CISO Guide: How to consider age in creating a stronger cyber security culture

In order to build an effective cybersecurity culture, a mix of technical and human aspects need to be considered. One aspect that’s not always taken under consideration is employee age.

Most organisations are staffed by employees drawn from many different demographics and age groups. With a third of senior citizens now planning to continue working past retirement age, we can look forward to greater participation from older citizens in the workplace.

On the part of cybersecurity teams everywhere, and those responsible for communicating safe online practices to their colleagues, this calls for a more inclusive and understanding approach in distributing cybersecurity training and data policies.

Younger and older workers have their strengths and weaknesses when it comes to learning and adapting to change and this contributes to how successful employees will be at taking on board new cybersecurity processes.

Well planned cybersecurity strategies should therefore take this into account when deciding on how best to roll out effective cybersecurity training to both younger and older generations.

This is a key factor to the overall success of your cybersecurity awareness campaign.

Understand and recognise that different age groups may learn differently

One human performance variable that can be impacted by age is the speed at which we learn. Research confirms that we find it harder to digest new information as we get older but the learning age dynamic cuts both ways. Older workers naturally have more experience to draw upon than their younger peers as they’ve been in employment for longer. This type of intelligence, the type that’s won over a lifetime of experience, is known as “crystalised intelligence.” This can be very useful when it comes to adapting to change in work processes.

Cybersecurity is a constantly changing field and hackers are continuously devising new methods to penetrate secure systems. This is why continuously training your staff, preferably with expert input, is essential to keeping ahead of the cyber threat curve.

If you need to roll out staff training to keep employees educated on new threats it’s worth seeing whether you can find a way to discover employees’ level of understanding before you begin. Personality testing or questionnaires are some useful ways to obtain this information.

Some workers will appreciate the opportunity to get to grips with new information, others will be transparent about the fact that they prefer not to be overwhelmed with unfamiliar technical processes. Forcing your employees’ hand isn’t a constructive strategy either. If you can find a way to understand your staff members’ level of learning comfort level, you can deliver training in a way that suits everyone. Depending on the outcome from your internal research, you could decide to put employees into different learning groups which deliver the new information at different paces or in different styles.

Those who love learning and want to really understand the threat landscape facing the business can be offered further training too and those just looking to engage with the information they need to know can do precisely that.

Cybersecurity scepticism and how to deal with it

One quality that tends to vary with age is an individuals’ level of scepticism towards new technology and information in relation to online security.

It’s not necessarily the case that older individuals are more sceptical. Research from Gallup/Knight Foundation found that it’s young people who are more distrusting of information from new or traditional media sources. However, a healthy level of scepticism is beneficial as it provides a key defence against social engineering exploits, including phishing attacks.

If you’re in the process of formulating a cybersecurity policy or thinking of employing the services of a cybersecurity training organisation, then we recommend understanding your staff members’ level of scepticism at a surveying stage which can help to form the aims of the overall campaign.

Questionnaires can be used to assess this with questions like:

• How suspicious are you generally of emails from unknown senders?
• What kind of emails do you tend to automatically trust?
• What type of information are you most likely to automatically consider to be untrustworthy?

As before, it’s important to understand that employee age is only a prediction and not a guarantee. However some findings may show that:

• Younger staff members — digital natives — actually tend to be more trusting of online information and can therefore be more risky from a security perspective.
• Older staff members may have a strong trust towards institutions thought of as traditional. These individuals, for instance, may turn out to be particularly vulnerable to phishing scams that mimic respectable organisations.

Understanding where these biases lie can be hugely valuable in making sure that your ‘human firewall’ is as secure as possible.

Understand that younger employees can be can be more cavalier to cybersecurity risks

Cybersecurity teams responsible for protecting their organisations’ data security can sometimes be described as a frustrating battle, spent trying to convince employees that they should care, while trying to not overload them with constant, new information.

These three points can be communicated to help increase employee buy-in to the cybersecurity training that’s been implemented:

• Understanding that cybersecurity practices will usually induce some level of inconvenience but that’s almost always necessary to employ proper system security processes.
• Employees commonly rebel against two factor authentication but it’s one of the strongest cyber defences for any business.
• Helping them understand that cyber crime is a widespread phenomenon which can target any one at any time and people must be vigilant against it.
• That cybersecurity training will only enhance their workplace skills.

Ultimately, employees need to understand that cybersecurity is a shared responsibility which they have a stake in too. Nobody wants to risk their employment through being accountable for a major breach by their own negligence and employees generally don’t want to see their employers suffer adverse consequences.

Here again, we see that age is far from a negative aspect. In fact, the added experience and scepticism of older employees can be positively advantageous. Those looking to this fact could tailor training to include an assessment of the level of competency with cybersecurity risks. Although those who affirm that it’s an inevitable part of life online may be accurate but that assuredness may also lead to complacency that could put the organisation at risk.

Should you factor age into your cybersecurity strategy?

Employee age is just one of the variables that determines how resilient an organisation’s staff may be to cybersecurity threats from a human standpoint. Age is far from a guarantee and as we can see, thinking older employees have more risk and need more training is inaccurate.

Our key recommendations:

• Realise that learning ability can decline with age but understand that it’s not a rule. When devising cybersecurity training programs try to understand what employees’ comfort level with learning is.
• Consider stratifying your training according to the needs to your demographic. Older employees may prefer a different style of learning to younger employees. Older employees may be particularly vulnerable to social engineering exploits that seek to build trust from traditional institutions. On the other hand, digital millennials may be overly trusting of companies that align with their own personal interests. Therefore, try to make sure your training covers appropriate thought processes.
• Ensure that whatever policies you’re implementing are friendly to the learning abilities and sensitivities of everybody in your company. Be appreciative of different generations’ cultural frames of mind.
• When communicating information, try wherever possible to be generation neutral.

To create an internal cybersecurity training and communications programme, work with us by clicking here or calling 01234 708 456 to discuss your requirements.