Known age differences exist in relation to information and communication technology (ICT) use, attitudes, access, and literacy. Less is known about age differences in relation to cybersecurity risks and associated cybersecurity behaviours. Using an online survey, this study analyses data from 579 participants to investigate age differences across four key cybersecurity behaviours: device securement, password generation, proactive checking, and software updating. Significant age differences were found; however, this is not a straightforward relationship. Older users appear less likely to secure their devices compared to younger users; however, the reverse was found for the other behaviours, with older users appearing more likely to generate secure passwords and show proactive risk awareness and regularly install updates. Gender was not a significant predictor of security behaviour (although males scored higher for self-reported computer self-efficacy and general resilience). Self-efficacy was identified as a mediator between age and three of the cybersecurity behaviours (password generation, proactive checking, and updating). General resilience was also a significant mediator for device securement, password generation, and updating; however, resilience acted as a moderator for proactive checking. Implications of these findings are twofold: firstly, helping to guide the development of training and interventions tailored to different cybersecurity behaviours and secondly informing cybersecurity policy development.

1. Introduction

More people are using digital technology than ever before; however, “digital divides” remain prevalent across user groups [13]. Demographic factors such as age and gender have often been cited as moderators of these digital divides. Younger age ranges have traditionally been the earliest adopters of ICT; however, these age groups are reaching saturation (99% of young adults now use the Internet in the UK [4]). Consequently, older adults are now the fastest growing group of adopters [46]. Despite many older adults being keen to adopt technology [7], a negative narrative prevails [8]. For example, research suggests that this user group may still lack confidence in their ability (or self-efficacy) to use their devices [911] and may show deficits in ICT skills and literacy [2, 12, 13], something often referred to as the “second level” of the digital divide (where access to information and communication technology [ICT] forms the first level [1]). However, some researchers have argued that rather than there being an age-related skill gap, older adults may simply underestimate their actual capabilities and knowledge [14]. In their review of this issue, Hunsaker and Hargittai [2] note a methodological issue with researching older adults, pointing out that studies differ in how they group age categories, the categories included, and the age that is used to signal the start of older adulthood. They called for further work to identify whether age disparities are continuing.

For all users, the cost of embracing digital connectivity is a growing cybersecurity risk. As older adults now spend longer online, they in turn have become the latest target population for cyberattacks, with £4m lost by older adults in the UK between 2018 and 2019 [15]. However, research into age-related differences in cybersecurity posture and attitude is scarce [11, 16], which means it is difficult to identify and mitigate age-specific issues.

The risks that individual users are susceptible to may vary with age, but this is by no means conclusive. For example, whilst [17] suggests that younger users are more vulnerable to phishing attacks, Grilli et al. [18] found that older adults were worse at discriminating between genuine and phishing emails based on perceived suspiciousness. Sarno et al. [19] found no age differences in the ability to classify emails as phishing or not. Oliveira et al. [20] discovered that older and younger adults fall for different persuasion triggers, with older women being the most vulnerable group. Other research suggests that younger adults display fewer privacy and security concerns compared to older users (the latter potentially due to high levels of social media use and the associated sharing of personal data [21, 22]). Note, however, that this may not be a simple linear relationship, given a study by Little et al., who found a more complex U-shaped trend with younger and older Internet users appearing less protective of their privacy than their middle-aged counterparts [23].

Older adults show a reluctance to fully engage with cybersecurity behaviours, citing reasons including low self-efficacy and a lack of awareness [11]. They are also less likely to adopt security measures to protect against unauthorised access to their devices, e.g., personal identification number (PIN) or biometric protections [24]. Taken as a whole, the current research suggests that cybersecurity concerns may be more complicated than simply identifying a single age range as vulnerable or “at risk.” It is important that we understand how adults of different ages engage with different security behaviours to protect themselves online. This study addresses this gap in the literature and concentrates on four key cybersecurity-related behaviours: device securement (e.g., locking their device screen when not in use), secure password generation, proactive checking (checking legitimacy and security indicators such as uniform resource locator (URLs) and senders before clicking), and regular software updating.

