Security Implications of User Non-compliance Behavior to Software Updates: A Risk Assessment Study

TL;DR

This study investigates how psychological factors and risk information influence user compliance with software updates, proposing a risk assessment model and demonstrating that targeted information can increase update willingness.

Contribution

The paper introduces a model using NVD attributes to assess update delay risks and shows that providing risk scores and vulnerability info enhances user update behavior.

Findings

Providing risk scores increases update willingness

No significant gender difference in update behavior

Risk communication can improve system security

Abstract

Software updates are essential to enhance security, fix bugs, and add better features to the existing software. While some users accept software updates, non-compliance remains a widespread issue. While some users accept software updates, non-compliance remains a widespread issue. End users' systems remain vulnerable to security threats when security updates are not installed or are installed with a delay. Despite research efforts, users' noncompliance behavior with software updates is still prevalent. In this study, we explored how psychological factors influence users' perception and behavior toward software updates. In addition, we investigated how information about potential vulnerabilities and risk scores influences their behavior. Next, we proposed a model that utilizes attributes from the National Vulnerability Database (NVD) to effectively assess the overall risk score associated with delaying software updates. Next, we conducted a user study with Windows OS users, showing that providing a risk score for not updating their systems and information about vulnerabilities significantly increased users' willingness to update their systems. Additionally, we examined the influence of demographic factors, gender, on users' decision-making regarding software updates. Our results show no statistically significant difference in male and female users' responses in terms of concerns about securing their systems. The implications of this study are relevant for software developers and manufacturers as they can use this information to design more effective software update notification messages. The communication of the potential risks and their corresponding risk scores may motivate users to take action and update their systems in a timely manner, which can ultimately improve the overall security of the system.