"Asking for a Friend: Evaluating Response Biases in Security User Studies" is a lengthy scientific research paper exploring consumer software update behavior. Authors Elissa M. Redmiles, Ziyun Zhu, Sean Kross, Dhruv Kuchhal, Tudor Dumitras, and Michelle L. Mazurek conclude, in part, that people don't in fact update their systems as promptly as they say they do, or should do.
The study is primarily concerned with the methods used to survey human behaviors. The authors acknowledge the extensive body of scientific research concerning survey methods and common biases. In respect of discrepancies between lab tests and real-world results, they acknowledge typical reasons such as:
- Sub-optimal study designs;
- Inadequate survey population sampling;
- Cognitive biases by respondents, including a reluctance to admit to socially unacceptable behavior; and
- Other issues with some approaches (e.g. online surveys).
They actively countered some of the biases in this study, for example by:
- Carefully framing and wording each survey question and the responses (e.g. asking how respondents would advise a friend on speed of updates, in contrast to how they report their own update speeds);
- Randomizing the sequence of some questions;
- Comparing online against interview-based surveys.
My interest is more pragmatic than academic: why is it that people don't update as promptly as they think or should do? Is there anything we might do to close that gap between intention and action?
Awareness efforts (including ours!) typically emphasize the importance of rapid patching of vulnerable systems for security reasons ... but it would be helpful if our approach was even more motivational.
To be fair, it would also help if the process of patching systems was less arduous, disruptive and risky in its own right. Automating the new-version checks, patch downloading and installation reduce the effort but increase the risk, especially on today's relatively complex IT systems with numerous applications sharing and sometimes conflicting for the same resources. There's a lot to be said for the IoT-type approach, simplifying things (and things) through specialization. Why install a networked Windows or Linux PC to control an elevator when a dedicated and isolated control system can do the job with much less complexity and risk?
And one more thing: if software was better specified, designed, developed and quality-assured in the first place, there would be less need for security patches at all! Dream on.