Millennials: An Urban Legend In Cybersecurity

One evening when I was in college, one of my friends told me the story of this girl he knew.  The girl had come home late to her dorm room, saw the lights were off, and thought that her roommate had gone to bed early.  Not wanting to wake her friend, she went to bed herself.  She woke up the next morning, sunlight filling the room to see her roommate had been killed.  On the wall, written in blood was a note, “Aren’t you glad you didn’t turn on the lights?”

Of course, the story isn’t true – it’s an example of an urban legend – stories that people tell one another that take on a life of their own.  This may have been the first urban legend I had ever heard.  If you’re curious, there is a list of the most famous urban legends in each state.

Here is another story.  A company hires a new employee straight out of college.  Being a Millennial, the new employee is constantly posting on social media.  Eventually, the company is hacked because the employee did something they weren’t supposed to do.  According to a recent study by Centrify, more than a third of managers believe that millennials are the “main culprits” of data breaches.

I’ve been leading the Information Security program for Southern Methodist University for over 10 years now, so I’ve had a front row seat to watch the Millennial generation come of age.  When I came to SMU, I had incorrectly assumed, that because students have been using computers before they could walk, that they would computer literate.  Just because you use Facebook or have a smartphone doesn’t mean you know or even care how they work.  And in that regard, they look like every other generation that has come before.  A dance major may or may not know how to code.  An engineering student may or may not know how to build a network.

But just because many people believe a compelling story about a scary person or group doesn’t make it true.  It’s easy to stereotype all social media as being “bad” and that a person or company will be hacked if they allow it.  But a survey of my own employees reveals something different.  I asked 350 users how many hours per day they use social media.  But I also asked whether these users had been a victim of identity theft or an account compromise.  My goal was to make data-driven decisions on how to improve my cybersecurity program and to discover areas where I can focus to have the biggest impact.

Your users may be different, but my own study suggests that the more a person uses social media, the less likely it is for them to have experienced a hack, irrespective of age.  Why?  One explanation is that the more one uses social media, the more likely it will be that a person is exposed to the dangers of that service and how to better protect themselves against those threats.  An implication of this might be that rather than training users to never use social media, we might be better off telling them to use it more.

There is a lot at stake when it comes to the question of Millennials and data security.  The future of cybersecurity is, quite literally, in the hands of Millennials.  According to a report by the Pew Research Center, Millennials are projected to overtake baby boomers in population size by 2019 and already outnumber Generation X.  By 2025, Millennials will make up the majority of the workforce.  If it is true that millennials are the main culprits of data breaches, then we need to start working now to remedy that situation.  But if it isn’t true, we need to focus our resources in understanding the problem and coming up with solutions that work.

Millennials have been described as “Digital Natives.”  Millennials are the first generation to grow up in a fully digital world and in that regard they are different from every generation that has preceded them.  “It’s tempting to over generalize when it comes to millennials,” according to Kal Bittianda, head of the global cybersecurity practice for Egon Zehnder.  “Digital Natives have a different perspective on things like Social Security Numbers being posted to the Internet because they’re already out there,” Bittianda observed, “their definition of crown jewels may be different.”

Another question that I asked of my users is whether they looked at what their social media profile looks like to the public.  To my surprise, 100% of Millennials indicated that they performed this basic hygienic habit.  Baby Boomers and Generation X both fell between 56% and 74%.  When it comes to locking down their social media profiles, Millennials again came out on top at 100%.  Baby Boomers and Generation X did better this time, falling between 69% and 91%.

The report by Centrify mentioned above also suggests that millennials are more likely to share their passwords than their older coworkers.  16% said that they had shared passwords.  But there is a catch: in the majority of cases the person they were sharing the password with was their manager.  And the context for this is important: Millennials are usually in lower level positions within an organization and aren’t necessarily in a position to question authority.  Boomers are more likely to be in a position of authority and should know better.  Yet 15% of managers in the Centrify study admitted to sharing passwords with colleagues…nearly as bad as the millennials.

I came across another study that indicates that the size of a person’s ears has a direct correlation to their ability to do math.  Scientists have observed that ear size has a 100% correlation to the ability to decipher complex algebraic formulas, solve differential equations, and predict the outcomes of formulas.

Now, before you get out your tape measure, you should remember that babies have really small ears and are terrible at math.  It’s easy to draw connections that look valid on paper, but have an explanation that has nothing to do with the mystery that you’re attempting to solve.  In order to fully understand how shifting demographics will impact your organization’s cybersecurity, you must capture the whole context of the problem.  This means you must first have a deep understanding of your organization’s overall culture before you can draw conclusions about specific demographics.  For all we know, rather than being the “cause of all data breaches,” millennials may hold some of the solutions to our cybersecurity challenges.