TULIPS: Projects

Technology Usability Lab In Privacy and Security

Software Updates

Updating software is one of the most effective methods of protecting computers from security vulnerabilities, yet many people choose to not install them. In this project we look at all types of users to understand how people approach the problem of updating software and what potential solutions look like.

The automatic installation of updates is a contentious issue between end users, admins, and developers. End users want a safe and bother-free user experience. Security professionals want to see vulnerabilities patched as infected devices are often used to attack other systems and compromise the networks they are connected to. Software developers want to support fewer legacy installations. The result is conflicting goals.

End Users

End users are regularly asked to update all types of software including: mobile apps, applications, operating systems, and firmware on devices like robot vacumes. Our work talking to end-users suggests that they do not associate updates with security, unless the software being updated has an obvious security role, such as an anti-virus. Instead they update because they feel it is something they are supposed to do. Updates are seen as necessary to get new features, fix bugs, and ensure compatability with other technologies. End users do sometimes choose to "skip" an update or to stop updating all together. Common reasons tend to be related to risks of disruption including: unexpected user interface changes which then cost time learning new interactions, time required for the installation, potential instability of the new version, and loss of features.

System Administrators and Developers

Many serious security compromises could have been prevented using basic patch management, including WannaCry and the Experian data breach. Yet these systems are not being patched at nearly the rate we would like. This project looks at system administrators and endeavor to determine the barriers they face when attempting to keep a system updated.


  1. Kami Vaniea, and Yasmeen Rashidi, Tales of Software Updates: The process of updating software. In Conference on Human Factors In Computing Systems, 2016.
  2. Rick Wash, Emilee Rader, Kami Vaniea, and Michelle Rizor. Out of the Loop: How Automated Software Updates Cause Unintended Security Consequences. In SOUPS 2014: Symposium on Usable Privacy and Security, July 2014.
  3. Kami Vaniea, Emilee Rader, and Rick Wash. Betrayed By Updates: How Negative Experiences Affect Future Security. In CHI 2014: Conference on Human Factors in Computing Systems, April 2014.



Current Prior


Research and projects here are partially funded by the following groups:

Related Student Projects

The following are projects completed by interns, undergraduate, and masters students related to the Software Update project.
Project screenshot.

Meagle - Crowdsourced software data with community-moderated software reviews

Tom Macmichael (2016-2017, Undergraduate Thesis)

Supervisors: Sebastian Maneth, Kami Vaniea

Finding impartial information about a given piece of software is not easy: there is no single place users can visit to find and contribute information in a consistent manner. This project reated a new website called Meagle, that allows a community of users to review pieces of software with moderation so the best reviews are easy to find.

Project screenshot.

Building a website for users to rate software updates

Kayode Oduyemi (2016-2017, Undergraduate Thesis)

Supervisors: Sebastian Maneth, Kami Vaniea

End users are not particularly aware of the security implications of not installing updates. This project addresses the problem by creating a website where users can comment on and rate software updates.