| 系所名稱: |
資訊學院 - 資訊科學系 Department of Computer Science |
| 論文出版年: | 2026 |
| 畢業學年度: | 114 |
| 語文別: | 英文 |
| 論文頁數: | 72 |
| 中文關鍵詞: | 資通安全 、成熟度模型 、風險管理 、安全態勢 、差距分析 |
| 外文關鍵詞: | Cybersecurity, Maturity model, Risk management, Security posture, Gap analysis |
| 相關次數: | 點閱:35 下載:5 |
| 分享至: |
| 查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報 |
近年資訊科技快速發展,加上疫情期間的數位轉型加速,使網路攻擊事件頻率倍增並引發廣泛討論,亦衍生出許多犯罪事件或社會負面新聞。因此,為了能快速檢視公務機關是否有能力有效遏止這類攻擊,臺灣政府自2019年推動資安治理成熟度評估(Cyber Security Governance Maturity Assessment,CSGMA)機制,要求各公務機關依循一致性架構導入並定期檢視其資安治理成熟度。本研究將聚焦在臺灣政府CSGMA評估機制,以此成熟度評估模型及其公務機關適用脈絡為研究基礎,針對臺灣某警察機關之資安治理成熟度進行個案研究與差距分析(Gap Analysis),檢視其資安治理成熟度現況與待改進面向,並提出可改善之提升策略,以強化整體資安態勢(Security Posture)。研究結果顯示,該機關成熟度等級為第3級,與大多數公務機關相同,其主要缺口在於現有資安管理制度運作流程缺乏定性或定量績效指標、管理審查評估與持續改善機制;該機關若要提升等級,應將相關衡量指標正式納入管理循環中,並以高階管理者視角與策略,將資訊安全概念融入組織文化與營運決策的一部分。
基於評估結果,本研究提出「流程分類(Process class)、能力與成熟度評估(Capability and maturity evaluation)、風險導向管理(Risk-oriented management)」(簡稱 PCR)之框架,作為 CSGMA 結構下之評估後改善路徑。PCR以評估結果為依據,透過本研究提出之優先排序公式,呈現機關現況與目標成熟度等級之差距。進一步結合既有合規導向架構與風險導向策略,使機關能依循PCR架構完成評估、差距計算及改善優先順序排序,並在符合合規面架構後,藉由風險管理之角度來制定改善策略,讓機關整體成熟度不僅限於合規,更能靈活且彈性地應對多變的網路生態,同時強化機關整體資安成熟度與組織韌性。本研究將發現結果及改善策略提供各政府機關作為提升資安治理成熟度之參考採行方向。
The rapid evolution of information technology, accelerated by the digital transformation during the pandemic, has led to a significant increase in the frequency and complexity of cyberattacks. This trend presents major threats and has emerged as a crucial societal issue. To address this challenge, the Taiwanese government introduced the Cyber Security Governance Maturity Assessment (CSGMA) in 2019, requiring government agencies to assess their cybersecurity maturity systematically. This study presents a detailed case study of Police Department T in Taiwan, utilizing the CSGMA structure to conduct a gap analysis of its cybersecurity governance maturity. The research aims to identify current cybersecurity maturity levels, pinpoint areas for improvement, and propose enhancement strategies to strengthen the department’s overall security posture. The results indicate that the department achieved overall maturity level 3, which is consistent with the majority of government agencies in Taiwan. The primary gaps identified include a lack of both qualitative and quantitative performance metrics, insufficient management review and evaluation, and an inadequate continuous improvement mechanism within the existing information security management system. To reach a higher maturity level, the department must formalize these metrics within its management lifecycle and embed cybersecurity concepts into its organizational culture and executive decision-making.
Building upon these findings, this study proposes the ‘Process class, Capability and maturity evaluation, and Risk-oriented management’ (PCR) framework as an improvement pathway within the CSGMA. The PCR framework integrates essential compliance requirements with a dynamic, risk-oriented strategy, enabling the department to systematically prioritize its improvement initiatives based on evaluation results and risk exposure, and to formalize measurement, review, and remediation timelines. By adopting this framework, the department can transcend mere compliance, thereby enabling a more adaptable and resilient response to the dynamic cyber landscape and ultimately strengthening organizational resilience. The findings and proposed framework of this research provide a practical and strategic guide for other government agencies working to elevate their cybersecurity maturity level.
