Avast Report May Explain Why Users Are Resisting Microsoft’s BlueKeep Patch | Avast

One of the largest tech companies in the world, the U.S. government, and cybersecurity professionals are all fervently urging computer users to apply an easy patch that could prevent a vulnerability known as BlueKeep from becoming a major cybersecurity incident.

Why won’t users do it? New research from Avast suggests an answer.

Microsoft has been imploring users to apply a patch to a vulnerability in older versions of Windows in blunt warnings since mid-May. The company warned that the BlueKeep vulnerability could cause a “wormable” cybersecurity outbreak that could “propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

For this reason, Microsoft said, “We are taking the unusual step of providing a security update for all customers to protect Windows platforms.”

Two weeks later Microsoft circled back with a warning that noted how many users were not heeding its warnings about BlueKeep. “If recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable,” Microsoft wrote to users at the end of May.

Microsoft wasn’t the only one noticing the issue. The company’s statement cited research by Robert Graham of Errata Security that warned, “Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines.”

Last week the United States’ 30,000-employee National Security Agency took the unusual step of reinforcing the warnings. The Microsoft vulnerability “could spread without user interaction across the internet,” the NSA warned in an advisory about BlueKeep. “We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.”

But how can companies, governments, and cybersecurity professionals “motivate increased protections” when warnings this stern don’t work? How many dire warnings do people need? The answer, the Avast research notes, may be fewer.

“Repeated exposure to a security warning – particularly if we’ve ignored one before and nothing bad happened – leads to habituation,” according to the report from Avast and ORConsulting, a psychology practice for business.

Past experiences that were complicated or time-consuming can cause users to hesitate when they are urged to update software. A fuzzy understanding of what’s involved can also cause them to be reluctant. In a split-second struggle in the brain’s limbic system, avoidance conquers logic. Someone goes back to work and lets the warning fade from their mind.

How do you fix this avoidance? A different approach that includes empathy for users, framing the message, and behavioral economics may engage users better than intimidating advisories, the researchers found.

Cybersecurity pros may balk at the idea of promoting a badly needed update, but understanding people’s motivations might make a huge difference. Explaining the issue patiently, noting the user’s ability to make a difference, and creating greater awareness and shared responsibility could go a long way.

“Using ideas like this requires creativity and experimentation, but at least they are informed by evidence about how humans actually make decisions,” the report found.

Read more from Avast’s report on user behavior that can make stopping major cybersecurity incidents harder in “Update Inertia: The Psychology Behind Patching and Updating Software.”

*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/avast-report-bluekeep-patch