Thomas Skill, Ph.D, Associate Provost & Chief Information Officer, University of Dayton
How nervous should your cybersecurity team be when the Gen-Z population joins the workforce over the next few years? The University of Dayton’s Center of Cybersecurity & Data Intelligence did a small study in March 2018 that explored how the different generations encounter cybersecurity awareness and practices. A key group that we analyzed was Generation Z (Gen-Z). These are the kids now in high school that will soon be entering college and the broader workforce. This study measured self-reported behaviors and attitudes toward cybersecurity across four generations - from Baby Boomers & Gen X’ers to Millennials and Gen Z. Using both our research findings and data from other sources, we were able to craft descriptive profiles of the generational differences regarding cybersecurity and data privacy. While our results revealed many interesting findings across the different generations, we were most struck by the extent to which the Gen-Z respondents revealed a very disruptive set of expectations and new behaviors with respect to technology, privacy, and cybersecurity.
In terms of the Gen-Z engagement with technology and cybersecurity, this is a generation that views their technology as totally and almost exclusively mobile! Their personally-owned smartphone reflects its “always connected” lifestyle. They expect to use these devices for personal and work activities and they strongly believe that their personally-owned and self-managed device allows them to be substantially more productive than any technology provided by their school or employer.
The "BYOD" world-view of the Gen-Z population will likely be very disruptive to traditional cybersecurity models and practices.
A critical finding is that traditional “rules-based” security practices that use the typical lecture-based training are not only ineffective, but it is viewed very negatively by the Gen-Z population. They interpret these approaches as similar to the “parental lecture” and hate it! The more effective way to engage Gen-Z’ers in good cybersecurity behaviors is to ground appropriate actions in a “values-based approach.” For example, educational outreach on cybersecurity should emphasize values such as “shared responsibility in protecting our community” whereby users are activated to think and act in a “mindful manner” when responding to requests to share information online.
"The "BYOD" world-view of the Gen-Z population will likely be very disruptive to traditional cybersecurity models and practices"
As we explored the attitudes and behaviors of Millennials and Gen-Z, we applied our cyber-mindfulness model in terms of the three core elements—Awareness, Agency, and Action. The Agency role truly emerged as critical to good sustainable practices because it addresses the need for users to feel a sense of ownership for cybersecurity. Addressing this gap is a challenge with all generations. However, in building agency with Gen-Z, it is essential to drive that training around the concept of shared values and community engagement. With many of the other generations, pushing compliance with rules can be reasonably effective. Gen-Z does not accept rules very easily.
Finally, one of our interesting discoveries was the difference between Gen-Z high school students and Gen-Z college students. We found that 19-year-old college students have a much stronger sense of agency than 19-year-old high school students and they are much more concerned about the privacy of their information than 19-year-old high school students. Our interpretation of this result suggests that experience changes generational patterns. As students enter college, they are experiencing situations whereby concerns around privacy and shared responsibility (agency) are shifting attitudes. What this means is that Gen-Z high school students going into the workforce will be a substantially higher cybersecurity risk than those coming from college - even if they are the same age and of the same generation!