致謝 i
摘要 ii
Abstract iii
Contents iv
List of Figures vi
List of Tables vii
1. Introduction 1
2. Background 5
2.1. Cybersecurity Posture 5
2.2. Cybersecurity Maturity Models 6
2.2.1. ISO Standards 8
2.2.2. CERT-RMM 9
2.2.3. CMMI 9
2.2.4. NIST CSF 10
2.3. Taiwan CSGMA 12
2.3.1. Cyber Security Management Act 12
2.3.2. CSGMA Components and Structure 12
2.3.3. Evaluation Matrix: Capability and Maturity 15
2.4. Gap Analysis 16
2.4.1. Establish Current State (As-Is) 16
2.4.2. Define Desired State (To-Be) 17
2.4.3. Conduct Gap Analysis 17
2.4.4. Develop Action Plan 17
2.5. Risk Management 19
3. Research Design 22
3.1. Research Environment: Police Department T 23
3.2. Capability and Maturity Observation 24
3.2.1. Capability Observation 24
3.2.2. Maturity Observation 25
3.2.3. Observation Results 25
3.3. Priority Management 27
3.3.1. Formula Definition 27
3.3.2. Priority Determination 29
4. The Proposed PCR Framework 31
4.1. Key Phases 32
4.1.1. Process Class (Phase 1) 32
4.1.2. Capability and Maturity Evaluation (Phase 2) 33
4.1.3. Risk-Oriented Management (Phase 3) 34
4.2. Cycle Management 36
4.2.1. Initial Implementation (Cycle 1) 38
4.2.2. Intermediate Implementation (Cycle 2) 47
4.2.3. Advanced Implementation (Cycle 3) 53
4.3. Discussions and Findings 58
4.3.1. Key Findings and Implementation Insight 58
4.3.2. Lessons Learned 60
4.3.3. Research Findings 61
5. Conclusions and Future Work 65
5.1. Conclusions 65
5.2. Future Work 66
References 67
Appendix 70
Abohatem, A. Y. and Ba-Alwi, F. M., 'Cybersecurity Maturity Assessment of Information Systems for Yemen Telecoms,' International Journal of Intelligent Systems and Applications in Engineering, Vol. 12, pp. 539-548, 2024.
Administration for Cyber Security, Ministry of Digital Affairs, Taiwan, 'Government cybersecurity protection seminar series,' p. 17, November 2024. Available online: https://www-api.moda.gov.tw/File/Get/acs/zh-tw/hc3vWMoudkChhsr (accessed on 20 April 2026).
Boehm, J., Curcio, N., Merrath, P., Shenton, L., and Stähle, T., 'The risk-based approach to cybersecurity,' New York, NY: McKinsey & Company, 2019.
Bonney, B., Hayslip, G., and Stamper, M., 'CISO desk reference guide: A practical guide for CISOs,' CISO DRG, 2019.
Caralli, R. A., 'Discerning the Intent of Maturity Models from Characterizations of Security Posture,' Software Engineering Institute, Carnegie Mellon University, pp. 2-4, 2012.
Crotty, J. and Daniel, E., 'Cyber threat: its origins and consequence and the use of qualitative and quantitative methods in cyber risk assessment,' Applied Computing and Informatics, Vol. 22, No. 1/2, pp. 198-209, 2026.
Diogenes, Y. and Ozkaya, E., 'Cybersecurity – Attack and Defense Strategies: Improve Your Security Posture to Mitigate Risks and Prevent Attackers from Infiltrating Your System,' Packt Publishing Limited Company, pp. 1-30, 2022.
Duijm, N. J., 'Recommendations on the Use and Design of Risk Matrices,' Safety Science, Vol. 76, pp. 21-31, 2015.
Garba, A. A. and Bade, A. M., 'An Investigation on Recent Cyber Security Frameworks as Guidelines for Organizations Adoption,' International Journal of Innovative Science and Research Technology, Vol. 6, pp. 103-110, 2021.
Garba, A. A., Siraj, M. M., and Othman, S. H., 'An Explanatory Review on Cybersecurity Capability Maturity Models,' Advances in Science Technology and Engineering Systems Journal, Vol. 5, No. 4, pp. 762-769, 2020.
Humphrey, W. S., 'Characterizing the Software Process: A Maturity framework,' IEEE Software, Vol. 5, No. 2, pp. 73-79, 1988.
