Center for Cybersecurity & Data Intelligence

By Thomas Skill, Ph.D., Associate Provost & CIO, University of Dayton

How nervous should your cybersecurity team be when the Gen-Z population joins the workforce over the next few years?  

UD’s Center of Cybersecurity & Data Intelligence did a small study in March 2018 that explored how the different generations encounter cybersecurity awareness and practices.  A key group that we analyzed was Generation Z (Gen-Z).  these are the kids now in high school that will soon be entering college and the broader workforce.  Our study applied our Cyber-Mindfulness model to our analysis of the various generations - from Baby Boomers & Gen X'ers to Millennials and Gen Z.  Using both our original data and existing data sources, we were able to craft descriptive profiles of the generational differences with regard to cybersecurity attitudes and behaviors.  It is really interesting to see the differences in generations and how these Gen-Z students are going to bring a very disruptive set of expectations and new behaviors to both college and career!

In terms of the Gen-Z engagement with technology and cybersecurity, this is a generation that views their technology as totally and almost exclusively mobile!  Their personally-owned smartphone reflects their "always connected" lifestyle.  They expect to use these devices for personal and work activities -- and they strongly believe that their personally-owned and self-managed device allows them to be substantially more productive than any technology provided by their school or employer.

The "BYOD" world-view of the Gen-Z population will likely be very disruptive to traditional cybersecurity models and practices.   

A critical finding is that traditional "rules based" security practices that use the typical lecture-based training is not only ineffective, but it is viewed very negatively by the Gen-Z population. They interpret these approaches as similar to the "parental lecture" and hate it!   The more effective way to engage Gen-Z'ers in good cybersecurity behaviors is to ground them in a “values-based approach.”  For example, educational outreach on cybersecurity should emphasize values such as "shared responsibility in protecting our community" (thereby engaging in “cyber-mindful” actions when entering personal data in a website).  

As we explored the attitudes and behaviors of Millennials and Gen-Z, we applied our cyber-mindfulness model in terms of the three core elements -- Awareness, Agency and Action.   The Agency role truly emerged as critical to sustainable good practices because it addresses the need for users to feel a sense of ownership for cybersecurity.  Addressing this gap is a challenge with all generations. However, in building agency with Gen-Z, it is very important to drive that training around the concept of shared values and community engagement.  With many of the other generations, pushing compliance to rules can be reasonably effective. Gen-Z does not accept rules very easily.

Finally, one of our interesting discoveries was the difference between Gen-Z high school students and Gen-Z college students. We found that 19-year-old college students have a much stronger sense of agency that 19-year-old high school students.  And 19-year-old college students are much more concerned about privacy of their information than 19-year-old high school students.  Our interpretation of this result suggests that experience likely changes generational patterns.  As students enter college, they are experiencing situations whereby concerns around privacy and shared responsibility (agency) are shifting attitudes.  What this really means is that Gen-Z high school students going into the workforce will be a substantially higher cybersecurity risk than those coming from College - even if they are same age and of the same generation!