Using data from across the adult lifespan (18-82 yrs), the current study addresses some of the limitations of previous research, where quite limited age ranges have been investigated (often due to practical difficulties in data collection [25]). For example, Ayyagari and Crowell [26] recently investigated differences between three age groups in relation to cybersecurity behaviours; however, they were restricted to a university sample, and their eldest group constituted anyone over 35 years. In addition to assessing reported behaviours, we also expand the current literature by exploring the role of computer self-efficacy, as this has been shown to influence ICT behaviour [27, 28]. Psychological resilience has also been linked to risky behaviour. Specifically, resilience has been linked to both risk seeking and risk adverse behaviours, depending upon the study and/or context [29, 30]. We therefore include a general resilience measure as a variable within our study.

This study also investigates gender differences as existing research in this area is inconclusive. Traditionally, research has suggested that females score lower for computer self-efficacy than males [20, 21] although more recently [22] suggest that this gender difference may be diminishing. It is important to note that self-efficacy relates to the individuals’ own beliefs about how they can perform [23]. As such, it is not possible to determine whether any gender differences reflect differences in actual ability and/or differences in self-perception [24]. Computer self-efficacy can also be context dependent, with several studies showing that gender differences may differ depending on the context (e.g., ICT for educational versus general use [25]) or the specific task (e.g., Internet tasks versus high level software-related tasks [31]). Interestingly, some studies looking specifically at cybersecurity behaviours report that females tend to show greater online privacy concerns [27] and greater security policy compliance [28]. Whilst other studies show no gender differences, for example, Vance et al. [32] found no gender differences for intention to comply with security policies, and others suggest that females are likely to act less securely [33]. In their review of older adult research, Hunsaker and Hargittai [2] also described the existing literature as inconclusive. We address this need for increased understanding by including gender analyses in the current study.

In summary, our study tests for age and gender differences in cybersecurity behaviour across the adult lifespan, after controlling for computer self-efficacy and general resilience. The results have implications for identifying priority areas for future targeted training and development interventions.

2. Materials and Methods

Full ethical approval was granted from the School of Health and Life Sciences ethics committee at Northumbria University (#23761). An online survey was distributed by online recruitment platform “Prolific.ac.” Prolific is a paid service that distributes online questionnaires to their userbase of participants. The initial sample of 607 responses was cleaned and 28 responses removed due to failing the “attention check” question. The final sample consists of data from 579 participants, aged 18-82 years ( yrs,  yrs). Further demographics are shown in Table 1.

In addition to the demographic questions, participants were asked to complete a series of scale items to measure their cybersecurity behaviour, their computer self-efficacy, and their general resilience. Cybersecurity-related behaviour was measured using the Security Behaviour Intentions Scale (SeBIS) [34]. SeBIS is a 16-item scale consisting of four subscales that measure attitudes towards device securement, password generation, proactive checking, and software updating. The scale showed acceptable reliability in our study with Cronbach’s alpha (α) ranging from .64 to .75 for the four subscales (see Table 2). The computer self-efficacy scale [35] was used to measure users’ beliefs about their ICT capabilities. The scale showed excellent reliability (). General resilience was measured using the Brief Resilience Scale [36] ().

Construct and discriminant validity was checked to ensure that each scale was measuring what it is intended to measure, and that the scales were loading onto different components. Convergent validity for both scales is excellent (computer self-efficacy scale: and ; and ). Heterotrait-monotrait ratio of correlations (HTMT) was used to test discriminant validity. A HTMT ratio of 0.25 indicated excellent discriminant validity [37].

3. Results

Data was analysed using IBM SPSS Statistics (version 27). Missing data accounted for less than 0.3% of the items. Little’s MCAR test was nonsignificant (, ) indicating that the data was missing completely at random; therefore, estimated maximum likelihood was used to compute the missing data. Due to insufficient sample size (), the other gender category was excluded from the analyses.

Data was checked to ensure it met the assumptions of normality, independence, and homoscedasticity. All values were checked to ensure that they were within the excepted ranges given the measurement scales used. There was no sign of multicollinearity between the predictor variables (all , see Table 3; VIF ); scatterplots indicated a linear relationship between the IVs and DVs, and plotting the standardised residuals and predicted values indicated adequate homoscedasticity. All dependent variables appeared normally distributed on the Q-Q plots (and skew and kurtosis ), except for device securement. The latter indicated negative skew (more scores towards the top of the scale) although this was still within the acceptable threshold of +/-2 [38]. Device securement also showed a kurtosis value of 2.28. Therefore, as the normality assumption was violated for device securement, all analyses using this variable were conducted using the bootstrapping method (with bias-corrected and accelerated confidence intervals, ) to ensure robustness.

