Why Computer Users Don’t Install Security Patches

Security professionals are often surprised and frustrated by computer users’ apparent inability to keep up with security patches. With free tools such as Microsoft Update and Secunia PSI, why are people failing to regularly install the updates?

It’s not that people don’t care about security per se. It’s just that nowadays they rarely think about using a computer in terms of anything beyond the browser.

When you look at the new software initiatives in established companies as well as start-ups, the product development efforts seem to focus on building either web-based or mobile applications. That’s what users of computers and mobile phones truly care about. Since the users don’t give much thought to the workings of the operating system or native applications, they won’t remember to keep them patched up.

With this in mind, perhaps we should give up the notion that we can educate people to install their own security patches for the computer’s OS or native applications. If the patches are to be installed, the installation needs to be completely automated, requiring no user involvement. Otherwise it won’t happen in the vast majority of cases. This is how most antivirus software and signature updates are delivered now. Other software vendors should consider adopting the same model.

Update: I should clarify that the need for a patch installation process that doesn’t require the user’s involvement applies in both consumer and enterprise environments. However, enterprises need the ability to test and approve updates before they are rolled out to users. On consumer systems, I’d like to see a setup that enables interaction-free installation by default; however, a “power” user should have the ability to enable a more interactive update process, should he need to exercise control over what gets installed and how.


Lenny Zeltser


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.