10/26/2013
10:01 PM

Tech Insight: Enterprise Security's Overlooked Factor -- The End User's Age

Depending on their age, end users' attitudes toward security may differ significantly. Here's how

[Todd Fitzgerald is the global director of information security for Grant Thornton International Ltd. His content is contributed through the auspices of the (ISC)2 Executive Writers Bureau.]

When it comes to security policy, most enterprises treat all users the same way. But perhaps this is a mistake. When you take a closer look at the age of your end users -- their "generational identities" -- you may find that users of different generations have very different attitudes and practices with regard to online privacy and security.

Currently, there are four clear-cut generations of end users in the workforce: Traditionalists, Baby Boomers, Generation X, and Gen Y, sometimes called Millennials. A fifth generation -- let's call them Gen Z for now -- is about to enter. Let's look at the profile of each generation of user and discuss how the history and background of each one might shape the group's attitude toward online security. Interestingly, studies have shown that the events that were occurring during the teen years of each generation have the most influence on its attitudes and expectations.

Traditionalists (born 1925 to 1945) are shaped, in part, by the early days of the Cold War, the growth of the suburbs, and rapid economic growth following WWII. This generation generally respects authority, having worked to build many of the hierarchical organizational structures in place today. This is a hard-working generation that tends to obey the rules and behave in a way that is more reserved and cautious.

Baby Boomers (born 1946 to 1964) experienced the assassinations of major political figures, an unpopular Vietnam War televised nightly, and major movements such as civil rights and women's liberation. It is a generation defined by change. Many Boomers are competitive and define themselves by their work. Other generations may view them as workaholics without work/life balance.

Generation X (born 1965 to 1979) grew up with a rising divorce rate, more women entering the workforce, more blended families, and greater autonomy at home. As teenagers, Gen X also witnessed the layoffs of Boomers and Traditionalists due to economic shifts and changes in business practices. As a result, this generation tends to be more skeptical and distrustful about organizations and more focused on independent thinking and skills. Gen X tends to be more adaptable, flexible, and resilient.

Generation Y (born 1980 to 2000) spent its impressionable teenage years watching terrorism, such as the World Trade Center bombing, 9/11, and the Oklahoma City bombing. Many Gen Y members were raised in a pro-child culture that favored "self esteem" and rewarded all children equally. Raised primarily by Boomer parents, many members of Gen Y have been taught to question authority and that they could do anything they set their minds to. Perhaps the largest generation currently in the workforce, Gen Y is also the first generation to grow up on technology, including instant messaging, texting, smartphones, and social media. Gen Y tends to be technically savvy, collaborative, adept at multitasking, and always connected. Gen Y also tends to be confident and optimistic, and may often take risks to get a job done.

Generation Z (born 2001 to 2013) isn't in the workforce yet, but its attitudes are being shaped as we speak. Time will tell if the impact of political gridlock, difficult recessionary times, and ubiquitous technology will create an entirely new generation of attitudes toward information security.

In our organizations today, we have a tendency to use a one-size-fits-all approach toward security, but the attitudes of the users who must comply with those policies may be very different. What may seem to be a logical security policy for one generation may be met with resistance by another, depending on its unique world view. Your policies and strategies toward enforcing security may have to be tweaked to address these differences. Here are some examples:

1. Information Security Policy. Where Traditionalists generally respect authority, Boomers tend to challenge directives unless they are logical. Gen Xers and Millennials will question the authority of the security policy, particularly if that policy makes it harder for them to do their jobs.

2. Security Awareness Training. Traditionalists tend to learn by rote memorization and extensive study. Boomers learn by classroom lectures, books, and PowerPoints. Gen X learns best through play/games, role playing, e-learning, and videos. Millennials learn through social media, blogs, podcasts, video, mobile technology, and collaboration with others. A dry, 45-minute PowerPoint presentation describing the enterprise's security policy may satisfy a compliance auditor, but it may not actually teach some of your users to comply.

3. Logon IDs and Passwords. With almost as many smartphones as people on the planet, the idea of using such a device for two-factor, near-field authentication may now become a valid alternative to the password. Which generation will drive this integration? Most likely the Millennials, who have a greater need for flexibility and to save time for other activities.

4. Secure File Transfer/Sharing. Boomers are more likely to stay at the office and work on their deliverables or use the company-issued laptop at home. Gen X is adaptable and resilient, and would not hesitate to transfer files to a USB drive or cloud storage solution and then to the home computer. Millennials may transfer work files to the latest technology they just purchased -- or access that data via their smartphones or tablets at 3 a.m.

5. Social Media. Traditionalists and Boomers are the predominant users of LinkedIn -- they are proud of their histories and have a tendency to reveal more than they should. Gen X and Gen Y users tend to use Facebook, and Gen Y tends to post frequent updates, illustrating a significantly lower regard for privacy. Collaborative Millennials may inadvertently share company information while asking a friend about a project.

6. Bring Your Own Device (BYOD). All generations appear to want the flexibility of having the newest equipment and carrying one phone, but the Millennials are the primary driver behind this trend. Millennials come from a consumer-driven economy and believe that the employer should provide these devices for them -- or they will bring their own. For Gen Y, there is a "cool factor" behind having the latest devices and the most current applications.

7. Cloud Applications. Boomers are adapting to cloud models as a way to reduce costs. Gen X may worry that moving all applications to the cloud will also move the work offshore. Millennials appreciate the flexibility of being able to access their work from anywhere via the cloud. Millennials are likely to "just try it" and put data in the cloud, even if there is no policy. Boomers often want some assurance as to where the data is and whether it can be recovered if lost.

8. Security As a Career. Millennials who are working in information security today may not stay there indefinitely. Millennials embrace multiple career paths and may hold more than one job at the same time. To retain these individuals, enterprises must provide a work environment that is challenging, provides meaning and frequent feedback, and is socially responsible.

With each generation, technology opportunities increase and new uses are created. This article outlines some tendencies, but we must be careful not to pigeonhole or stereotype users based on the generation in which they were born. A Boomer might be quite technically savvy and behave like a Gen Xer in the field. A Millennial may adopt the values of a Boomer and use the Web primarily to Google information, rather than for socializing with others.

It's worth considering whether your security policies, training programs, and other security initiatives are well-tuned for the users they are intended for. Consider generational and attitude factors when developing your programs, and do the best you can to match your priorities and capabilities with those who are most likely to use them.

Comments
Martine,
User Rank: Apprentice
10/31/2013 | 4:21:57 PM
re: Tech Insight: Enterprise Security's Overlooked Factor -- The End User's Age
I think you missed an important trait for Generation Y: a sense of entitlement. We baby boomers, unfortunately, raised our kids to have a high level of expectation from others, coupled with a low level of expectation from themselves. We did for them what they should've been doing for themselves, and bred children who are boundaryless. Thus Generation Y tends to interpret concepts such as "data ownership" and "responsibility" quite loosely.