Password Practice With Age Comes Wisdom
My friend and colleague Stephen Cobb has shared some interesting survey
data in a
blog article indicating that the age group between 18 and 34 is less likely
than older groups to use complex passwords or even to use different passwords
according to the sensitivity of the context. Kevin Townsend had his
own take on the article, and in fact we talked subsequently about his
suggestions that:
I agree that more mature people have had more negative experiences in
life, and while it may or may not directly equip them with the best conceptual
tools for being safe(r) on the Internet, it’s likely to make them less likely
to take things at face value.
I often say that part of my job (or at least what
I think of as my job) is to encourage people to be sceptical. When my job
involved more direct engagement with end users in support and training
contexts, I found that people who’d been around the block a time or two were
generally more receptive to advice and likelier to act upon it.
Of course, that
was in a work context, and you could argue that I might have been seen as
representing authority, but in fact even people who normally considered me very
much as a hewer of wood and drawer of water rather than as an authority to be reckoned with were
likelier to seek and follow security advice than more general advice. To be honest, the
higher individuals perceive themselves as being in the hierarchy, the likelier
they are to complain about inconvenient restrictions, but that will be tempered
by the fact that they’re aware of their own responsibilities, in particular for
ensuring the safety of their data (and, no doubt, their jobs).
Outside the workplace, it can be very different, though not necessarily for
more mature people: this group may have been conditioned by life and work
experience to behave somewhat similarly at home as in the workplace. If they’ve learned to be concerned
about security and respect the advice of others, they’re likely to carry over
that behaviour to their home life. (Though that in itself might be
problematical, as there is so much bad or mixed advice available.)
The young
are, perhaps, more vulnerable because, as the generation that is most likely to
have grown up with information technology, they tend to overestimate their own
understanding of it. And indeed, older generations – using the term generation
in a very imprecise sense – tend to make similar assumptions. However,
familiarity with interfaces is a lot different to understanding the underlying
technology. (I’m reminded of an old science fiction story where someone from
the future discovered that unlike Twain’s
hero in the Court of King Arthur, he was unable to capitalize on his
knowledge of what technology would be available in his own time because he
didn’t really understand the processes behind the interface.)
People with more experience of life are more likely to see how a technology can
be misused without fully understanding the technology, by extrapolating from
off-line experience. They may certainly have more to lose, but more to the
point, will also value what they have more, because it’s likely that they’ll
have put more of their own effort into acquiring it, rather than simply having
been given it. They’re also likelier to be more aware that they don’t have a
whole lifetime in which to make up their losses. There’s certainly plenty to
indicate that they don’t see their personal data as particularly sensitive, and certainly don’t necessarily think ahead to what their Facebook Timeline will look like to a prospective employer, let alone to posterity.
However, they’re also more vulnerable in that they will see the online world of
social media in which they spend so much of their time as ‘their’ world – the
natural environment of switched-on youth – rather than the habitat of a whole
range of human beings, including some very unpleasant people indeed.
What really interests me about these
data is that they have very little to do with technical knowledge – most people
don’t have a deep understanding of computer science and IT security (let alone
the elements of cryptography), or even the ergonomic and psychosocial aspects
of the interaction between human and computer. As it happens, the behaviour
patterns that drive people to make certain password/passphrase/PIN choices –
especially the stereotypical choices that are so helpful to an attacker – are a
topic I find particularly
interesting. But then these data aren’t so much about self-knowledge as received wisdom.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow