Managing differing attitudes about security

More research finds younger employees engage in riskier behavior. But where do security leaders start in attempting to bring awareness to this among their workforce?

Last month, I wrote in this blog about research that finds younger generation workers tend to engage in less secure behavior with technology than their older peers.

A Web survey of 1,245 people conducted by ZoneAlarm on the topic of personal computer security found only 31 percent of those aged 18-25 ranked security as the most important consideration when making decisions about their computers. That compared to 58 percent of Baby Boomers (those over age 45).

Another poll, this time conducted by Harris Interactive on behalf of security-products vendor ESET, seems to back that up. The poll of 2,129 U.S. adults aged 18 and over asked if the following statement applied to them:

“When creating any personal password (e.g., online accounts, computer networks, device access codes), I use a combination of numbers, letters and symbols.”

The percentage of respondents who said “yes” was 84 percent. However, the 18-34 age group got the lowest score on this question (77 percent) while the highest scoring demographic was the 55+ age group (89 percent).

From ESET Security Evangelist Stephen Cobb’s blog entry on the poll:

Perhaps the most worrying finding was that fewer students created complex passwords (77 percent) compared with individuals whose work status was full-time/self-employed/retired (each of those groups who scored 86 percent). It is not clear whether this represents an easy-going attitude, a lack of awareness of online threats, or simply “password fatigue” (defined as “tired of having to remember all those different and difficult passwords”).

This pattern of younger people and students exhibiting riskier behavior with respect to online security was underlined by the responses to this statement:

“I use the same password for several of my personal online accounts.”

Some 46 percent of respondents admitted to using the same password for multiple accounts, with the group most likely to do this being those age 18-34 (49 percent). The least likely folks to do this were those 55 or older (43 percent). The largest groups of individuals to use the same password were females 18-34 (56 percent), with females 55+ being the least likely (35 percent).

While it’s clear from this poll, and many others, that security attitudes differ depending on age, the bigger question is: how do security leaders manage that issue?

One place to start could be to conduct awareness testing and training to find out where the true vulnerabilities lie among staff, and address them accordingly.

Lance Spitzner, of the SANS Institute’s Securing the Human program, recently spoke with CSO about the program’s free metric tools designed to give security leaders the ability to track and measure the impact of their own security awareness programs.

According to Spitzner, training director for the program, the tools can be used to improve training, demonstrate return on investment, or compare an organization’s human risk to that of other organizations in an industry. All resources are free, developed by the community for the community, said Spitzner.

Does your organization have a glaring weak point within certain age groups? How do you know the answer? Leave a comment or email me at with your thoughts.
