March 17, 2020
Why people delay software updates, despite the risks
In May 2017, around a quarter of a million computers around the world running Microsoft Windows were attacked and infected with malware that would later be named "WannaCry." Victims found their computers locked and unusable, but could free them if the victims transferred Bitcoin—typically an amount equivalent to $300-600 USD—to the people behind the attack.
It turned out that the attack could have been avoided if people had applied a software update Microsoft had issued just weeks before the attack. The update fixed the vulnerability that the attackers had exploited, but many chose to delay installing it.
"Understanding what drives people to delay a software update—an important protective action because they fix bugs that attackers can exploit—would be a step toward preventing such cyberattacks," says CyLab's Cleotilde Gonzalez, a professor in the department of Social and Decision Sciences at Carnegie Mellon University.
In a study published in the latest issue of the Journal of Cybersecurity, Gonzalez and her co-authors found that the time-cost of updates and individuals' risk preferences have a significant impact on whether or not a user applies a software update, and how long it takes them to do so.
The researchers created a simulation in which participants posed as investors for 20 periods of 10 days, with each simulated "day" consisting of either making an investment decision or applying a software update to their computer. In the real world, users often can't perform their primary task while also processing a software update, so they have to choose one and delay the other.
In the simulation, the investment decision—the primary task of an investor—was to decide between a "safe" investment that earned them 2 points or a "risky" investment that earned them either 0 or 4 points with equal probability.
"By counting the number of risky choices, we can determine how risk-taking people are," says Gonzalez.
Alternatively, participants could forgo their primary task of investing in order to apply a security update to their computers. Eighty-five percent of the time, the update cost 10 points, akin to an update process requiring some amount of time and disrupting a user's primary task. Otherwise, the update cost 0 points, akin to the update process occurring overnight or some other time when a user's primary task would not be disrupted.
After either investing or applying a security update, participants learned whether or not they experienced a security failure. A security failure resulted in a loss of 100 points, and applying an update would reduce the probability of a security failure from 3 percent to 1 percent. After making these decisions 200 times—simulating 200 days as an investor—participants were compensated based on the number of points they had accumulated.
Even though the best decision in terms of maximizing points was to apply a security update on the first day of each period, many people delayed. The results showed that participants updated only 54 percent of the time, and 65 percent of those updates were delayed. Both the risk preference and the cost of the update played roughly equal roles in driving participants to delay the security updates.
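The game described above can be written down as a small expected-value model, which makes it clear why updating on day one is the point-maximizing choice and what delay actually costs. The following is an added example, not code or data from the study; the payoffs, probabilities, 10-day period and 100-point failure loss come from the article, while two details it does not state are assumptions made here: the update's protection takes effect on the day it is installed and lasts for the remainder of the period, and each period starts unpatched. The Monte Carlo section also tries a "patch only the day after a failure" habit, which is not a strategy the article quantifies.

```python
"""Expected-value model of the invest-or-update game (added example).

Assumptions not stated in the article: the update's protection applies on the
day it is installed and lasts for the rest of the 10-day period, and each
period starts unpatched.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class GameParams:
    days_per_period: int = 10
    safe_payoff: float = 2.0
    risky_payoffs: tuple = (0.0, 4.0)   # each with equal probability
    update_cost: float = 10.0
    update_cost_prob: float = 0.85      # otherwise the update costs 0 points
    failure_loss: float = 100.0
    p_fail_unpatched: float = 0.03
    p_fail_patched: float = 0.01


DEFAULT = GameParams()


def expected_invest_payoff(p=DEFAULT, risky=False):
    """Expected points from one day of investing; safe and risky tie at 2."""
    if risky:
        return sum(p.risky_payoffs) / len(p.risky_payoffs)
    return p.safe_payoff


def expected_period_points(update_day, p=DEFAULT, risky=False):
    """Exact expected points for one period when the update is applied on
    `update_day` (1-based) or never (None)."""
    inv = expected_invest_payoff(p, risky)
    total = 0.0
    patched = False  # assumption: every period starts unpatched
    for day in range(1, p.days_per_period + 1):
        if update_day is not None and day == update_day:
            total -= p.update_cost_prob * p.update_cost  # expected update cost
            patched = True  # assumption: protection starts the same day
        else:
            total += inv
        p_fail = p.p_fail_patched if patched else p.p_fail_unpatched
        total -= p_fail * p.failure_loss
    return total


def best_update_day(p=DEFAULT):
    """Update day (or None) with the highest expected points per period."""
    options = [None] + list(range(1, p.days_per_period + 1))
    return max(options, key=lambda d: expected_period_points(d, p))


# Policies for the Monte Carlo: return True on a day the participant updates.
def update_on_day(k):
    return lambda day, patched, failed_yesterday: day == k


def never_update(day, patched, failed_yesterday):
    return False


def reactive_update(day, patched, failed_yesterday):
    """Hypothetical habit: patch the day after a failure, once per period."""
    return failed_yesterday and not patched


def simulate(policy, periods=20000, p=DEFAULT, seed=1, risky=False):
    """Monte Carlo of the game; returns mean points per period."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(periods):
        patched = False
        failed_yesterday = False
        for day in range(1, p.days_per_period + 1):
            if policy(day, patched, failed_yesterday):
                if rng.random() < p.update_cost_prob:
                    total -= p.update_cost
                patched = True
            elif risky:
                total += rng.choice(p.risky_payoffs)
            else:
                total += p.safe_payoff
            p_fail = p.p_fail_patched if patched else p.p_fail_unpatched
            failed_yesterday = rng.random() < p_fail
            if failed_yesterday:
                total -= p.failure_loss
    return total / periods


if __name__ == "__main__":
    for d in [None] + list(range(1, 11)):
        print(f"update day {d}: {expected_period_points(d):+.1f} points/period")
    print("best day:", best_update_day())
    print("reactive habit (simulated):", round(simulate(reactive_update), 1))
```

Under these assumptions the closed form is 1.5 - 2k points per period for an update on day k, against -10 for never updating, so updating on day 1 is worth about -0.5 per period, and any update applied on day 6 or later is actually worse than not updating at all in that period. Choosing the risky investment changes the variance of a participant's score but not its expectation, which is why the model treats risk preference as a separate behavioural signal rather than a payoff term.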
Given the prominence of security update delays, many participants experienced security failures. But did they learn their lesson? Yes and no.
"If a participant suffered a security failure, they almost always applied a security update the next day," says Gonzalez. "But that behavior usually decayed over time, and participants would fall back to their old habits."
Given these results, the researchers suggest that companies should come up with ways to incentivize users—or at least reduce the time and effort costs—to apply security updates as soon as they're available.
"Make it easier. Make it simpler. Make it cheaper," says Gonzalez. "A big influence in the decisions we make are the incentives we have to make those decisions. Reducing the cost—not only the monetary cost but also time and effort—that helps."
Other authors on the study included former Carnegie Mellon post-doctoral researchers Prashanth Rajivan and Efrat Aharonov-Majar.