
Study Explores Why We Delay Software Updates Despite the Risks



In a recent study, researchers explore why we delay software updates, even though we know the risk involved in doing so.

Three years ago, attackers infected roughly 250,000 computers around the world running Windows with malware that would later be named “WannaCry.”

Victims of the attack found their PCs locked and unusable. To regain access to their computers, they had to transfer Bitcoin equivalent to $300 to $600 to the attackers.

There’s just one thing.

Weeks before the attack, Microsoft had released a software update that fixed the vulnerability that the attackers exploited. In other words, the victims could have avoided the “WannaCry” malware if only they had applied the software update.

So, why didn’t they? That was the question that the researchers at Carnegie Mellon University sought to answer.

In a statement about the study, Cleotilde Gonzalez, a professor in the Department of Social and Decision Sciences, said:

“Understanding what drives people to delay a software update—a critical protective action because they fix bugs that attackers can exploit—would be a step toward preventing such cyberattacks.”

The researchers published their findings in the latest issue of the Journal of Cybersecurity.

Why People Delay Software Updates

For the study, the researchers ran a simulation that rewarded participants for applying the security update. Participants also lost some points if a security failure occurred as a result of delays in updates.

According to the results, the participants updated only 54 percent of the time. What’s more, 65 percent of those updates were delayed.

Findings from the study suggest that the time-cost of updates and individuals’ risk preferences play a significant role. Not only do they impact whether or not a user applies a software update, but they also determine how long it takes them to do so.

The researchers point out that the participants didn’t learn their lesson, even after the update delays led to security failures.

“If a participant suffered a security failure, they almost always applied a security update the next day,” says Gonzalez. “But that behavior usually decayed over time, and participants would fall back to their old habits.”

Based on these results, Gonzalez and colleagues recommend that companies come up with ways to incentivize security updates. That way, users can apply the updates as soon as they’re available.

Other authors on the study included former Carnegie Mellon post-doctoral researchers Prashanth Rajivan and Efrat Aharonov-Major.

Sumbo Bello

Sumbo Bello is a creative writer who enjoys creating data-driven content for news sites. In his spare time, he plays basketball and listens to Coldplay.
