{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,27]],"date-time":"2026-06-27T19:34:33Z","timestamp":1782588873042,"version":"3.54.5"},"reference-count":75,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2020,3,6]],"date-time":"2020-03-06T00:00:00Z","timestamp":1583452800000},"content-version":"vor","delay-in-days":65,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,1,1]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Installing software updates is one of the most important security actions that people can take to protect their computer systems. However, people often delay installing updates. Why would people delay installation of security updates, knowing that these updates may reduce the risk of information loss from attacks? In a laboratory experiment, we studied how people learn to make update decisions from past experiences. In a simulated \u201cwork\u201d environment, participants could defend against low probability and high impact losses, by installing a security update. The cost of updates was variable; participants could update immediately for a high cost or wait to update for free, risking increased exposure to attacks and losses. Thus, the optimal decision was to update immediately when the update was made available. The results from our experiment indicate people learn from experience to delay security updates. The cost of the update and individual risk preference both significantly predicted the tendency to delay the update; people with higher willingness to take risks may be more likely to neglect to update, keeping the status quo even when it may be sub-optimal. We discuss the implications of these findings for the design of interventions to reduce delays in update installations.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaa002","type":"journal-article","created":{"date-parts":[[2020,3,6]],"date-time":"2020-03-06T15:33:29Z","timestamp":1583508809000},"source":"Crossref","is-referenced-by-count":21,"title":["Update now or later? Effects of experience, cost, and risk preference on update decisions"],"prefix":"10.1093","volume":"6","author":[{"given":"Prashanth","family":"Rajivan","sequence":"first","affiliation":[{"name":"Social and Decision Sciences Department, Carnegie Mellon University, Pittsburgh, PA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Efrat","family":"Aharonov-Majar","sequence":"first","affiliation":[{"name":"Social and Decision Sciences Department, Carnegie Mellon University, Pittsburgh, PA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6244-2918","authenticated-orcid":false,"given":"Cleotilde","family":"Gonzalez","sequence":"first","affiliation":[{"name":"Social and Decision Sciences Department, Carnegie Mellon University, Pittsburgh, PA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"286","published-online":{"date-parts":[[2020,3,6]]},"reference":[{"key":"2020030610331388500_tyaa002-B1","year":"2015"},{"key":"2020030610331388500_tyaa002-B2","year":"2014"},{"key":"2020030610331388500_tyaa002-B3","first-page":"1","volume-title":"7th International Conference on Risk and Security of Internet and Systems (Crisis)","author":"Marconato","year":"2012"},{"key":"2020030610331388500_tyaa002-B4","first-page":"426","volume-title":"International Workshop on Recent Advances in Intrusion Detection","author":"Nayak","year":"2014"},{"key":"2020030610331388500_tyaa002-B5","author":"Anderson"},{"key":"2020030610331388500_tyaa002-B6","first-page":"175","article-title":"Impact of user characteristics on attitudes towards automatic mobile application updates","author":"Mathur","year":"2017","journal-title":"Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017)"},{"key":"2020030610331388500_tyaa002-B7","first-page":"3215","author":"Vaniea","year":"2016"},{"key":"2020030610331388500_tyaa002-B8","first-page":"1","volume-title":"2012 IEEE Military Communications Conference (MICOM 2012)","author":"Khan","year":"2012"},{"key":"2020030610331388500_tyaa002-B9","first-page":"3","volume-title":"3rd workshop on Research in the large at MobileHCI 2012","author":"M\u00f6ller","year":"2012"},{"key":"2020030610331388500_tyaa002-B10","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1007\/978-3-319-54328-4_9","volume-title":"International Conference on Passive and Active Network Measurement","author":"Sarabi","year":"2017"},{"key":"2020030610331388500_tyaa002-B11","first-page":"4242","author":"Vitale","year":"2017"},{"key":"2020030610331388500_tyaa002-B12","first-page":"239","article-title":"To pin or not to pin-helping app developers bullet proof their TLS connections","author":"Oltrogge","year":"2015","journal-title":"In: 24th {USENIX} Security Symposium (USENIX Security 15)"},{"key":"2020030610331388500_tyaa002-B13","first-page":"1938","article-title":"A