Does your security awareness training program consider the age of the trainees? As more millennials join the workforce, they are approaching security and privacy differently than their older colleagues. This generation grew up with technology and has a contrasting view of what is acceptable to share and risk.

This disconnect can be challenging for employers when it comes to ensuring younger employees adhere to corporate security and privacy policies.

“Millennials are digitally native — they have always known cell phones and the internet in their lives,” said Ted Harrington, a security consultant with Independent Security Evaluators. “Because their ease of use of technology is strong, trust is high among millennials.”

Are Baby Boomers More Secure Than Millennials?

IBM Security’s January 2018 Future of Identity Study found that only 42 percent of millennials use complex passwords combining random capitalizations, numbers and symbols — but this figure increased to 49 percent for people over age 55. Millennials (41 percent) are also much more likely to use the same password across multiple sites or applications compared with people over age 55 (31 percent).

The IBM Security study also revealed that millennials value convenience over security at a much higher rate than baby boomers. Nearly half (47 percent) of those under age 24 said they’d use a less secure method of authentication to save just a few seconds of time. Compare this to just 16 percent of respondents over age 55 who would do the same.

A 2017 survey from financial services company First Data on generational attitudes about security backs up the notion that millennials are slightly less security-focused than their older colleagues.

The First Data survey revealed:

  • Seventy-two percent of baby boomers said they rarely store enterprise data on their personal devices, compared to 69 percent of millennials.
  • Eighty-six percent of baby boomers rarely download free software to their work devices without consulting IT, compared to 75 percent of millennials.
  • Thirty-four percent of baby boomers said they always consider whether their online actions pose a risk to the enterprise, compared to only 21 percent of millennials.
  • Eighty-two percent of millennials reuse passwords on websites and apps, and 42 percent will only change their passwords when forced to do so. But 70 percent of baby boomers reuse passwords on websites and apps, and 32 percent change their password only when prompted.

Boomers Still Have Security Challenges

While these two data sets show that baby boomers have some bragging rights over millennials when it comes to security awareness, that doesn’t mean their behavior is free of risk. According to Harrington, boomers are more susceptible to other kinds of attacks.

“Each of those two groups would be targeted in different ways because of their relationship with technology,” Harrington said.

So, how can companies tailor their security awareness training based on these generational attitudes?

Harrington explained that while awareness programs should be largely age-agnostic, there are some generational distinctions for security managers to consider when trying to reach employees of different age groups.

Addressing Generational Awareness Gaps

Because they were raised around technology and the internet, Harrington noted that millennials are more likely to trust online services and applications, such as electronic signatures and cloud storage, to securely house their data.

“Millennials have a lower inhibition interacting with web forms,” Harrington said.

According to Forbes, millennials are more “aware of the most significant vulnerabilities a company is likely to face and will trust experts in other fields to handle that security.” That means awareness training for millennials should be designed with online and digital mediums in mind.

Boomers, by contrast, sometimes need a different touch when it comes to awareness training due to their relative lack of familiarity with technology.

“Boomers are more skeptical online,” Harrington said. “They’re more hesitant to overshare information with systems, and that is a good thing.”

Despite their hesitation, boomers may be more vulnerable to older cons like phone scams. According to Harrington, senior users might be more prone to the age-old help desk ruse because they are more comfortable sharing information over the phone.

“If they were to receive a phone call, they may be more readily susceptible to a social engineering attack,” Harrington said.

Security Awareness Is Not One-Size-Fits-All

It’s important to remember that not every baby boomer or millennial fits these molds. People are individuals — and their age is only one factor influencing their attitudes about security.

No matter the age of the trainee, the goal of security awareness training should be to increase users’ level of maturity when it comes to online hygiene. This includes a thorough understanding of the company’s assets; the adversaries and their motives; and the attack surface.
