Sage Journals: Discover world-class research

Abstract

Installing security updates is one of the important security actions individuals can take to prevent potential cybersecurity threats. The cumulative risk of delaying the installation of security updates over an extended period can be substantial, and yet, people often choose to delay such actions. Past research suggests that people neglect to update because the majority overestimate the cost (e.g., time) of an update and underestimate an attack risk. Utilizing the repeated protective decision paradigm, we conducted a laboratory experiment to examine whether priming people about the cumulative risk of not updating could influence their update speed. Results from our experiment show that communicating cumulative risk would only have a momentary eﬀect on peoples’ update decisions and that people would quickly learn from experience to delay or neglect to update. Our ﬁndings highlight the importance of augmenting user habits to improve update decision-making.

Get full access to this article

View all access options for this article.

References

Aharonov-Majar

Rajivan

Gonzalez

Erev

(2020). The impact of variability and prechoice experience on taking safety measures: The case of security updates. Journal of Behavioral Decision Making, 33(1), 3–14.

Maza

Davis

Gonzalez

Azevedo

(2019). Understanding cumulative risk perception from judgments and choices: an application to flood risks. Risk analysis, 39(2), 488–504.

Fischhoﬀ

Bostrom

Quadrel

M. J.

(1993). Risk perception and communication. Annual review of public health, 14(1), 183–203.

Harman

J. L.

Gonzalez

(2015). Allais from experience: Choice consistency, rare events, and common consequences in repeated decisions. Journal of Behavioral Decision Making, 28(4), 369–381.

Hertwig

Barron

Weber

E. U.

Erev

(2004). Decisions from experience and the eﬀect of rare events in risky choice. Psychological science, 15(8), 534–539.

Kahneman

Slovic

S. P.

Slovic

Tversky

(1982). Judgment under uncertainty: Heuristics and biases. Cambridge university press.

Möller

Michahelles

Diewald

Roalter

Kranz

(2012). Update behavior in app markets and security implications: A case study in google play. In Research in the large, large 3.0: 21/09/2012-21/09/2012 (pp. 3–6).

Rajivan

Aharonov-Majar

Gonzalez

(2020). Update now or later? eﬀects of experience, cost, and risk preference on update decisions. Journal of Cybersecurity, 6(1), tyaa002.

Redmiles

E. M.

Zhu

Kross

Kuchhal

Dumitras

Mazurek

M. L.

(2018). Asking for a friend: Evaluating response biases in security user studies. In Proceedings of the 2018 acm sigsac conference on computer and communications security (pp. 1238–1255).

10.

Vaniea

Rashidi

(2016). Tales of software updates: The process of updating software. In Proceedings of the 2016 chi conference on human factors in computing systems (pp. 3215– 3226).

11.

Vaniea

K. E.

Rader

Wash

(2014). Betrayed by updates: how negative experiences aﬀect future security. In Proceedings of the sigchi conference on human factors in computing systems (pp. 2671–2674).

12.

Wash

Rader

Vaniea

Rizor

(2014). Out of the loop: How automated software updates cause unintended security consequences. In 10th symposium on usable privacy and security ({SOUPS}2014) (pp. 89–104).

13.

Workman

Bommer

W. H.

Straub

(2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in human behavior, 24(6), 2799–2816.

Influence of Cumulative Risk Priming on Security Update Decision Making

Abstract

Get full access to this article

References