Bivariate correlations are shown for each of the variables (Table 3). There is no significant correlation between age and gender. None of the correlations raise concerns around multicollinearity.

3.1. Gender Differences in Perceived Computer Self-Efficacy and General Resilience

Independent samples -tests showed a significant difference between the genders, with males (, ) scoring significantly higher than females for perceived computer self-efficacy (, , , ). t-tests also show a significant difference between the genders for general resilience, with males (, ) scoring significantly higher than females (, , , .

3.2. Predictors of Cybersecurity Behaviours

The data were analysed using a series of hierarchical regressions to test the predictors (age, gender, computer self-efficacy, and general resilience) of cybersecurity behaviour. As aforementioned, the device securement regression was conducted using the bootstrapping method due to violating the assumptions of homoscedasticity; therefore, confidence intervals are reported for this regression.

All four models were significant (Table 2): device securement (bootstrap , , BCa CI (.03 - .08), password generation (, , ), proactive checking (, , ), and updating (, , ).

Investigating the individual predictors revealed that age was a significant predictor for all four cybersecurity behaviours (Table 2). Age was a negative predictor of device securement, but a positive predictor for the other behaviours (password generation, proactive checking, and updating). Gender was not a significant predictor for any of the behaviours.

The standardised coefficients show the strongest predictors. For three of the four behaviours (password generation, proactive checking, and updating), computer self-efficacy was the strongest predictor, followed by age and then general resilience. All of which were positive predictors.

Device securement differed from the other behaviours. The strongest predictor variable, age, acted as a negative predictor of this behaviour. General resilience was the only other significant predictor, acting as a positive predictor of secure behaviour.

3.3. Mediation Analysis

The relationship between age and perceived computer self-efficacy and resilience was investigated further with parallel mediation analysis using the PROCESS macro for SPSS, model 4 (Hayes, 2013, Figure 1).

To aid interpretation of the results, all variables that defined products were mean centered during the PROCESS mediation analysis. The results are shown in Table 4.

The indirect effect of age on cybersecurity behaviour, via self-efficacy (mediator 1), was significant for three of the four behaviours: password generation, proactive checking, and updating. Self-efficacy was not a significant mediator for device securement.

The indirect effect of age on cybersecurity behaviour, via resilience (mediator 2), was significant for three of the four behaviours: device securement, password generation, and updating. The effect of resilience on the remaining cybersecurity behaviour, proactive checking, was investigated using PROCESS model 5. The results indicate that for this behaviour, resilience acts as a moderator rather than a mediator. The tested model is shown in Figure 2.

Plotting the estimates shows that the moderation effect of resilience on proactive checking for low (-1SD), mean, and high (+1SD) age (Figure 3). The effect of age on proactive checking is strongest for the high resilience users.

4. Discussion

This study expands upon the current literature by investigating age and gender differences in relation to different cybersecurity behaviours. Our results show that rather than older adults being universally more at risk than others, age differences vary according to the specific security behaviour in question. Therefore, rather than focusing on first level digital divides (i.e., ICT access and adoption), our findings highlight the importance of investigating ICT behaviour on a more granular level, i.e., investigating specific types of behaviour and/or activities (something also identified by [19]). Whilst younger users appear more likely to secure access to their devices than the older age groups, they also appear less likely to generate secure passwords and/or update their device and show less proactive URL/email checking behaviours. Our result regarding proactive checking provides a reason younger users may be more susceptible to phishing [17] and older adults to be less likely to adopt security measures to secure physical use of their devices [24]. Similarly, a recent study [39] found that—in direct contrast to their original hypothesis—older users are less likely to share their passwords. Our study helps to strengthen the emerging positive discourse that older users are security conscious, challenging dated stereotypes that this age group is not tech savvy [14]. Many older adults actually display high levels of awareness and ability in regard to cybersecurity [3941].

