I'm at the Anti-Phishing Working Group Counter eCrime Operations Summit (APWG CeCOS) this week, an annual conference aimed at disseminating information and analyses about eCrime in general, as well as discussing better ways of organizing the good guys to combat eCrime.
One potentially disturbing trend that came out in the meeting is that younger people seem to be more susceptible to eCrime. Richard Martin, a consultant for APACS, presented the results of a survey asking people what they would do when presented with an email that appeared to be from their bank. The good news is that only 4% of people in general said that they would act on it. The bad news is that, when drilling down on the data, 12% of people under the age of 24 said that they would act on it, an increase by a factor of three.
We saw the same result in a large-scale phishing experiment that we conducted at Carnegie Mellon earlier this year (which I reported on in a previous blog entry). We saw a factor of two to three difference between people aged 18-25 and people in other age brackets, in terms of falling for phishing attacks.
The concern here regarding youth is twofold. First, while the two data points above are only about phishing, I would be willing to bet that they correlate strongly with security practices in general. As such, it means that younger people are bigger security risks in general for all kinds of attacks and malware, a very worrisome trend given that younger people are more likely to try out new technologies and services.
Second, and more importantly, today's youth will be tomorrow's workforce. If it turns out that age itself does not solve the problem, then we will be seeing far more and far worse security breaches in the future. Or, as Kurt Vonnegut put it, "True terror is to wake up one morning and discover that your high school class is running the country."
I think it's worth speculating why younger people are more likely to fall for these kinds of scams. If we as a community can correctly diagnose the problem, we can then start developing appropriate remedies.
For example, is this simply a problem of age and experience, which will solve itself as they grow older? If so, perhaps we need better education campaigns to accelerate this process. Is it because this Facebook and MySpace generation is too comfortable sharing information online? In this case, we would need a different educational program warning people about the risks. The worst case is that some of these people are already aware of the risks but feel they don't have much to lose even if they are infected or scammed, since addressing that would require ways of changing people's motivations.
At this point, our understanding of young people and security is still murky, and it will require more work to understand the problem so that we can devise appropriate solutions.