Idi, M. and Aliyu, M. B., 'Cybersecurity Capability Maturity Model for Network System,' International Journal of Development Research, Vol. 9, pp. 28637-28641, 2019.
ISACA, 'CMMI Model Quick Reference Guide,' 2024. Available online: https://www.isaca.org/resources/reference-guide/cmmi-model-quick-reference-guide (accessed on 18 December 2025).
International Organization for Standardization (ISO), 'ISO/IEC 27001: Information security, cybersecurity and privacy protection — Information security management systems — Requirements,' 2022.
Law and Regulations Database, Ministry of Justice, R.O.C., 'Cyber Security Management Act,' June 6, 2018. Available online: https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=A0030297 (accessed on 20 April 2024).
Liu, P. Y., 'Exploratory Study on Maturity Assessment Model for Government Information Security Governance,' Department of Computer Science, National Taipei University of Education, July 2019. Available online: https://hdl.handle.net/11296/naxrck (accessed on 4 December 2025).
Marican, M. N. Y., Razak, S. A., Selamat, A., and Othman, S. H., 'Cyber Security Maturity Assessment Framework for Technology Startups: A Systematic Literature Review,' IEEE Access, Vol. 11, pp. 5442-5452, 2023.
Möller, D. P. F., 'Cybersecurity Maturity Models and SWOT Analysis. In: Guide to Cybersecurity in Digital Transformation. Advances in Information Security,' Springer, Vol. 103, pp. 305-346, 2023.
National Institute of Cyber Security, Taiwan, 'Information Security Governance Maturity Assessment Reference Guide,' August 29, 2022. Available online: https://www.nics.nat.gov.tw/cybersecurity_resources/reference_guide/Common_Standards/ (accessed on 20 April 2024).
National Institute of Standards and Technology, 'Guide for Conducting Risk Assessments,' NIST Special Publication 800-30, Rev.1, Gaithersburg, 2012. Available online: https://doi.org/10.6028/NIST.SP.800-30r1 (accessed on 7 October 2025).
National Institute of Standards and Technology, Gaithersburg, MD, 'The NIST Cybersecurity Framework (CSF) 2.0,' NIST Cybersecurity White Paper (CSWP) NIST CSWP 29, 2024. Available online: https://doi.org/10.6028/NIST.CSWP.29 (accessed on 20 February 2025).
NCSC, 'The fundamentals of risk. London: National Cyber Security Centre,' 2018.
Putra, A. and Soewito, B., 'Integrated Methodology for Information Security Risk Management using ISO 27005:2018 and NIST SP 800-30 for Insurance Sector,' International Journal of Advanced Computer Science and Applications (IJACSA), Vol. 14, No. 4, 2023.
Rabii, A., Assoul, S., Touhami, K. O., and Roudies, O., 'Information and Cyber Security Maturity Models: A Systematic Literature Review,' Information & Computer Security, Vol. 28, No. 4, pp. 627-644, 2020.
Radanliev, P., De Roure, D., Burnap, P., and Santos, O., 'Epistemological Equation for Analysing Uncontrollable States in Complex Systems: Quantifying Cyber Risks from the Internet of Things,' The Review of Socionetwork Strategies, Vol. 15, No. 2, pp. 381-411, 2021.
Sánchez-García, I. D., Mejía, J., and San Feliu Gilabert, T., 'Cybersecurity Risk Assessment: A Systematic Mapping Review, Proposal, and Validation,' Applied Sciences, Vol. 13, No. 1, 395, 2023.
Schroeder, K., Trinh, H., and Pillitteri, V. Y., 'Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures,' National Institute of Standards and Technology, NIST Special Publication 800-55v1, Gaithersburg, 2024. Available online: https://doi.org/10.6028/NIST.SP.800-55v1 (accessed on 7 October 2025).
Shabdin, N. I. and Yaacob, S., 'Gap analysis process for digital transformation in public sector organization,' Journal of Electrical Systems, Vol. 20, pp. 8131-8140, 2024.
Siponen, M. and Willison, R., 'Information Security Management Standards: Problems and Solutions,' Information & Management, Vol. 46, pp. 267-270, 2009.
White, G. B., 'The Community Cyber Security Maturity Model,' 40th Hawaii International Conference on System Sciences (HICSS), p. 99, 2007.