Why Computer Users Don’t Install Security Patches

Security professionals are often surprised and frustrated by computer users’ apparent inability to keep up with security patches. With free tools such as Microsoft Update and Secunia PSI, why are people failing to regularly install the updates?

It’s not that people don’t care about security per se. It’s just that they rarely think about using a computer in terms of non-browser applications nowadays.

When you look at the new software initiatives in established companies as well as start-ups, the product development efforts seem to focus on building either web-based or mobile applications. That’s what users of computers and mobile phones truly care about. Since the users don’t give much thought to the workings of the operating system or native applications, they won’t remember to keep them patched up.

With this in mind, perhaps we should give up the notion that we can educate people to install their own security patches to the computer’s OS or native applications. If the patches are to be installed, the installation needs to be completely automated without requiring any user involvement. Otherwise it won’t happen in the vast majority of cases. This is how most antivirus software and signature updates happen now. Other computer software vendors should consider adopting the same model.

Update: I should clarify that the need for a patch installation process that doesn’t require the user’s involvement applies in both consumer and enterprise environments. However, enterprises need to have the ability to test and approve the updates before they are rolled out to the users. On consumer systems, I’d like to see a setup that enables interaction-free installation by default; however, a “power” user should have the ability to enable a more interactive update process, should he need to exercise control over what gets installed and how.


Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.