Enabling auto-updates is more complicated than you think
Last week, our CEO recommended a few ways to influence long-term security behaviors. This week, we’re jumping into auto-updates.
“Change is the only constant.” That’s certainly true as far as IT is concerned. Software will always contain flaws and vulnerabilities. And a vulnerability is an invitation for cybercriminals to do some of their favorite things—like steal data and install malware.
That’s why enabling auto-updates is one of the most effective steps people can take against cybercrime.
But, as we saw with the infamous WannaCry ransomware attacks, people often procrastinate or ignore updates. In that case, the result was millions of infected devices worldwide. Behavioral insights suggest that experience, opportunity cost, and risk preferences influence this behavior—proving, once again, that ‘awareness’ isn’t enough.
Let’s dive a little deeper.
Why aren’t people enabling auto-updates?
In 2018, researchers asked participants to work in a simulated operating system. The trials used a “cost variability” design—where security actions (or inactions) incur costs that change over time.
Participants were told there was a risk of a security failure, and that if the failure happened, the cost would be 100 points. To update immediately would cost them 10 points, a relatively small amount in the experiment’s points system. Some users were given another option: they could update the system later, which could cost anything from 0 points upwards, with the cost rising as time passed.
The points system mirrors the productivity costs which real-world users weigh up when choosing when to update. Updating immediately means losing some productivity now, but less risk later. Waiting until a period of low productivity may be appealing, but then there’s a higher chance of facing the very high ‘productivity cost’ of a potential attack.
The researchers found that participants who had the option of updating later for 0 points often intended to wait until the update would be free. But they forgot to do it, so they ended up paying more.
And that’s the thing about intentions—they don’t mean anything unless action follows.
So, how do we override this human instinct to wave away updates like a wasp in a garden? Because, ironically, that’s what gets us stung.
How to encourage people to enable auto-updates
The research touched on the “going with the flow” principle. The basic idea is that humans are predisposed to go with the flow, so when you present auto-updates as the default option, people are more likely to enable them.
It’s a small but effective behavioral ‘nudge’ that can be easily adopted in any organization.
Speaking of nudges, they don’t have to be limited to on-screen pop-ups. Culture and internal communications make a difference—so, effective security messaging across the board should be a top priority.
Don’t let security become another item on your people’s to-do lists.