Automatic updates are becoming increasingly common, which minimizes the amount of update decisions that users have to make. Rapidly deployed important updates have a major impact on security. However, automatic updates also reduce the users' opportunities to build useful mental models which makes decision-making harder on other consumer devices without automatic updates. Users generally transfer their understanding from domains that they know well (i.e., smartphones) to others. We investigate how well this transfer process works with respect to updates and if users with automatic updates fare worse than those with manual updates. We conducted a formative field study (N = 5$) to observe users' update settings on smartphones and examine reasons for their (de-)activation. Based on the results, we conducted an online survey (N = 91) to compare how users perceive update notifications for smartphones and smart consumer devices. One of our main findings is that update decisions based on expected changes do not apply well to these devices since participants do not expect meaningful and visual changes. We suggest naming updates for such devices 'maintenance' to move users' expectations from 'new features' to 'ensuring future functionality'.
The 3rd Workshop on Security, Privacy, Organizations, and Systems Engineering