With Age Comes Wisdom...and Information Security Savvy


October is National Cyber Security Awareness Month (NCSAM). Throughout the month of October, EDUCAUSE will highlight higher education information security issues. This blog post is part of a series of entries published in the Data Bytes, Security Matters, and Transforming Higher Education EDUCAUSE Review columns focusing on faculty and student perceptions of information security research results from ECAR's 2017 Technology Research in the Academic Community.

Last year we wrote about the state of student information security hygiene practices, using results from the 2015 ECAR Study of Students and Information Technology. In 2017, ECAR revisited the state of student information security practices to see what changes have taken place in the past two years.[1]

As information security professionals, we find the 2017 results both encouraging and interesting. Current responses show that students continue to improve their information security practices. More students secure their mobile devices with a password or PIN (90% in 2017[2] versus 86% in 2015[3]). And more students are using complex passwords to secure their online accounts (88% in 2017 versus 86% in 2015).[4] These numbers are particularly favorable when considered in the context of the general U.S. adult population. For instance, the Pew Research Center reported this year that 68% of smartphone owners secure their mobile device with a PIN, thumbprint, password, dot pattern, or other type of screen lock.[5]

What is interesting about the 2017 results is that the age of students is associated with information security hygiene practices in the study. While rates of mobile device protection, password complexity, and device theft are similar, younger students (those ages 18–24) are more likely to share their devices or credentials. In fact, for every risky practice we asked about, younger students were far more likely to respond that they had engaged in the risky practice. (See table 1.)

Table 1. Students who responded yes to a selection of information security practices

| Personal Devices and Online Account Security Practices | Students Age 18–24 Who Responded Yes | Students Age 25+ Who Responded Yes |
|---|---|---|
| I sometimes let other people use my mobile devices unsupervised. | 35% | 12% |
| I have given the password or PIN for my computer, tablet, or smartphone to another person in the past 12 months. | 41% | 13% |
| I have given my password or PIN for an online account to another person in the past 12 months. | 21% | 8% |
| I have let someone log in as me to a college or university service, system, application, or website in the past 12 months. | 15% | 6% |

These findings are fascinating. Francis Bacon wrote, "Age appears to be best in four things; old wood best to burn, old wine to drink, old friends to trust, and old authors to read." It seems that age is also best in adopting good information security hygiene practices for device and credential sharing. It could be that older students have experienced the pain of poor information security practices: an ex-romantic partner accessing online accounts; friends posting nonsense on social media under the account owner's name; identity theft; and personal property theft. Thus, they are less likely to share their devices (unsupervised) or passwords to online accounts.[6] All is not lost for younger students, however. This year's research found that rates of device protection (e.g., using a password or PIN), password complexity, and device theft are similar for both age groups.

Another interesting finding in this year's research is that those students (and here we are talking about all students, not just younger ones) who secure their devices with a password/PIN (90% of respondents) or who use complex passwords for online accounts (88% of respondents) are no more or less likely to have had an account hacked in the last 12 months. However, many students who have had an online account hacked in the past 12 months engage in risky personal device and online account security practices that can (or already did) contribute to an account being hacked.[7] The table below shows the personal device and online security practices for students who have had an online account hacked in the past 12 months.

Table 2. Responses to a selection of information security practices from students who have had an online account hacked in the last 12 months

| Personal Devices and Online Account Security Practices | Students Who Responded No | Students Who Responded Yes |
|---|---|---|
| I sometimes let other people use my mobile devices unsupervised. | 8% | 16% |
| I have given the password or PIN for my computer, tablet, or smartphone to another person in the past 12 months. | 8% | 15% |
| I have given my password or PIN for an online account to another person in the past 12 months. | 8% | 21% |
| I have let someone log in as me to a college or university service, system, application, or website in the past 12 months. | 8% | 25% |
| I have had a computer, tablet, or smartphone stolen in the past 12 months. | 8% | 38% |

Overall, we are pleased to note that this year's research found that most students have relatively good information security hygiene practices. We found the research findings related to age and account hacking/continued risky behaviors to be fascinating and to signal areas in which improved information security training may be most useful. We look forward to sharing additional information about student information security hygiene practices in future versions of this ECAR research.

Notes

  1. For the 2017 ECAR Student Study, 43,559 respondents from 124 institutions in 10 countries and 40 U.S. states participated in the research. The quantitative findings in this research were developed using the entire sample of respondents from 35,760 students at 110 U.S. institutions.
  2. D. Christopher Brooks and Jeffrey Pomerantz, ECAR Study of Undergraduate Students and Information Technology, 2017, research report (Louisville, CO: ECAR, October 2017); available here. All references to 2017 data come from this resource unless otherwise noted. The authors wish to thank Mike Roedema for his thoughtful review of the information security results.
  3. Eden Dahlstrom, with D. Christopher Brooks, Susan Grajek, and Jamie Reeves, ECAR Study of Students and Information Technology, 2015, research report (Louisville, CO: ECAR, December 2015); available here. All references to 2015 data come from this resource unless otherwise noted.
  4. The ECAR survey asked students to answer yes or no to the question "In general, I use a combination of alphanumeric, and symbol character passwords for my online accounts."
  5. Interestingly, in the Pew Research Center's January 2017 report, Americans and Cybersecurity, Kenneth Olmstead and Aaron Smith note that "many Americans are failing to follow digital security best practices in their own personal lives, and a substantial majority expects that major cyberattacks will be a fact of life in the future."
  6. We really like this NPR story from 2012 about sharing passwords as a sign of intimacy.
  7. Poor personal device and online account security practices and having an online account compromised are related, but of course we don't really know which came first. Are accounts being compromised because students had poor practices, or are students still engaging in poor practices even after their accounts have been compromised? It's a chicken or the egg question.

Learn more about what students and faculty think of IT by visiting the 2017 Student and Faculty Technology Studies research hub.


Joanna Lyn Grama is the director of cybersecurity and IT GRC programs at EDUCAUSE.

Valerie M. Vogel is senior manager of the cybersecurity program for EDUCAUSE.

© 2017 Joanna Lyn Grama and Valerie M. Vogel. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.