In a recent study, researchers explore why we delay software updates, even though we know the risk involved in doing so.
Three years ago, attackers infected roughly 250,000 computers around the world running Windows with malware that would later be named “WannaCry.”
Victims of the attack found their PCs locked and unusable. To regain access to their computers, the victims had to transfer Bitcoin equivalent to $300 to $600 to the attackers.
There’s just one thing.
Weeks before the attack, Microsoft had released a software update that fixed the vulnerability that the attackers exploited. In other words, the victims could have avoided “WannaCry” malware if only they had applied the software update.
So, why didn’t they? That was the question that the researchers at Carnegie Mellon University sought to answer.
In a statement about the study, Cleotilde Gonzalez, a professor in the Department of Social and Decision Sciences, said:
“Understanding what drives people to delay a software update—a critical protective action because they fix bugs that attackers can exploit—would be a step toward preventing such cyberattacks.”
The researchers published their findings in the latest issue of the Journal of Cybersecurity.
Why People Delay Software Updates
For the study, the researchers ran a simulation that rewarded participants for applying the security update. Participants also lost some points if a security failure occurred as a result of delays in updates.
According to the results, the participants only updated 54 percent of the time. What’s more, 65 percent of those updates were delayed.
Findings from the study suggest that the time-cost of updates and individuals’ risk preferences play a significant role. These factors affect not only whether a user applies a software update, but also how long it takes them to do so.
The researchers point out that the participants didn’t learn their lesson, even after the update delays led to security failures.
“If a participant suffered a security failure, they almost always applied a security update the next day,” says Gonzalez. “But that behavior usually decayed over time, and participants would fall back to their old habits.”
Based on these results, Gonzalez and colleagues recommend that companies come up with ways to incentivize security updates. That way, users can apply the updates as soon as they’re available.
Other authors on the study included former Carnegie Mellon post-doctoral researchers Prashanth Rajivan and Efrat Aharonov-Major.