It can appear contradictory that older users on the one hand are security conscious and generate more secure passwords but are also less likely to secure access to their devices, e.g., failing to lock their screen when the device is not in use. On further consideration, this may be due to differences in the context of use and associated perceived risks. Existing literature suggests that this age group focuses heavily upon the privacy and security of the data they enter online [42]—which is in keeping with our results which show they are more likely to generate strong passwords, update devices, and show proactive checking for risk. In comparison, it is possible that they are not as aware or not as cautious of “offline risks” around the security of their physical device, such as it being stolen or used maliciously. For instance, if their main point of access is a home computer, they may feel that the device is already secure within the home and that there is little risk of other people accessing it [11]. Interventions to increase the salience and importance of physical device securement may be beneficial for this age group. Based on the existing literature, the most favoured and/or effective intervention approaches for older adults may be those involving in-person support and/or promoting these security behaviours through social connections, peer support, and family members [3, 4143]. However, it is also important to note that a lack of device securement may be an active choice on behalf of some users and may not represent a lack of awareness. For example, it is possible that older adults knowingly allow others to access their devices; for example, research suggests that older adults may be more likely to ask trusted others to complete ICT tasks on their behalf [11, 44]. There may also be barriers due to problems with biometric security; for example, Morrison et al. identified that fingerprint readers can be problematic for older users [11].

Similarly, if younger users are the earliest and most intensive users of ICT and they are more likely to secure access to their devices, why is it that they appear to be less likely to generate secure passwords, demonstrate proactive checking for risk, or update their devices? Some of these findings could potentially be explained through differences in usage and/or device type. For example, in relation to secure passwords—it could be that younger users are relying more heavily upon automatic password generators [11, 45] and/or biometrics (e.g., face ID and fingerprints), therefore removing much of the emphasis on personally generating a secure password. In relation to proactive checking for risk, frequent ICT usage and over familiarisation with the sharing of personal data can lead to overconfidence, complacency, and/or security fatigue [4649]—factors which have been linked to cybersecurity vulnerability [50]. It is also possible that the salience of a possible attack may be reduced in the younger age groups due to a lack of learned experience (i.e., not having personally suffered an attack or heard of friends or family being affected; something supported by the existing literature [51]). Regarding younger users reporting being less likely to update their devices, many devices now automatically install software updates as they become available. Trust in automation could lead to users feeling less responsibility and reduce the requirement to check whether their devices are up to date. However, it is important to note that the relationship between age and such trust is complex and reliant on many factors [5255]. Whilst some literature suggests that older users may be more likely to trust automation [56, 57], age differences are likely to differ across situations and contexts [52, 53]. More work would be required in this area to find the root cause. Our mediation results also suggest that self-efficacy is a significant mediator of age and security behaviour, therefore suggesting that, at least to some extent (and again potentially related to a reliance upon automation), younger users may demonstrate reduced self-efficacy compared to older users. Further qualitative and quantitative research is necessary to identify the factors underlying the age differences and the role of efficacy identified in this study. These insights can help to guide the design of future interventions to promote more secure behaviour.

It is not unexpected that computer self-efficacy would positively predict some cybersecurity behaviour given that it relates to the individual’s confidence in their IT capabilities (a similar result was found by Mitzer et al. [58]) and therefore their ability to act securely. It is perhaps more surprising that general resilience was a significant positive predictor across all four behaviours. It could have been expected that resilience would act as a negative predictor due to being associated with self-confidence in “bouncing back” if anything bad happens and therefore perhaps less incentive to avoid risks. However, the literature shows that the relationship between resilience and risk is not this simple. It has been suggested that resilience negatively predicts negative health behaviours (e.g., smoking, heavy drinking, and drug use) and positively predicts protective health and safety promotion behaviours (e.g., wearing a seatbelt, eating a healthy diet, exercising, and crossing the street safely) [29]. This resonates with our results as the behaviours we were predicting were safety promoting. Our findings indicate that the general resilience acts as a mediator for three of the four behaviours (device securement, password generation, and updating) and as a moderator for the remaining behaviour, proactive checking for risk. The greatest effect of age on proactive checking was found for those users who scored high for general resilience. One potential explanation is that younger users’ perceptions of resilience may be based more on optimism bias (i.e., feeling resilient but not being proactive to protect against risk), whereas older users’ resilience may be based more upon learned experience (and therefore their learned abilities to act proactively to protect against risk in the future). Future research may wish to further investigate the role of resilience in relation to online behaviour.

