(ISC)2 Blog

My friend and colleague Stephen Cobb has shared some interesting survey data in a blog article indicating that the age group between 18 and 34 is less likely than older groups to use complex passwords or even to use different passwords according to the sensitivity of the context. Kevin Townsend had his own take on the article, and in fact we talked subsequently about his suggestions that:

1. More mature people have had more negative experiences in life which make them more cautious/security conscious 
2. People with more to lose will make more effort to protect what they've got.

I agree that more mature people have had more negative experiences in life, and while it may or may not directly equip them with the best conceptual tools for being safe(r) on the Internet, it's likely to make them less likely to take things at face value.

I often say that part of my job (or at least what I think of as my job) is to encourage people to be sceptical. When my job involved more direct engagement with end users in support and training contexts, I found that people who'd been around the block a time or two were generally more receptive to advice and likelier to act upon it.

Of course, that was in a work context, and you could argue that I might have been seen as representing authority, but in fact even people who normally considered me very much as a hewer of wood and drawer of water rather than as an authority to be reckoned with were likelier to seek and follow security advice than more general advice. To be honest, the higher individuals perceive themselves as being in the hierarchy, the likelier they are to complain about inconvenient restrictions, but that will be tempered by the fact that they're aware of their own responsibilities, in particular for ensuring the safety of their data (and, no doubt, their jobs).

Outside the workplace, it can be very different, though not necessarily for more mature people: this group may have been conditioned by life and work experience to behave somewhat similarly at home as in the workplace. If they've learned to be concerned about security and respect the advice of others, they're likely to carry over that behaviour to their home life. (Though that in itself might be problematical, as there is so much bad or mixed advice available.)

The young are, perhaps, more vulnerable because, as the generation that is most likely to have grown up with information technology, they tend to overestimate their own understanding of it. And indeed, older generations - using the term generation in a very imprecise sense - tend to make similar assumptions. However, familiarity with interfaces is a lot different to understanding the underlying technology. (I'm reminded of an old science fiction story where someone from the future discovered that unlike Twain's hero in the Court of King Arthur, he was unable to capitalize on his knowledge of what technology would be available in his own time because he didn't really understand the processes behind the interface.)

People with more experience of life are more likely to see how a technology can be misused without fully understanding the technology, by extrapolating from off-line experience. They may certainly have more to lose, but more to the point, will also value what they have more, because it's likely that they'll have put more of their own effort into acquiring it, rather than simply having been given it. They're also likelier to be more aware that they don't have a whole lifetime in which to make up their losses. There’s certainly plenty to indicate that they don’t see their personal data as particularly sensitive, and certainly don't necessarily think ahead to what their Facebook Timeline will look like to a prospective employer, let alone to posterity.

However, they're also more vulnerable in that they will see the online world of social media in which they spend so much of their time as 'their' world - the natural environment of switched-on youth - rather than the habitat of a whole range of human beings, including some very unpleasant people indeed.

What really interests me about these data is that they have very little to do with technical knowledge - most people don't have a deep understanding of computer science and IT security (let alone the elements of cryptography), or even the ergonomic and psychosocial aspects of the interaction between human and computer. As it happens, the behaviour patterns that drive people to make certain password/passphrase/PIN choices - especially the stereotypical choices that are so helpful to an attacker - are a topic I find particularly interesting. But then these data aren't so much about self-knowledge as received wisdom.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow