Mahzabin Tamanna, Mohd Anwar, Joseph D.W. Stephens
Journal of Information Security and Applications, Volume 93, Article 104152. Published 2025-07-11. DOI: 10.1016/j.jisa.2025.104152. URL: https://www.sciencedirect.com/science/article/pii/S2214212625001899
Security implications of user non-compliance behavior to software updates: A risk assessment study
Software updates are essential to enhance security, fix bugs, and add better features to the existing software. While some users accept software updates, non-compliance remains a widespread issue. End users’ systems remain vulnerable to security threats when security updates are not installed or are installed with a delay. Despite research efforts, users’ noncompliance behavior with software updates is still prevalent. In this study, we explored how psychological factors influence users’ perception and behavior toward software updates. In addition, we investigated how information about potential vulnerabilities and risk scores influences their behavior. Next, we proposed a model that utilizes attributes from the National Vulnerability Database (NVD) to effectively assess the overall risk score associated with delaying software updates. Next, we conducted a user study with Windows OS users, showing that providing a risk score for not updating their systems and information about vulnerabilities significantly increased users’ willingness to update their systems. Additionally, we examined the influence of a demographic factor, gender, on users’ decision-making regarding software updates. Our results show no statistically significant difference in male and female users’ responses in terms of concerns about securing their system. The implications of this study are relevant for software developers and manufacturers as they can use this information to design more effective software update notification messages. The communication of the potential risks and their corresponding risk scores may motivate users to take action and update their systems in a timely manner, which can ultimately improve the overall security of the system.
About the journal:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.