brief study of wannacry threat: ransomware attack 2017","author":"Mohurle"},{"key":"2020030610331388500_tyaa002-B14","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1002\/bdm.443","article-title":"Small feedback-based decisions and their limited correspondence to description-based decisions","volume":"16","author":"Barron","year":"2003","journal-title":"J Behav Decis Mak"},{"key":"2020030610331388500_tyaa002-B15","doi-asserted-by":"crossref","first-page":"534","DOI":"10.1111\/j.0956-7976.2004.00715.x","article-title":"Decisions from experience and the effect of rare events in risky choice","volume":"15","author":"Hertwig","year":"2004","journal-title":"Psychol Sci"},{"key":"2020030610331388500_tyaa002-B16","first-page":"133","author":"Herley","year":"2009. ' , , . 9, 2009."},{"key":"2020030610331388500_tyaa002-B17","first-page":"97","volume-title":"Twelfth Symposium on Usable Privacy and Security (SOUPS 2016)","author":"Forget","year":"2016"},{"key":"2020030610331388500_tyaa002-B18","first-page":"89","volume-title":"In: Symposium on Usable Privacy and Security (SOUPS)","author":"Wash","year":"2014"},{"key":"2020030610331388500_tyaa002-B19","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1007\/BF01065350","article-title":"Determinants of risk-taking: behavioral and economic views","volume":"6","author":"Schoemaker","year":"1993","journal-title":"J Risk Uncertain"},{"key":"2020030610331388500_tyaa002-B20","first-page":"1238","author":"Redmiles","year":"2018"},{"key":"2020030610331388500_tyaa002-B21","first-page":"2873","author":"Egelman","year":"2015"},{"key":"2020030610331388500_tyaa002-B22","first-page":"209","author":"Grossklags","year":"2008"},{"key":"2020030610331388500_tyaa002-B23","article-title":"Interdependent security games on networks under behavioral probability weighting","volume":"5","author":"Hota","journal-title":"IEEE T Control Netw Syst,"},{"key":"2020030610331388500_tyaa002-B24","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1145\/2635673","article-title":"A survey of interdependent information security games","volume":"47","author":"Laszka","year":"2015","journal-title":"ACM Comput Surv"},{"key":"2020030610331388500_tyaa002-B25","doi-asserted-by":"crossref","first-page":"43","DOI":"10.1145\/2629487","article-title":"Designing user incentives for cybersecurity","volume":"57","author":"August","year":"2014","journal-title":"Communications of the ACM"},{"key":"2020030610331388500_tyaa002-B26","doi-asserted-by":"crossref","first-page":"642","DOI":"10.1287\/mnsc.1070.0771","article-title":"Optimal policy for software vulnerability disclosure","volume":"54","author":"Arora","year":"2008","journal-title":"Manag Sci"},{"key":"2020030610331388500_tyaa002-B27","doi-asserted-by":"crossref","first-page":"1703","DOI":"10.1287\/mnsc.1060.0568","article-title":"Network software security and user incentives","volume":"52","author":"August","year":"2006","journal-title":"Manag Sci"},{"key":"2020030610331388500_tyaa002-B28","first-page":"233","volume-title":"LISA","author":"Beattie","year":"2002"},{"key":"2020030610331388500_tyaa002-B29","doi-asserted-by":"crossref","first-page":"462","DOI":"10.1287\/ijoc.2014.0638","article-title":"Optimal policies for security patch management","volume":"27","author":"Dey","year":"2015","journal-title":"INFORMS J Comput"},{"key":"2020030610331388500_tyaa002-B30","doi-asserted-by":"crossref","first-page":"504","DOI":"10.1016\/j.chb.2015.04.075","article-title":"A study of users\u2019 experiences and beliefs about software update messages","volume":"51","author":"Fagan","year":"2015","journal-title":"Comput Human Behav"},{"key":"2020030610331388500_tyaa002-B31","first-page":"2671","author":"Vaniea","year":"2014"},{"key":"2020030610331388500_tyaa002-B32","doi-asserted-by":"crossref","first-page":"34","DOI":"10.1145\/1330311.1330320","article-title":"The psychology of security","volume":"51","author":"West","year":"2008","journal-title":"Commun ACM"},{"key":"2020030610331388500_tyaa002-B33","doi-asserted-by":"crossref","first-page":"302","DOI":"10.1007\/978-3-319-07127-5_27","volume-title":"International Conference on Persuasive Technology","author":"Zhang-Kennedy","year":"2014"},{"key":"2020030610331388500_tyaa002-B34","doi-asserted-by":"crossref","first-page":"205","DOI":"10.1016\/j.geb.2009.11.003","article-title":"Present-bias, quasi-hyperbolic discounting, and fixed costs","volume":"69","author":"Benhabib","year":"2010","journal-title":"Games Econom Behav"},{"key":"2020030610331388500_tyaa002-B35","author":"Frik","year":"2018"},{"key":"2020030610331388500_tyaa002-B36","first-page":"604","author":"Frik","year":"2019"},{"key":"2020030610331388500_tyaa002-B37","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1080\/10447318.2017.1314612","article-title":"The