The WFE has published a set of best practice guidelines for market infrastructures designed to engender a staff culture of cyber security compliance.
The paper takes a behavioural approach to the issue, as evidence shows that moving away from classroom-based refresher sessions and thinking more creatively about how to get staff to consider cyber defences in everything they do is more effective in creating long-term cyber compliance. Applying behavioural insights and ‘nudge theory’ - brought to prominence by Nobel Economics laureate Dr Richard Thaler with Cass Sunstein - can be useful to change staff security behaviour. Applying small ‘nudges’, or offering incentives regularly to staff, leads to greater discussion and awareness of cyber threats which may result in better cultural outcomes.
The best practice guidelines for WFE members to consider when creating a cyber compliance framework include:
1. Behavioural incentives
These include focusing on cyber security in the home environment; bringing hackers into the workplace to demonstrate to staff how easily devices can be compromised; linking compensation to compliance; rewards programmes; awareness campaigns; and the use of ‘gamification’ - making desired security behaviours fun or competitive.
2. Cultural incentives
These incentives start with creating a culture of personal responsibility and common sense, relating cyber awareness to personal life, family and home. Other incentives include making cyber security awareness and compliance a Key Performance Indicator (KPI); using language that is simple, jargon-free, creative and graphical; and finally, story-telling, using analogies and anecdotes to explain complicated concepts.
3. Operational support
i. Training: Ensure training is regular and accessible, particularly for new joiners; always train technical staff on cyber awareness (often the first group targeted in cyber-attacks); and implement a strong password/locked computer screen policy, to create a sense of personal ownership.
ii. Transparency: Security policies, disaster recovery and post-breach communications plans should be clear and shared with employees; provide a list of approved and restricted websites, services, software and applications.
iii. Technology: Develop ‘bring your own device’ guidelines; and deploy software tools that launch test phishing emails.
These principles were compiled by the WFE’s dedicated cyber security group (GLEX) of more than 30 information security professionals within global exchange and CCP groups, drawing upon their collective experience of what works, and what has proven to be less effective in approaching staff training and behaviour around cyber security.