Answers

 

Robert B

Director, Information Security at WesCorp

Has anyone else been exploring the aspect of risk and security from the standpoint of a multi-generational workforce?

We have been internally pursuing multi-generational workforce issues from a communication and leadership standpoint, but recently I have also been investigating how it impacts risk management and security. MS and Symantec issued a recent study on this as follows:

http://www.baselinemag.com/c/a/Security/Beware-a-Generation-of-Risk-Takers/

If you are also thinking along these lines, please chime in with thoughts on the topic. Each generation looks at computing, risks, and security through a different lens based on personal experiences.

posted 6 months ago in Information Security | Closed

Answers (10)

 

Lin W

Director- Southwest Risk Advisors

I have been seeking a mix of generations for our new business. My thought is to let the different forms of thinkers "cross-pollinate" as it were to share wisdom with the desire to take risk. Seeking balance is always the goal. I do not have enough information to give good solid answers yet but we will see how our GenX employees interact with our older Boomer consultants.

In a firm that will work in the Risk Management field it will be an interesting experiment.

Thanks for the article link

posted 6 months ago

 

Dan M

Senior Credit Analyst at Earle M Jorgensen

I would say that I'm the only member of the post 1980 category that the IT department at my company concerns themselves with. I have a unique perspective in that prior to working in the credit department, I worked in the infrastructure department. As a result, I not only grew up knowing where I could find "rogue apps" that were safe, and useful for use, but also fought to make them acceptable solutions. It actually took a surprising amount of convincing to get bean counters to agree to use a free solution instead of one they had to pay for. So I lend credence to all the concerns the infrastructure arm of the IT department has that were cited in the article.
As far as my company's solution to the problem, a strict security policy was issued. Basically the edicts were set by people who have been around the block, and only trust in-house solutions, IBM, and Microsoft. No one is allowed to download an exe or zip from the web unless they are part of the infrastructure department. We use Websense to block and track web usage. Occasionally checking the news or a personal email isn't seen as a big deal. When it gets to be habitual, then disciplinary action becomes necessary. Despite my past in infrastructure, the fact that I no longer occupy a position (my infrastructure experience was at a different company) in IT strips any privilege I may have experienced prior to the policy going in place. I find it a hindrance to my work. I feel like I could be much more effective if I didn't have to wait for another department to research, download, and install something I already knew was safe. But, that's the same scenario as a subordinate who's annoyed that they have to run big decisions by their boss. Annoying as a subordinate, useful as a boss. After all, if I download an app that destroys an important server, the first question is why didn't IT prevent me from doing so.

posted 6 months ago

 

Nicholas S

Commercial Executive & Security Integrator (United Technologies Corporation / UTC Fire & Security)

Sure; I think a lot of people consider this, both in IT security and physical security circles. Different generations are more typically associated with different behaviors. Workers under 35, for example, are much more prone to criminal activity - theft, workplace violence, and so on. They're also more prone to certain IT no-nos such as figuring out how to bypass IT security requirements just so that they can get to their Facebook account or gamble online during work. Older workers are more often associated with major corporate embezzlement, writing down passwords on sticky notes that go on their computer screen, and so on.

posted 6 months ago

 

Mike A

Owner, GraniteKey

We have been working on this issue as part of our threat modeling tool, especially in light of the entrance of the millennial generation into the workforce. Since the success of any secure implementation requires a cultural change far more than technology, it is critical to understand what motivates members of the workforce, and how to get them on board. This is very different when dealing with pre-millennials compared to millennials. Millennials are not as willing to, for example, accept a policy that forbids the use of cell phones, text messaging, or web-based messaging and social networking. Millennials grew up with this as an extension of their lives, and to take this away is quite disconcerting. Pre-millennials, on the other hand, may enjoy the convenience of such tools, but their identities are not as deeply rooted in them (if at all). Not understanding this before trying to implement any security changes in an organization can lead to a failure. What is even worse is the quiet rebellion that can happen right under the noses of upper level management as the FAR more computer literate younger generation finds ways to sneak in their toys. It then becomes a cat and mouse game. This may be something any organization is prepared to deal with when the hostile entities are outside of the organization, but trying to fight it inside the organization is a losing battle.

posted 6 months ago

 

Tom F

Editorial Director at BankInfoSecurity.com

Robert:

Now, that's really interesting ...

I've been talking to executives for a couple of years now about the different habits of senior/junior employees -- specifically the influx of consumer technologies in the workplace. Corporate IT standards are out the window at a lot of companies, as personal laptops, thumb drives, PDAs, etc. take over.