user affective experience scale: a measure of emotions anticipated in response to pop-up computer warnings","volume":"34","author":"Buck","year":"2018","journal-title":"Int J Hum\u2013Comput Int"},{"key":"2020030610331388500_tyaa002-B38","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1186\/s13673-015-0053-y","article-title":"How does this message make you feel? A study of user perspectives on software update\/warning message design","volume":"5","author":"Fagan","year":"2015","journal-title":"Hum-Cent Comput Info Sci"},{"key":"2020030610331388500_tyaa002-B39","doi-asserted-by":"crossref","first-page":"94","DOI":"10.1007\/978-3-642-41320-9_7","volume-title":"International Conference on Financial Cryptography and Data Security","author":"Harbach","year":"2013"},{"key":"2020030610331388500_tyaa002-B40","author":"Morgner","year":"2019"},{"key":"2020030610331388500_tyaa002-B41","author":"Qu","year":"2019"},{"key":"2020030610331388500_tyaa002-B42","doi-asserted-by":"crossref","first-page":"22","DOI":"10.4018\/joeuc.2004070102","article-title":"Computer security and risky computing practices: a rational choice perspective","volume":"16","author":"Aytes","year":"2004","journal-title":"J Organ End User Comput"},{"key":"2020030610331388500_tyaa002-B43","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1162\/DAED_a_00116","article-title":"Doctrine for cybersecurity","volume":"140","author":"Mulligan","year":"2011","journal-title":"Daedalus"},{"key":"2020030610331388500_tyaa002-B44","doi-asserted-by":"crossref","first-page":"2799","DOI":"10.1016\/j.chb.2008.04.005","article-title":"Security lapses and the omission of information security measures: a threat control model and empirical test","volume":"24","author":"Workman","year":"2008","journal-title":"Comput Human Behav"},{"key":"2020030610331388500_tyaa002-B45","doi-asserted-by":"crossref","first-page":"149","DOI":"10.1177\/1555343415570055","article-title":"Influence of risk\/safety information framing on android app-installation decisions","volume":"9","author":"Chen","year":"2015","journal-title":"J Cogn Eng Decis Mak"},{"key":"2020030610331388500_tyaa002-B46","author":"Rajivan","year":"2016"},{"key":"2020030610331388500_tyaa002-B47","first-page":"16","author":"Egelman","year":"2015"},{"key":"2020030610331388500_tyaa002-B48","doi-asserted-by":"crossref","first-page":"410","DOI":"10.1016\/j.cose.2007.03.001","article-title":"Assessing the security perceptions of personal internet users","volume":"26","author":"Furnell","year":"2007","journal-title":"Comput Security"},{"key":"2020030610331388500_tyaa002-B49","doi-asserted-by":"crossref","first-page":"1466","DOI":"10.1080\/13669877.2016.1153504","article-title":"My computer is infected: the role of users\u2019 sensation seeking and domain-specific risk perceptions and risk attitudes on computer harm","volume":"20","author":"Herrero","year":"2017","journal-title":"J Risk Res"},{"key":"2020030610331388500_tyaa002-B50","doi-asserted-by":"crossref","first-page":"209","DOI":"10.1109\/SP.2012.23","volume-title":"2012 IEEE Symposium on Security and Privacy","author":"Howe","year":"2012. , , . 20-23, 2012."},{"key":"2020030610331388500_tyaa002-B51","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1089\/cyber.2014.0179","article-title":"Individual differences in cyber security behaviors: an examination of who is sharing passwords","volume":"18","author":"Whitty","year":"2015","journal-title":"Cyberpsychol Behav Soc Netw"},{"key":"2020030610331388500_tyaa002-B52","first-page":"1","article-title":"\u201c \u2026 no one can hack my mind\u201d: comparing expert and non-expert security practices","volume":"15","author":"Ion","year":"2015","journal-title":"SOUPS"},{"key":"2020030610331388500_tyaa002-B53","first-page":"490","author":"Farhang","year":"2018"},{"key":"2020030610331388500_tyaa002-B54","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1016\/j.cose.2017.11.015","article-title":"Correlating human traits and cyber security behavior intentions","volume":"73","author":"Gratian","year":"2018","journal-title":"Comput Secur"},{"key":"2020030610331388500_tyaa002-B55","author":"Abbasi"},{"key":"2020030610331388500_tyaa002-B56","first-page":"213","author":"Christin","year":"2004"},{"key":"2020030610331388500_tyaa002-B57","author":"Cranford","year":"40"},{"key":"2020030610331388500_tyaa002-B58","author":"Grossklags"},{"key":"2020030610331388500_tyaa002-B59","doi-asserted-by":"crossref","first-page":"85","DOI":"10.1201\/b21145-5","volume-title":"Human Factors and Ergonomics for the Gulf Cooperation Council","author":"Rajivan","year":"2018"},{"key":"2020030610331388500_tyaa002-B60","doi-asserted-by":"crossref","first-page":"341","DOI":"10.1037\/0003-066X.39.4.341","article-title":"Choices, values, and frames","volume":"39","author":"Kahneman","year":"1984","journal-title":"Am Psychol"},{"key":"2020030610331388500_tyaa002-B61","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1142\/9789814417358_0006","volume-title":"Handbook of the Fundamentals of Financial Decision Making: Part I","author":"Kahneman","year":"2013"},{"key":"2020030610331388500_tyaa002-B62","doi-asserted-by":"crossref","first-page":"297","DOI":"10.1007\/BF00122574","article-title":"Advances in prospect theory: cumulative representation of uncertainty","volume":"5","author":"Tversky","year":"1992","journal-title":"J Risk Uncertain"},{"key":"2020030610331388500_tyaa002-B63","doi-asserted-by":"crossref","first-page":"515","DOI":"10.1016\/j.ssci.2005.11.006","article-title":"The effect of experience on using a safety device","volume":"44","author":"Yechiam","year":"2006","journal-title":"Saf Sci"},{"key":"2020030610331388500_tyaa002-B64","doi-asserted-by":"crossref","first-page":"118","DOI":"10.1006\/obhd.1998.2772","article-title":"Accidents and decision making under uncertainty: a comparison of four models","volume":"74","author":"Barkan","year":"1998","journal-title":"Organ Behav Human Decis Process"},{"key":"2020030610331388500_tyaa002-B65","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1177\/1745691610393980","article-title":"Amazon\u2019s mechanical turk: a new source of inexpensive, yet high-quality, data?","volume":"6","author":"Buhrmester","year":"2011","journal-title":"Perspect Psychol Sci"},{"key":"2020030610331388500_tyaa002-B66","first-page":"215","author":"Redmiles","year":"2018"},{"key":"2020030610331388500_tyaa002-B67","doi-asserted-by":"crossref","first-page":"517","DOI":"10.1016\/j.tics.2009.09.004","article-title":"The description\u2013experience gap in risky choice","volume":"13","author":"Hertwig","year":"2009","journal-title":"Trends Cogn Sci"},{"key":"2020030610331388500_tyaa002-B68","first-page":"692","author":"Nappa","year":"2015"},{"key":"2020030610331388500_tyaa002-B69","doi-asserted-by":"crossref","first-page":"369","DOI":"10.1002\/bdm.1855","article-title":"Allais from experience: choice consistency, rare events, and common consequences in repeated decisions","volume":"28","author":"Harman","year":"2015","journal-title":"J Behav Decis Mak"},{"key":"2020030610331388500_tyaa002-B70","doi-asserted-by":"crossref","first-page":"369","DOI":"10.1037\/rev0000062","article-title":"From anomalies to forecasts: toward a descriptive model of decisions under risk, under ambiguity, and from experience","volume":"124","author":"Erev","year":"2017","journal-title":"Psychol Rev"},{"key":"2020030610331388500_tyaa002-B71","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1109\/MTS.2009.934142","article-title":"Mental models of privacy and security","volume":"28","author":"Camp","year":"2009","journal-title":"IEEE Technol Soc Mag"},{"key":"2020030610331388500_tyaa002-B72","doi-asserted-by":"crossref","DOI":"10.1136\/qshc.2009.032763","article-title":"The value of \u2018gentle reminder\u2019 on safe medical behaviour","volume":"19","author":"Erev","year":"2010","journal-title":"BMJ Qual Saf"},{"key":"2020030610331388500_tyaa002-B73","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1504\/IJRAM.2007.011726","article-title":"On the difficulty of promoting workers\u2019 safety behaviour: overcoming the underweighting of routine risks","volume":"7","author":"Zohar","year":"2007","journal-title":"Int J Risk Assess Manag"},{"key":"2020030610331388500_tyaa002-B74","doi-asserted-by":"publisher","DOI":"10.1002\/bdm.2131","article-title":"The impact of variability and prechoice experience on taking safety measures: the case of security updates","author":"Aharonov-Majar","journal-title":"J Behav Decis Mak"},{"key":"2020030610331388500_tyaa002-B75","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1111\/j.1539-6924.1982.tb01369.x","article-title":"Why study risk perception?","volume":"2","author":"Slovic","year":"1982","journal-title":"Risk Anal"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa002\/32817264\/tyaa002.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa002\/32817264\/tyaa002.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,3,3]],"date-time":"2021-03-03T00:00:11Z","timestamp":1614729611000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaa002\/5788613"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,1]]},"references-count":75,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,1,1]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaa002","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2020]]},"published":{"date-parts":[[2020,1,1]]},"article-number":"tyaa002"}}