Cyber Policy Implications on the Financial Service Industry

Advisor

Semester

Spring 2015

The financial services sector (FSS) is a constant target for malicious actors looking to exploit its cyber vulnerabilities. Individuals—specifically employees and customers—are the largest attack surface facing FSS firms. Companies can elevate literacy and drive good hygiene to reduce risks posed by employee and customer behavior. The policy proposals recommended in this capstone project aim to mitigate vulnerabilities by incentivizing individuals to understand and exercise security best practices. Effective incentives can change cyber behavior by appealing to an individual’s self-interest and ensuring that interest aligns with a firm’s cybersecurity.

The capstone project outlined rewards- and privilege-based approaches intended to motivate employees and customers to improve their cyberhygiene through heightened cyberliteracy. The rewards-based approach evaluates employees’ and customers’ conduct on an ongoing basis and rewards them for completing cyberliteracy training and for practicing sustained good cyberhygiene. In the privilege-based approach, employees gain flexibility to utilize additional devices, applications or online resources as a reward for completing cybersecurity training and practicing good cyberhygiene.

A framework is proposed to measure where an individual is placed in the privilege-based approach and the incentives received in the rewards-based approach. To measure an individual’s cyberhygiene, the framework leverages a cyberhygiene effectiveness (CHE) score. Modeled after the FICO score measuring individual creditworthiness, the CHE score measures an individual’s relative cyberhygiene and risk profile. Finally, the paper identified areas for further research, testing, and application of the proposals and framework.