No question, the younger generation is a lot more tech-savvy, and they're apt to take more risks w/technology. But I think they're also more security-savvy, too. I'm impressed with the identity theft awareness I see, for instance, from younger employees. They know way more than their older counterparts. That encourages me that maybe the security message is taking root with the younger generation, and that should only help you do your job even better.

best,

Tom

posted 6 months ago

 

Brian M

Project Manager, Business Analyst, & Network Security Consultant

If one would dare stereotype any generation I think on average you find three groups out there that fall into age related security groups. I have worked with large non-profit service centers that have older volunteers, middle-aged and younger employees, and tons of college and high school aged summer help.

So here is my take. PLEASE do not shoot me for generalizing. I know there are exceptions to every group; this is just what I have seen. Starting with the oldest workers:

1) Older folks can be a little scared of technology and afraid to make mistakes. Security breaches are typically caused by accident. These people can be targets of social engineering because they are more likely to accept “help” from someone else.

2) Middle aged folks tend to have a computer at home but see their computer at work as a necessary evil. They obey the rules somewhat begrudgingly and typically do not do anything to flout them. However, they are likely to have a Gmail or Yahoo account (bypassing the corporate email scanner) to talk to their kids at college or friends and even open videos or pictures sent to them outside the corporate email if “they” think it is safe.

Their children are pushing them into the fascinating world of technology. Many have found mp3 music on the internet or have loaded music on their hard drives. Now you have the issue of disk usage, infected files, and copyright issues.

3) And now the younger generation. Rules, what rules? I know what I am doing. Hey did you see this cool video on YouTube? Watch this ESPN clip from the game last night. I need iTunes so I can keep my iPod charged. Heck I won’t get caught I clean my cache every day so no one knows where I have been. Why can’t we have wireless everywhere in the office?

You need to have a published security policy and take that message to the work force. The IT security staff needs to meet with departments in a group setting and explain the reasons behind the rules. Younger people are much more likely to do things for a reason than for a rule.

Lunch and learns often work well for this. Have some examples of how User A downloaded an infected file and corrupted their system. How User B was caught sucking up the bandwidth (impacting payroll) yesterday when the network analyzer caught him viewing hockey videos. Tell them that network usage is monitored and prove it. Educate, train, warn, and then take action. Make sure the Human Resource Department is involved every step of the way.

posted 6 months ago

 

Remi O

IT Security & Compliance Specialist

Answer is quite simple and it has nothing to do with stereotyping and assumptions, and especially age.

Your environment is either secure or not, and it should not matter on the age of your user base. Your risk assessment is performed against industry accepted standards and they do not encompass the factors of age or even the level of knowledge the users have.

posted 6 months ago

 

Laszlo K

system engineer at Romtelecom

Very interesting answers, even Remi Onopa's answer, which looks too rigid to me. 'Industry accepted standards' may change in time...

I'm working in a corporate environment where this multi-generational workforce issue is highly visible and impacts information security on a daily basis.

I learned to be flexible when a twenty-something employee breaks a security policy rule. I explain why this behaviour is dangerous for the company and finally to himself. I even give him a solution to solve his problem without breaking the policy.

You may say this is not 'industry accepted standard' but I found out that is the only way that works. And it was not an easy process.

The fact that I have two teenagers at home helped me a lot also :-)

posted 6 months ago

 

Jonathan D

Senior Software Engineer with QA and Database Expertise

Short answer: Short-term risks are quantifiable, long-term risks are often not, and measuring risks without weighing benefits is only half the analysis.

Long answer: Be careful with what you assume to be safe. Traditional practices often aren't, as Federal department audits keep showing. Newer practices may contain shortcuts you can learn from and techniques for protection that are superior to those in the manual. Learn as much as is useful, as much as is beneficial from the younger generation, THEN plan out the next generation of policies. These should make use of mandatory access controls, firewalls, network intrusion detection systems, regular security audits of computers on the network, etc. What is enforced, though, should be the knowledge and skills of the youth, together with the wisdom and experience of the older employees. Learn, integrate, assimilate.

posted 6 months ago

 

Sean L

Regional Security Advisor

Short answer: different generations will have different approaches to solving problems and different perspectives on certain issues. The more input you get, the more comprehensive of a risk management organization you're going to have.

Don't be surprised if you have a team full of boomers and the Facebook-using crowd doesn't feel that they "get you". Similarly, don't be surprised if you have a team full of generation Y'ers and the boomers feel that they aren't understood. :)

posted 6 months ago