為了面對網路威脅所產生不易掌控的風險、持續鞏固台灣半導體在全球領先的地位，我們將著手建立有關於我國資訊與科技服務業的資訊安全風險的評估，並量化風險值、計算投保時之保費參考依據，以便於企業組織將風險做適當轉移。
本研究首先會說明資安損失的型態，將各種損失型態做統整及歸納；本篇選擇關注在資料外洩的型態，研究採用Jack Freund & Jack Jones發展之Factor Analysis of Information Risk模型，並結合美國國家標準暨技術研究院(NIST)制定的Cybersecurity Framework作為探討之基礎，經由蒙地卡羅模擬並量化當資訊與科技服務業遭遇網路攻擊時的風險值，後續可以藉此推估出保險公司所需的危險保費。
研究結果發現，當我國資訊與科技服務業遭遇資料外洩時，若是提升了FAIR模型中的抵抗能力，則危險保費也會下降，內文具不同抵抗能力所得之風險平均值、標準差和危險保費。
這些經過蒙地卡羅模擬分析及專家估算所得到的風險值，提供保險公司為資訊與科技服務業計算保費的基準、企業本身風險管理時的良好指標。本研究所提出之流程、架構可以依使用對象的實際資料和參數分析。

In order to face the unmanageable risks arising from cyber threats and continue to consolidate Taiwan's leading position in the world of semiconductors, we establish an assessment of information security risks in Taiwan's information and technology service industry, quantify the risk value. The insurance premium basis is used to facilitate the organization to transfer risks appropriately.
We will first explain the types of information security losses, then integrate and summarize various types of losses; choose to focus on the types of Data breach, and adopts the Factor Analysis of Information Risk model developed by Jack Freund & Jack Jones, and combine with the Cybersecurity Framework established by the National Institute of Standards and Technology (NIST) as the basis for the study. Through Monte Carlo simulation and quantification of the risk value when the information and technology service company encounter a cyber threat, the simulation results can be used to promote estimate the premiums required by the insurance company.
The results of the research finds that when Taiwan's information and technology service industry encounters Data breach, if the resistance in the Factor Analysis of Information Risk model is improved, the risk premium will also decrease accordingly.
These risk values is obtained through Monte Carlo simulation analysis and expert estimation provide insurance companies with a benchmark for calculating premiums for the information and technology service industry and a good indicator for company risk management. However, we suggest that under this process and framework the real parameter analysis can be input according to the actual data of the company considered.

[1] 中華民國經濟部統計處。2022年4月6號。取自https://www.moea.gov.tw/Mns/dos/content/Content.aspx?menu_id=6836。
[2] 中華民國經濟部統計處《401》電腦及資訊服務業營業額 110 年。2022年4月6號。取自https://www.moea.gov.tw/Mns/dos/bulletin/Bulletin.aspx?kind=9&html=1&menu_id=18808&bull_id=9756。
[3] 楊敏生，「模糊理論簡介」，數學傳播期刊，第十八卷第一期，第1至5頁，民國83年3月。
[4] Jack Freund , Jack Jones, Measuring and Managing Information Risk, Elsevier Inc., USA ,2015.
[5] Kaspersky Lab, How Data Breaches Happen.取自:https://www.kaspersky.com/resource-center/definitions/data-breach。
[6] Trend Micro, Data Breaches 101,2018年8月10號。取自: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/data-breach-101。
[7] “Managing Cyber Insurance Accumulation Risk”，Risk Management Solutions, Inc，25~26頁，2016年2月。
[8] 廖述源，李家瑋，「產險巨災損失費率釐訂之探討」，保險經營學報，241~243頁，2013年4月。
[9] Twain Taylor, 7 Biggest Cloud Outages of the Past Year, 2022年2月11日，取自: https://techgenix.com/7-biggest-cloud-outages-services-2021/。
[10] “A Reinsurance Manual of the Non-Life Branches”, Swiss Re, Swiss, 2004.
[11] 孫怡君，「我國產險再保險監理制度之研究」，銘傳大學，碩士論文，民國99年。
[12] Miklos Hajdu & Orsolya Bokor, “The Effects of Different Activity Distributions on Project Duration in PERT Networks”, Procedia,2014.
[13] “Cost of a Data Breach Report 2021”, IBM Security, July 2021.
[14] NIST官網，取自: https://www.nist.gov/。
[15] Watkins Consulting官網，取自:https://watkinsconsulting.com/our-projects/nist-csf-excel-workbook/。
[16] 徐昊宇，“結合FAIR與NIST資安框架分析資安風險:以醫療產業為例”，國立中央大學，碩士論文，民國110年。