July 6, 2018 By Joan Goodchild

Does your security awareness training program consider the age of the trainees? As more millennials join the workforce, they are approaching security and privacy differently than their older colleagues. This generation grew up with technology and has a contrasting view of what is acceptable to share and risk.

This disconnect can be challenging for employers when it comes to ensuring younger employees adhere to corporate security and privacy policies.

“Millennials are digitally native — they have always known cell phones and the internet in their lives,” said Ted Harrington, a security consultant with Independent Security Evaluators. “Because their ease of use of technology is strong, trust is high among millennials.”

Are Baby Boomers More Secure Than Millennials?

IBM Security’s January 2018 Future of Identity Study found that only 42 percent of millennials use complex passwords combining random capitalizations, numbers and symbols — but this figure increased to 49 percent for people over age 55. Millennials (41 percent) are also much more likely to use the same password across multiple sites or applications compared with people over age 55 (31 percent).

The IBM Security study also revealed that millennials value convenience over security at a much higher rate than baby boomers. Nearly half (47 percent) of those under age 24 said they’d use a less secure method of authentication to save just a few seconds of time. Compare this to just 16 percent of respondents over age 55 who would do the same.

A 2017 survey from financial services company First Data on generational attitudes about security backs up the notion that millennials are slightly less security-focused than their older colleagues.

The First Data survey revealed:

  • Seventy-two percent of baby boomers said they rarely store enterprise data on their personal devices, compared to 69 percent of millennials.
  • Eighty-six percent of baby boomers rarely download free software to their work devices without consulting IT, compared to 75 percent of millennials.
  • Thirty-four percent of baby boomers said they always consider whether their online actions pose a risk to the enterprise, compared to only 21 percent of millennials.
  • Eighty-two percent of millennials reuse passwords on websites and apps, and 42 percent will only change their passwords when forced to do so. But 70 percent of baby boomers reuse passwords on websites and apps, and 32 percent change their password only when prompted.

Boomers Still Have Security Challenges

While these two data sets show that baby boomers have some bragging rights over millennials when it comes to security awareness, that doesn’t mean their behavior is free of risk. According to Harrington, boomers are more susceptible to other kinds of attacks.

“Each of those two groups would be targeted in different ways because of their relationship with technology,” Harrington said.

So, how can companies tailor their security awareness training based on these generational attitudes?

Harrington explained that while awareness programs should be largely age-agnostic, there are some generational distinctions for security managers to consider when trying to reach employees of different age groups.

Addressing Generational Awareness Gaps

Because they were raised around technology and the internet, Harrington noted that millennials are more likely to trust online services and applications, such as electronic signatures and cloud storage, to securely house their data.

“Millennials have a lower inhibition interacting with web forms,” Harrington said.

According to Forbes, millennials are more “aware of the most significant vulnerabilities a company is likely to face and will trust experts in other fields to handle that security.” That means awareness training aimed at millennials should be designed with online and digital mediums in mind.

Boomers, by contrast, sometimes need a different touch when it comes to awareness training due to their relative lack of familiarity with technology.

“Boomers are more skeptical online,” Harrington said. “They’re more hesitant to overshare information with systems, and that is a good thing.”

Despite their hesitation, boomers may be more vulnerable to older cons like phone scams. According to Harrington, senior users might be more prone to the age-old help desk ruse because they are more comfortable sharing information over the phone.

“If they were to receive a phone call, they may be more readily susceptible to a social engineering attack,” Harrington said.

Security Awareness Is Not One-Size-Fits-All

It’s important to remember that not every baby boomer or millennial fits these molds. People are individuals — and their age is only one factor influencing their attitudes about security.

No matter the age of the trainee, the goal of security awareness training should be to increase users’ level of maturity when it comes to online hygiene. This includes a thorough understanding of the company’s assets; the adversaries and their motives; and the attack surface.
