In order to build an effective cybersecurity culture, a mix of technical and human aspects needs to be considered. One aspect that’s not always taken into consideration is employee age.
Most organisations are staffed by employees drawn from many different demographics and age groups. With a third of senior citizens now planning to continue working past retirement age, we can look forward to greater participation from older citizens in the workplace.
For cybersecurity teams everywhere, and those responsible for communicating safe online practices to their colleagues, this calls for a more inclusive and understanding approach to distributing cybersecurity training and data policies.
Younger and older workers have their strengths and weaknesses when it comes to learning and adapting to change, and this contributes to how successful employees will be at taking on board new cybersecurity processes.
Well planned cybersecurity strategies should therefore take this into account when deciding on how best to roll out effective cybersecurity training to both younger and older generations.
This is a key factor to the overall success of your cybersecurity awareness campaign.
One human performance variable that can be impacted by age is the speed at which we learn. Research confirms that we find it harder to digest new information as we get older, but the learning-age dynamic cuts both ways. Older workers naturally have more experience to draw upon than their younger peers as they’ve been in employment for longer. This type of intelligence, the type that’s won over a lifetime of experience, is known as “crystallised intelligence.” This can be very useful when it comes to adapting to change in work processes.
Cybersecurity is a constantly changing field and hackers are continuously devising new methods to penetrate secure systems. This is why continuously training your staff, preferably with expert input, is essential to keeping ahead of the cyber threat curve.
If you need to roll out staff training to keep employees educated on new threats, it’s worth seeing whether you can find a way to discover employees’ level of understanding before you begin. Personality testing or questionnaires are some useful ways to obtain this information.
Some workers will appreciate the opportunity to get to grips with new information; others will be transparent about the fact that they prefer not to be overwhelmed with unfamiliar technical processes. Forcing your employees’ hand isn’t a constructive strategy either. If you can find a way to understand your staff members’ level of comfort with learning, you can deliver training in a way that suits everyone. Depending on the outcome from your internal research, you could decide to put employees into different learning groups which deliver the new information at different paces or in different styles.
Those who love learning and want to really understand the threat landscape facing the business can be offered further training too, and those just looking to engage with the information they need to know can do precisely that.
One quality that tends to vary with age is an individual’s level of scepticism towards new technology and information in relation to online security.
It’s not necessarily the case that older individuals are more sceptical. Research from Gallup/Knight Foundation found that it’s young people who are more distrusting of information from new or traditional media sources. However, a healthy level of scepticism is beneficial as it provides a key defence against social engineering exploits, including phishing attacks.
If you’re in the process of formulating a cybersecurity policy or thinking of employing the services of a cybersecurity training organisation, then we recommend understanding your staff members’ level of scepticism at the survey stage, which can help to form the aims of the overall campaign.
Questionnaires can be used to assess this with questions like:
As before, it’s important to understand that employee age is only a predictor and not a guarantee. However, some findings may show that:
Understanding where these biases lie can be hugely valuable in making sure that your ‘human firewall’ is as secure as possible.
The work of cybersecurity teams responsible for protecting their organisations’ data can sometimes be described as a frustrating battle, spent trying to convince employees that they should care while trying not to overload them with constant new information.
These three points can be communicated to help increase employee buy-in to the cybersecurity training that’s been implemented:
Ultimately, employees need to understand that cybersecurity is a shared responsibility which they have a stake in too. Nobody wants to risk their employment by being accountable for a major breach caused by their own negligence, and employees generally don’t want to see their employers suffer adverse consequences.
Here again, we see that age is far from a negative aspect. In fact, the added experience and scepticism of older employees can be positively advantageous. Those looking to make use of this fact could tailor training to include an assessment of the level of competency with cybersecurity risks. Those who affirm that it’s an inevitable part of life online may be accurate, but that assuredness may also lead to complacency that could put the organisation at risk.
Employee age is just one of the variables that determine how resilient an organisation’s staff may be to cybersecurity threats from a human standpoint. Age is far from a guarantee and, as we can see, thinking that older employees carry more risk and need more training is inaccurate.
Our key recommendations:
© The Security Company (International) Limited 2023