
Graduate student: Hsu, Hsiu-Ching (許琇晴)
Thesis title: A Silver Lining in Every Crisis: Unfold a Bank's Information Security Transformation
Advisor: Chang, Hsin-Lu (張欣綠)
Oral defense committee: Hsu, Wei-Yuan (許瑋元); Hsiao, Ruey-Lin (蕭瑞麟); Chang, Hsin-Lu (張欣綠)
Degree: Master
Department: College of Commerce - Department of Management Information System
Year of publication: 2025
Academic year of graduation: 113
Language: English
Number of pages: 81
Keywords: Information security (InfoSec), Transformation, Imbrication, Affordance, IT artifacts, Routines, Banking, Diffusion, Innovation
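  • With the rapid development of information technology, information security (InfoSec) threats are becoming increasingly severe. While pursuing digital innovation, the banking industry also faces increasingly complex security challenges and urgently needs to shift from traditional reactive responses to more forward-looking strategic planning. Prior research has mostly focused on managerial aspects such as security policy formulation or employee compliance behavior, and has paid less attention to the overall dynamic process of InfoSec transformation and the interaction between technology and organization. This study examines the formation mechanisms and evolutionary context behind InfoSec transformation. Grounded in the imbrication theory proposed by Leonardi (2011), it uses the case study method to analyze in depth a Taiwanese bank that launched a comprehensive security reform after a major ATM heist and eventually became an industry leader in information security. The study identifies four representative imbrication mechanisms: responsive prevision, iterative constitution, assimilative enforcement, and agile compliance, each reflecting the risk context and response strategy the organization faced at a different stage. The study further finds that InfoSec transformation is not a linear process; rather, through multi-directional imbrication between people and technology, it expands gradually along the "scope" and "scale" of innovation, forming an InfoSec diffusion trajectory. Theoretically, the study extends the application of imbrication theory, reveals its diversity and dynamism in real-world settings, and proposes an InfoSec transformation model that integrates the technical and managerial dimensions. Practically, it offers banks a framework for thinking strategically about security governance, helping them plan a long-term InfoSec transformation blueprint and providing action guidance for responding to rapid changes in the external environment.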


    As information security (InfoSec) risks grow alongside digital innovation, the banking industry must shift from reactive to proactive strategies. Existing studies predominantly emphasize InfoSec management practices but often overlook the dynamic nature of InfoSec transformation. Drawing on imbrication theory (Leonardi, 2011), this study explores how the interaction between IT artifacts and routines drives InfoSec transformation. Through an in-depth case study of a leading Taiwanese bank that successfully redefined its InfoSec posture following a severe ATM heist, the research identifies four distinct types of imbrication: responsive prevision, iterative constitution, assimilative enforcement, and agile compliance. Each type reflects different patterns of human and material agency. These insights inform the development of a diffusion trajectory model that captures how InfoSec transformation unfolds across varying scopes and scales of innovation. The findings extend imbrication theory into a multi-dimensional context and offer practical guidance for banks seeking to foster resilience through adaptive, context-sensitive strategies.

    Chapter 1. Introduction
    Chapter 2. Literature Review
    2.1 Information Security Transformation
    2.2 Imbrication Theory
    Chapter 3. Research Methodology
    3.1 Research Approach
    3.2 Data Collection
    3.3 Data Analysis
    Chapter 4. Case Background
    4.1 Reconstruction Phase: 2016-2018
    4.2 Enhancement Phase: 2019-2020
    4.3 Innovation Phase: 2021-2023
    Chapter 5. Findings
    5.1 Responsive Prevision
    5.2 Iterative Constitution
    5.3 Assimilative Enforcement
    5.4 Agile Compliance
    Chapter 6. Discussions
    6.1 Diffusion Trajectory in Information Security Transformation
    6.2 Theoretical and Practical Implications
    Chapter 7. Conclusion
    References
    Appendix A: Archival Data Resources
    A.1 Blog articles
    A.2 Public reports
    A.3 Published news
    Appendix B: Coding Map
    B.1 Coding procedure

    Anderson, C., Baskerville, R.L., and Kaul, M. (2017). Information security control theory: Achieving a sustainable reconciliation between sharing and protecting the privacy of information. Journal of Management Information Systems, 34(4), 1082-1112. https://doi.org/10.1080/07421222.2017.1394063
    Angst, C.M., Block, E.S., D'Arcy, J., and Kelley, K. (2017). When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41(3), 893-916. https://doi.org/10.25300/misq/2017/41.3.10
    Balozian, P., Burns, A.J., and Leidner, D.E. (2023). An adversarial dance: Toward an understanding of insiders' responses to organizational information security measures. Journal of the Association for Information Systems, 24(1), 161-221. https://doi.org/10.17705/1jais.00798
    Barratt, M., Choi, T.Y., and Li, M. (2011). Qualitative case studies in operations management: Trends, research outcomes, and future research implications. Journal of Operations Management, 29(4), 329-342. https://doi.org/10.1016/j.jom.2010.06.002
    BBC (2016). Taiwan ATMs 'robbed of $2.5m by European hackers'. https://www.bbc.com/news/world-asia-36824507/
    Bürger, O., Häckel, B., Karnebogen, P., and Töppel, J. (2019). Estimating the impact of IT security incidents in digitized production environments. Decision Support Systems, 127, 113144. https://doi.org/10.1016/j.dss.2019.113144
    Chatterjee, S., Moody, G.D., Lowry, P.B., Chakraborty, S., and Hardin, A. (2020). The nonlinear influence of harmonious information technology affordance on organisational innovation. Information Systems Journal, 31(2), 294-322. https://doi.org/10.1111/isj.12311
    Chen, X., Wu, D., Chen, L., and Teng, J.K.L. (2018). Sanction severity and employees' information security policy compliance: Investigating mediating, moderating, and control variables. Information & Management, 55(8), 1049-1060. https://doi.org/10.1016/j.im.2018.05.011
    Cram, W.A., Proudfoot, J.G., and D'Arcy, J. (2020). When enough is enough: Investigating the antecedents and consequences of information security fatigue. Information Systems Journal, 31(4), 521-549. https://doi.org/10.1111/isj.12319
    Dhillon, G., Smith, K., and Dissanayaka, I. (2021). Information systems security research agenda: Exploring the gap between research and practice. Journal of Strategic Information Systems, 30(4), 101693. https://doi.org/10.1016/j.jsis.2021.101693
    Eisenhardt, K.M., and Graebner, M.E. (2007). Theory building from cases: Opportunities and challenges. The Academy of Management Journal, 50(1), 25-32. https://doi.org/10.5465/AMJ.2007.24160888
    Faik, I., Barrett, M., and Oborn, E. (2020). How information technology matters in societal change: An affordance-based institutional logics perspective. MIS Quarterly, 44(3), 1359-1390. https://doi.org/10.25300/MISQ/2020/14193
    Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., and Smeraldi, F. (2016). Decision support approaches for cyber security investment. Decision Support Systems, 86, 13-23. https://doi.org/10.1016/j.dss.2016.02.012
    Financial Supervisory Commission (2023). FSC imposes administrative penalty on Shanghai Commercial and Savings Bank for deficiencies in leaks of customer data. https://www.fsc.gov.tw/en/home.jsp?id=54&parentpath=0&mcustomize=multimessage_view.jsp&dataserno=202312280002&dtable=News
    Findikoglu, M., and Watson-Manheim, M.B. (2016). Linking macro-level goals to micro-level routines: EHR-enabled transformation of primary care services. Journal of Information Technology, 31(4), 382-400. https://doi.org/10.1057/s41265-016-0023-5
    First Financial Holdings (n.d.). Awards and Recognition. https://www.firstholding.com.tw/sites/firstholding/Touch/1506567958639
    Gephart, R.P. (2004). From the editors: Qualitative research and the "Academy of Management Journal". The Academy of Management Journal, 47(4), 454-462. https://doi.org/10.5465/amj.2004.14438580
    Gonzalez, E.S., and Deng, X. (2023). Social Inclusion: The use of social media and the impact on first-generation college students. Journal of the Association for Information Systems, 24(5), 1313-1333. https://doi.org/10.17705/1jais.00792
    Holeman, I., and Barrett, M. (2017). Insights from an ICT4D initiative in Kenya's immunization program: Designing for the emergence of sociomaterial practices. Journal of the Association for Information Systems, 18(12), 900-930. https://doi.org/10.17705/1jais.00476
    Jaeger, L., Eckhardt, A., and Kroenung, J. (2021). The role of deterrability for the effect of multi-level sanctions on information security policy compliance: Results of a multigroup analysis. Information & Management, 58(3), 103318. https://doi.org/10.1016/j.im.2020.103318
    Kao, S.C. (2022). Cathay United Bank fined NT$2m over ATM blunder. Taipei Times. https://www.taipeitimes.com/News/biz/archives/2022/04/13/2003776494/
    Karjalainen, M., Sarker, S., and Siponen, M. (2019). Toward a theory of information systems security behaviors of organizational employees: A dialectical process perspective. Information Systems Research, 30(2), 687-704. https://doi.org/10.1287/isre.2018.0827
    Klein, H.K., and Myers, M.D. (1999). A set of principles for conducting and evaluating interpretive field studies in information systems. MIS Quarterly, 23(1), 67-93. https://doi.org/10.2307/249410
    Kolkowska, E., Karlsson, F., and Hedström, K. (2017). Towards analysing the rationale of information security non-compliance: Devising a value-based compliance analysis method. Journal of Strategic Information Systems, 26(1), 39-57. https://doi.org/10.1016/j.jsis.2016.08.005
    Kottasova, I. (2016). Hackers steal millions from ATMs without using a card. CNN. https://edition.cnn.com/2016/07/14/news/bank-atm-heist-taiwan/index.html
    Krancher, O., Luther, P., and Jost, M. (2018). Key affordances of Platform-as-a-Service: Self-organization and continuous feedback. Journal of Management Information Systems, 35(3), 776-812. https://doi.org/10.1080/07421222.2016.1205934
    Lee, C.H., Geng, X., and Raghunathan, S. (2016). Mandatory standards and organizational information security. Information Systems Research, 27(1), 70-86. https://doi.org/10.1287/isre.2015.0607
    Lehrer, C., Wieneke, A., Brocke, J.V., Jung, R., and Seidel, S. (2018). How big data analytics enables service innovation: Materiality, affordances, and the individualization of service. Journal of Management Information Systems, 35(2), 424-460. https://doi.org/10.1080/07421222.2018.1451953
    Leonardi, P.M. (2011). When flexible routines meet flexible technologies: Affordance, constraint, and the imbrication of human and material agencies. MIS Quarterly, 35(1), 147-167. https://doi.org/10.2307/23043493
    Leonardi, P.M. (2023). Guest editorial: Affordances and agency: A clarification and integration of fractured concepts. MIS Quarterly, 47(4), ix-xx.
    Li, H., Kettinger, W.J., and Yoo, S. (2024). Dark clouds on the horizon? Effects of cloud storage on security breaches. Journal of Management Information Systems, 41(1), 206-235. https://doi.org/10.1080/07421222.2023.2301177
    Li, H., Yoo, S., and Kettinger, W.J. (2021). The roles of IT strategies and security investments in reducing organizational security breaches. Journal of Management Information Systems, 38(1), 222-245. https://doi.org/10.1080/07421222.2021.1870390
    Li, X., Rai, A., and Ganapathy, K. (2020). Designing cost-effective telemedicine camps for underprivileged individuals in less developed countries: A decomposed affordance-effectivity framework. Journal of the Association for Information Systems, 21(5), 1279-1312. https://doi.org/10.17705/1jais.00637
    Liu, C.-W., Huang, P., and Lucas, H.C. (2020). Centralized information technology decision making and cybersecurity breaches: Evidence from U.S. higher education institutions. Journal of Management Information Systems, 37(3), 758-787. https://doi.org/10.1080/07421222.2020.1790190
    Markus, M.L., and Silver, M.S. (2008). A foundation for the study of IT effects: A new look at DeSanctis and Poole’s concepts of structural features and spirit. Journal of the Association for Information Systems, 9(10), 609-632. https://doi.org/10.17705/1jais.00176
    Mettler, T., Sprenger, M., and Winter, R. (2017). Service robots in hospitals: New perspectives on niche evolution and technology affordances. European Journal of Information Systems, 26(5), 451-468. https://doi.org/10.1057/s41303-017-0046-1
    Nevo, S., Nevo, D., and Pinsonneault, A. (2021). Personal achievement goals, learning strategies, and perceived IT affordances. Information Systems Research, 32(4), 1298-1322. https://doi.org/10.1287/isre.2021.1025
    Niemimaa, E., and Niemimaa, M. (2017). Information systems security policy implementation in practice: From best practices to situated practices. European Journal of Information Systems, 26(1), 1-20. https://doi.org/10.1057/s41303-016-0025-y
    Pang, M.-S., and Tanriverdi, H. (2022). Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: the case of U.S. federal government. Journal of Strategic Information Systems, 31(1), 101707. https://doi.org/10.1016/j.jsis.2022.101707
    Piccoli, G. (2016). Triggered essential reviewing: The effect of technology affordances on service experience evaluations. European Journal of Information Systems, 25(6), 477-492. https://doi.org/10.1057/s41303-016-0019-9
    Salo, M., Pirkkalainen, H., Chua, C.E.H., and Koskelainen, T. (2022). Formation and mitigation of technostress in the personal use of IT. MIS Quarterly, 46(2), 1073-1107. https://doi.org/10.25300/MISQ/2022/14950
    Sarkar, S., Vance, A., Ramesh, B., Demestihas, M., and Wu, D.T. (2020). The influence of professional subculture on information security policy violations: A field study in a healthcare context. Information Systems Research, 31(4), 1240-1259. https://doi.org/10.1287/isre.2020.0941
    Sarker, S., Xiao, X., Beaulieu, T., and Lee, A.S. (2018). Learning from first-generation qualitative approaches in the IS discipline: An evolutionary view and some implications for authors and evaluators (part 1/2). Journal of the Association for Information Systems, 19(8), 752-774. https://doi.org/10.17705/1jais.00508
    Shiau, W.-L., Wang, X., and Zheng, F. (2023). What are the trend and core knowledge of information security? A citation and co-citation analysis. Information & Management, 60(3), 103774. https://doi.org/10.1016/j.im.2023.103774
    Steffen, J.H., Gaskin, J.E., Meservy, T.O., Jenkins, J.L., and Wolman, I. (2019). Framework of affordances for virtual reality and augmented reality. Journal of Management Information Systems, 36(3), 683-729. https://doi.org/10.1080/07421222.2019.1628877
    Strauss, A.L., and Corbin, J.M. (1998). Basics of qualitative research: Techniques and procedures for developing grounded theory. Sage Publications.
    Thapa, D., and Sein, M.K. (2017). Trajectory of affordances: Insights from a case of telemedicine in Nepal. Information Systems Journal, 28(5), 796-817. https://doi.org/10.1111/isj.12160
    Tong, Y., Tan, C.-H., Sia, C.L., Shi, Y., and Teo, H.-H. (2022). Rural-urban healthcare access inequality challenge: Transformative roles of information technology. MIS Quarterly, 46(4), 1937-2163. https://doi.org/10.25300/MISQ/2022/14789
    Tsohou, A., Karyda, M., Kokolakis, S., and Kiountouzis, E. (2015). Managing the introduction of information security awareness programmes in organisations. European Journal of Information Systems, 24(1), 38-58. https://doi.org/10.1057/ejis.2013.27
    Vance, A., Lowry, P.B., and Eggett, D. (2015). Increasing accountability through user-interface design artifacts: A new approach to addressing the problem of access-policy violations. MIS Quarterly, 39(2), 345-366. https://doi.org/10.25300/MISQ/2015/39.2.04
    Vedadi, A., Warkentin, M., Straub, D.W., and Shropshire, J. (2024). Fostering information security compliance as organizational citizenship behavior. Information & Management, 61(5), 103968. https://doi.org/10.1016/j.im.2024.103968
    Wang, J., Shan, Z., Gupta, M., and Rao, H.R. (2019). A longitudinal study of unauthorized access attempts on information systems: The role of opportunity contexts. MIS Quarterly, 43(2), 601-622. https://doi.org/10.25300/MISQ/2019/14751
    Wright, R.T., Johnson, S.L., and Kitchens, B. (2023). Phishing susceptibility in context: A multilevel information processing perspective on deception detection. MIS Quarterly, 47(2), 803-832. https://doi.org/10.25300/MISQ/2022/16625
    Yang, S.O., Hsu, C., Sarker, S., and Lee, A.S. (2017). Enabling effective operational risk management in a financial institution: An action research study. Journal of Management Information Systems, 34(3), 727-753. https://doi.org/10.1080/07421222.2017.1373006
    Yoo, C.W., Goo, J., and Rao, H.R. (2020). Is cybersecurity a team sport? A multilevel examination of workgroup information security effectiveness. MIS Quarterly, 44(2), 907-931. https://doi.org/10.25300/MISQ/2020/15477
    Zhang, L., Wattal, S., and Pang, M.-S. (2024). Does sharing make my data more insecure? An empirical study on health information exchange and data breaches. MIS Quarterly, 48(3), 873-898. https://doi.org/10.25300/misq/2023/17479

    Full text release date: 2031/01/18