July 6, 2018 By Joan Goodchild

Does your security awareness training program consider the age of the trainees? As more millennials join the workforce, they are approaching security and privacy differently than their older colleagues. This generation grew up with technology and has a contrasting view of what is acceptable to share and risk.

This disconnect can be challenging for employers when it comes to ensuring younger employees adhere to corporate security and privacy policies.

“Millennials are digitally native — they have always known cell phones and the internet in their lives,” said Ted Harrington, a security consultant with Independent Security Evaluators. “Because their ease of use of technology is strong, trust is high among millennials.”

Are Baby Boomers More Secure Than Millennials?

IBM Security’s January 2018 Future of Identity Study found that only 42 percent of millennials use complex passwords combining random capitalizations, numbers and symbols — but this figure increased to 49 percent for people over age 55. Millennials (41 percent) are also much more likely to use the same password across multiple sites or applications compared with people over age 55 (31 percent).

The IBM Security study also revealed that millennials value convenience over security at a much higher rate than baby boomers. Nearly half (47 percent) of those under age 24 said they’d use a less secure method of authentication to save just a few seconds of time. Compare this to just 16 percent of respondents over age 55 who would do the same.

A 2017 survey from financial services company First Data on generational attitudes about security backs up the notion that millennials are slightly less security-focused than their older colleagues.

The First Data survey revealed:

  • Seventy-two percent of baby boomers said they rarely store enterprise data on their personal devices, compared to 69 percent of millennials.
  • Eighty-six percent of baby boomers rarely download free software to their work devices without consulting IT, compared to 75 percent of millennials.
  • Thirty-four percent of baby boomers said they always consider whether their online actions pose a risk to the enterprise, compared to only 21 percent of millennials.
  • Eighty-two percent of millennials reuse passwords on websites and apps, and 42 percent will only change their passwords when forced to do so. But 70 percent of baby boomers reuse passwords on websites and apps, and 32 percent change their password only when prompted.

Boomers Still Have Security Challenges

While these two data sets show that baby boomers have some bragging rights over millennials when it comes to security awareness, that doesn’t mean their behavior is free of risk. According to Harrington, boomers are more susceptible to other kinds of attacks.

“Each of those two groups would be targeted in different ways because of their relationship with technology,” Harrington said.

So, how can companies tailor their security awareness training based on these generational attitudes?

Harrington explained that while awareness programs should be largely age-agnostic, there are some generational distinctions for security managers to consider when trying to reach employees of different age groups.


Addressing Generational Awareness Gaps

Because they were raised around technology and the internet, Harrington noted that millennials are more likely to trust online services and applications, such as electronic signatures and cloud storage, to securely house their data.

“Millennials have a lower inhibition interacting with web forms,” Harrington said.

According to Forbes, millennials are more “aware of the most significant vulnerabilities a company is likely to face and will trust experts in other fields to handle that security.” That means awareness training aimed at millennials should be designed with online and digital mediums in mind.

Boomers, by contrast, sometimes need a different touch when it comes to awareness training due to their relative lack of familiarity with technology.

“Boomers are more skeptical online,” Harrington said. “They’re more hesitant to overshare information with systems, and that is a good thing.”

Despite their hesitation, boomers may be more vulnerable to older cons like phone scams. According to Harrington, senior users might be more prone to the age-old help desk ruse because they are more comfortable sharing information over the phone.

“If they were to receive a phone call, they may be more readily susceptible to a social engineering attack,” Harrington said.

Security Awareness Is Not One-Size-Fits-All

It’s important to remember that not every baby boomer or millennial fits these molds. People are individuals — and their age is only one factor influencing their attitudes about security.

No matter the age of the trainee, the goal of security awareness training should be to increase users’ level of maturity when it comes to online hygiene. This includes a thorough understanding of the company’s assets; the adversaries and their motives; and the attack surface.
