Abstract

Installing software updates is one of the most important security actions that people can take to protect their computer systems. However, people often delay installing updates. Why would people delay installation of security updates, knowing that these updates may reduce the risk of information loss from attacks? In a laboratory experiment, we studied how people learn to make update decisions from past experiences. In a simulated “work” environment, participants could defend against low probability and high impact losses, by installing a security update. The cost of updates was variable; participants could update immediately for a high cost or wait to update for free, risking increased exposure to attacks and losses. Thus, the optimal decision was to update immediately when the update was made available. The results from our experiment indicate people learn from experience to delay security updates. The cost of the update and individual risk preference both significantly predicted the tendency to delay the update; people with higher willingness to take risks may be more likely to neglect to update, keeping the status quo even when it may be sub-optimal. We discuss the implications of these findings for the design of interventions to reduce delays in update installations.

中文翻译：

---

现在还是以后更新？经验，成本和风险偏好对更新决策的影响

摘要

安装软件更新是人们可以用来保护其计算机系统的最重要的安全措施之一。但是，人们经常会延迟安装更新。人们为什么知道这些更新可以减少攻击造成的信息丢失的风险，却会推迟安装安全更新？在实验室实验中，我们研究了人们如何学会根据过去的经验来制定更新决策。在模拟的“工作”环境中，参与者可以通过安装安全更新来防御低概率和高冲击损失。更新费用是可变的；参与者可能会立即以高昂的成本进行更新，或者等待免费更新，这有增加遭受攻击和损失的风险。因此，最佳决策是在使更新可用时立即进行更新。我们的实验结果表明，人们可以从经验中学习以延迟安全更新。更新的成本和个人风险偏好都显着预测了延迟更新的趋势；愿意冒险的人可能更容易忽略更新，即使现状不是最理想的，也能保持现状。我们讨论了这些发现对减少更新安装延迟的干预措施设计的意义。