Why Computer Users Don’t Install Security Patches

Security professionals are often surprised and frustrated by computer users’ apparent inability to keep up with security patches. With free tools such as Microsoft Update and Secunia PSI, why are people failing to regularly install the updates?

It’s not that people don’t care about security per se. It’s just that they rarely think about using a computer in terms of anything other than the browser nowadays.

When you look at the new software initiatives in established companies as well as start-ups, the product development efforts seem to focus on building either web-based or mobile applications. That’s what users of computers and mobile phones truly care about. Since the users don’t give much thought to the workings of the operating system or native applications, they won’t remember to keep them patched up.

With this in mind, perhaps we should give up the notion that we can educate people to install their own security patches for the computer’s OS or native applications. If the patches are to be installed, the installation needs to be completely automated, without requiring any user involvement. Otherwise it won’t happen in the vast majority of cases. This is how most antivirus software and signature updates happen now. Other computer software vendors should consider adopting the same model.

Update: I should clarify that the need for a patch installation process that doesn’t require the user’s involvement applies in both consumer and enterprise environments. However, enterprises need to have the ability to test and approve the updates before they are rolled out to the users. On consumer systems, I’d like to see a setup that enables interaction-free installation by default; however, a “power” user should have the ability to enable a more interactive update process, should he need to exercise control over what gets installed and how.


Lenny Zeltser


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
