Tales of Software Updates: The process of updating software

Updates alter the way software functions by fixing bugs, changing features, and modifying the user interface. Sometimes changes are welcome, even anticipated, and sometimes they are unwanted, leading users to avoid potentially unwanted updates. If users delay or do not install updates, it can have serious security implications for their computer. Updates are one of the primary mechanisms for correcting discovered vulnerabilities; when a user does not update, they remain vulnerable to an increasing number of attacks. In this work we detail the process users go through when updating their software, including both the positive and negative issues they experience. We asked 307 survey respondents to provide two contrasting software update stories. Using content analysis, we analysed the stories and found that users go through six stages while updating: awareness, deciding to update, preparation, installation, troubleshooting, and post state. We further detail the issues respondents experienced during each stage and the impact on their willingness to update.
