"They Keep Coming Back Like Zombies": Improving Software Updating Interfaces

Users often do not install security-related software updates, leaving their devices open to exploitation by attackers. We are beginning to understand which factors affect this software updating behavior, but the question of how to improve current software updating interfaces remains unanswered. In this paper, we begin to tackle this question by studying software updating behaviors, designing alternative updating interfaces, and evaluating these designs. We describe a formative study of 30 users' software updating practices, the low-fidelity prototype we developed to address the issues identified in that study, and an evaluation of the prototype with 22 users. Our findings suggest that updates interrupt users, that users lack sufficient information to decide whether or not to update, and that users vary in how they want to be notified about updates and how they want to give consent to them. Based on our study, we make four recommendations for improving desktop updating interfaces and outline sociotechnical considerations around software updating that ultimately affect end-user security.
