Article details

Journal of Technology Management (科技管理學刊)

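Title: 金融創新服務之風險管理分析
Volume/issue: 28:3
Parallel title: Risk Management Analysis of Financial Innovation Service
Authors: 邱安安, 黃劭彥, 劉福運, 鄭嫆琄
Pages: 001-036
Keywords: mobile applications; financial innovation; APP; risk control; Mobile App; Financial Innovation; Apps; Risk Management; TSSCI
Publication date: 202312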

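Chinese abstract

In recent years, rapidly changing technologies have brought major changes to every industry. Financial innovation services have had an impact through digitalization and changing business models: all kinds of financial transactions can now be completed in a mobile APP, but risks exist at the same time. The purpose of this study is to examine the risks faced by financial-industry APPs, in order to help management teams build control mechanisms that reduce those risks. The study uses the Cybersecurity Framework (CSF) published by NIST as its core design framework, compiles the risk items for financial-industry APPs and maps them to the control items under each dimension, and ranks the importance of the APP risks using the results of a questionnaire completed by industry experts. The study finds that the items all experts jointly rated as most important are "sensitive data protection" and "sensitive data transmitted without encryption", a result that shows the importance of protecting confidential data. The study identifies 51 risks and threats faced by financial-industry APPs, so that potential and commonly occurring risks can be understood when an APP is developed, and derives a ranking of risk-item importance from the analysis of the expert questionnaire. This allows the financial industry to plan its risk response processes properly when developing APPs, strengthen its information security mechanisms and effectively reduce the occurrence of security incidents, and it serves as a reference for implementing information security inspection mechanisms and internal controls.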

English abstract

In recent years, the rapid changes in various technologies have led to breakthrough growth in the development of information in various industries. Mobile APPs have a strong impact on business digitalization and on changes in the business model. Various banking transactions can be completed in mobile APPs, but this also comes with risks. The purpose of this research is to discuss the risks faced by financial APPs, which can assist the management team in constructing a control mechanism to reduce related risks. The paper uses the Cybersecurity Framework (CSF) released by NIST as the control element of the design structure and summarizes a list of financial APP risk items. Each risk item corresponds to the control and management mechanism under each aspect. Subsequently, the importance of the risk items is ranked through expert questionnaires. This study shows that all experts consider "sensitive data protection" and "unencrypted transmission during transmission of sensitive data" to be the two most important risk items. This result shows the importance of confidential data protection. This research suggests that there are 51 relevant risks and threats faced by financial APPs. Banks can understand the potential and commonly occurring risks when developing APPs by obtaining the ranking of the importance of risk items from the analysis of the expert questionnaire. This enables banks to properly plan the response process to risks when developing APPs, strengthen the information security mechanism and effectively reduce the occurrence of information security incidents. The results can serve as a reference for the implementation of the information security inspection mechanism and internal control.