Interestingly, we found no evidence of gender differences in relation to any of the cybersecurity behaviours. There was a gender difference for computer self-efficacy scores, with males scoring significantly higher than females. This is not unexpected as this trend has traditionally been reported in the previous literature [59]. As self-efficacy can be context specific [31], it is also possible that the computer self-efficacy scale [35] measures self-efficacy in relation to tasks that males generally feel more confident with. Furthermore—and as noted earlier—self-efficacy relates to an individual’s own beliefs about their ability and does not necessarily reflect actual differences in ability or performance [60]. Even so, it is worth noting that our findings are contrary to research suggesting that gender differences in perceptions of computer self-efficacy may have abated in recent years [61]. We also found that males scored significantly higher on general resilience; this is a trend that has been observed in the existing literature [62]. Previous research [63] has attributed higher male resilience scores to differences in self-perception and cultural constructions of “masculinity.”

We recognise the limitations within the current study and make recommendations for future research. Firstly, whilst we included a broad range of ages, most of our participants were below 45 years of age. Future research should seek to follow the recommendations of Hunsaker and Hargittai [2], who call for research to include more subcategories of older adults (see, for example, [64] who use the categories 55-64 yrs, 65-79 yrs, and 80-97 yrs). With more granular analysis of older age groups, it is possible that further group disparities and more complex relationships could emerge (such as U-shaped trends similar to those found by [23]). Findings by [51] suggest that individuals over 59 years of age may be most vulnerable to phishing; again, this may be indicative of a U-shaped relationship. Secondly, we recognise that this study relies upon self-reported data, and we suggest that future research utilises experimental and/or observational methods. Thirdly, our participants were recruited via an online recruitment platform; therefore, they may be more tech-savvy than the general population (similar to that found for mTurk users, e.g., [17]). It should be recognised that they may not be representative of the larger population of ICT users.

5. Conclusions and Contributions to the Field

In this paper, we identify behaviour-specific age differences in cybersecurity, highlighting the need for a granular, context-specific approach to identify age-related differences in cybersecurity behaviours, and advise against labelling a particular age group as universally more at risk. Within our sample, older users were more likely to report generating secure passwords, updating their devices, and demonstrating proactive checking for risk. In comparison, they were less likely to secure their device to prevent unauthorised access (e.g., by locking the screen); the relationship between age and security behaviour was mediated by computer efficacy for three of the four behaviours, with the exception being device securement. This indicates that a lack of device securement by older users is due to other reasons; this could include low perceived risk of physical access to devices by malicious parties and/or an active choice to allow access by others such as family members. General resilience was also a mediator for three of the four behaviours and a moderator for the remaining behaviour (proactive checking for risk). The relationship between age and proactive checking was strongest for those users scoring high for resilience. We suggest that this may represent a move from optimism bias in younger users to learned experience (and therefore learned protective mechanisms) in older users. This supports research by [60] which found that younger users were less familiar with cyberthreats and [51] demonstrating that learned experience appears to be the strongest predictor of secure behaviour in relation to phishing.

We present multiple recommendations for future research to further explore the impact of age, self-efficacy, and resilience on cybersecurity behaviour. Despite gender differences in self-perceived computer self-efficacy (similar to [60]) and general resilience, no gender differences were found for the cybersecurity behaviours, suggesting that gender does not play a role in cybersecurity behaviour intentions. This partially supports findings by [51] who found no gender effects across most of their conditions in regard to vulnerability to phishing (with the exception of banking phishing emails for which males were more susceptible). However, it is noted that the existing literature around gender differences is conflicted; for example, [60] found significant gender differences in cybersecurity behaviour—suggesting that further investigation into the potentially nuance effect of gender is needed.

Overall, these findings have implications for future design and development of targeted cybersecurity interventions and the development of policy and practice; in particular, we draw attention to the need to consider differences in cybersecurity behaviour on a more nuanced level.

Data Availability

The survey data used to support the findings of this study have been deposited in the University of Bath data archive. Access available upon request.

Conflicts of Interest

The authors declare no conflicts of interest.


This work was supported by the Engineering and Physical Sciences Research Council (EPSRC) as part of the Cybersecurity across the Lifespan (cSALSA) project (EP/P011454/1) and the Centre for Digital Citizens (EP/T022582/1).