A lot of ink over the years has gone into comparing the most common generations within the workplace—and for a good reason. Generations are a great way to compare and study variations in broad subjects like the importance of job security, working habits, and technology usage.

These generalizations have been crucial data for many important workplace improvements, including cyber security awareness.

It’s no surprise that Gen X, Millennials, and Gen Z see and use technology very differently. For some, it’s been an evolution, but a growing number of people in the workforce have simply never known anything else. This can have a significant impact on the way each generation sees crucial subjects such as cyber security.

Most Gen X and millennials have had training in various cyber security threats such as phishing, but a frightening 60% of Gen Z-ers reported never receiving any education on cyber safety. Perhaps their managers thought they already knew enough since they are digital natives, but this kind of assumption can lead to disastrous situations for any company.

Cyber security professionals already modify their awareness teaching by department and country, but generational segmenting can be an even more powerful tool. This article will give an overview of each generation, how they react to threats, and tips on building a proactive cyber security culture based on this information.

Overview of digital generations

The main differences between the three generations studied here were when technology was introduced and how they used it to communicate. These might seem like subtle differences at first glance, but they can have significant impacts in terms of cyber security.

Gen X

  • 1965-1980
  • Main technology: desktop computer
  • Mode of communication: emails, phone

The Gen X generation is what academics refer to as “digital immigrants.” Technology wasn’t always a part of their work, and they’ve had to adapt over the years. They often learned about cyber threats by falling victim to them and have had to develop their own tricks and habits since cyber security departments were rare when they entered the workforce.

Phone calls still reign supreme for this generation, and email is their preferred method of communication. They see emails as more secure and convenient than text messages and are better equipped to notice phishing done through email.


  • 1980-1995
  • Main technology: laptops and smartphones
  • Mode of communication: text messages, social media

Millennials are in an odd situation technology-wise. They weren’t all digital natives, and while most had computers at home, social media was a later addition to their lives. In terms of work, however, they are definitely digital natives, and computers have always been present in their workplaces.

They are no strangers to cyber security and have often received extensive training on the subject. They are more likely to communicate via text messages and use smartphone apps for certain tasks such as banking and bill payments.

Gen Z

  • 1995-2010
  • Main technology: tablets and smartphones
  • Mode of communication: social media

The definition of digital native truly starts with Gen Z. In most cases, members of this generation don’t remember a time when technology wasn’t a major fixture of their lives. However, a large portion of their exposure to technology has been through smartphones. They embrace new platforms faster than other generations but are often less well-versed with desktops.

They communicate primarily through social media platforms such as Snapchat, often exchanging their username instead of their phone number when they meet someone new. They often have had less cyber security training than other generations and feel much more secure online overall.

Cyber risk by generation

No generation is better or worse at cyber security. They simply have different notions and risks. After all, that makes a lot of sense when they communicate and work differently. Some generations also have had more or less exposure to certain types of threats.

Gen X

This is the generation with the most work experience and the only ones to have seen cyber threats evolve since the beginning. Cyber security has been a foundational principle in the workplace, and they are more likely to follow the rules to the tee.

They are usually very good at keeping their work and personal emails separate and are assiduous in changing their passwords following the company-mandated guidelines. However, including technology in their personal lives is a newer concept and can lead to spillover issues in the corporate world.

For example, Gen X-ers are more prone to share personal information on their social media profiles, leaving them open to social engineering attacks. Since they know these platforms less, they also have a harder time detecting phishing attacks on social media before it’s too late.

The personal information they openly share on social media can quickly become a threat to businesses if the information is used in a spear phishing attack or to answer their security questions and breach their work account.


Millennials are an interesting mix of exposure to technology and workplace experience. They grew up with technology and understand its power, but that also makes them prone to thinking they know better than their work IT department.

This generation takes security precautions for their personal devices but isn’t likely to follow the same level of caution for their work devices. They can have issues with password hygiene and are the generation that uses online banking the most.

This means they are more likely to trust a phishing message from a banking institution since they get emails and messages from their bank often. Many of their technology decisions revolve around convenience, so getting them to adopt a password manager or use a VPN won’t be an issue.

Gen Z

It may be a bit early to pass judgment on Gen Z’s habits in the workplace—the youngest members being 11 years old—but trends are already emerging. Growing up with technology doesn’t mean you automatically understand it. In fact, it seems like it might have been too normalized for the members of this generation.

Gen Z’s technological knowledge is heavily influenced by smartphones and social media applications, making them ill-equipped to detect phishing attacks via email or spoofed websites. They are also the most likely generation to ignore mandated IT updates until the last minute and reuse passwords for personal and work accounts.

However, they are also the most adept at detecting scam attempts carried out through social media. This generation is quick to adapt to new technology trends and will comply if the importance is explained in terms they relate to.

How CISOs can build a proactive cyber security culture

Cyber security awareness must be a team endeavor to be effective. If you’re trying to understand employee behaviors, looking at their generation would be one of the best ways to do it. Here are some ways to integrate this point of view:

Generational cyber security heroes

One of the most efficient ways to propagate cyber security awareness is to identify employee heroes within each department to help their colleagues understand the threats they face. People are more likely to listen to someone they relate to, and similar age groups are a great way to find common ground in these situations.

Personalized content

As mentioned earlier in this article, different generations face very different challenges regarding cyber security awareness. The generation users come from is a great way to address challenges that might not be universal but makes them a security risk, nonetheless.

Intergenerational training

Each generation has its strengths and its weaknesses in cyber security. Training with members of all generations present can foster beneficial collaboration and stories that people can relate to and later use in their cyber security awareness.

Understanding Your Users’ Behaviors

Looking at generations is a common practice in management to understand the type of leadership needed for specific cohorts of employees. There’s no reason why the same logic can’t be applied to cyber security awareness.

The behaviors companies try to change via a cyber security awareness program largely result from a user’s perception of technology. This can be hard to fix if you don’t understand the source of the behavior, and generation is often the perfect starting point.



Understand Crucial Phishing Stats

Check out this webcast  to understand how to use and evaluate user behaviors to significantly reduce information security risk factors.