The impact of variability and prechoice experience on taking safety measures: The case of security updates

Abstract

AbstractThe goal of this research is to clarify the conditions that trigger reluctance to take cost‐effective safety measures. We present three experiments. In two of the experiments, the participants were asked to operate a simulated system for 20 periods, each with 10 trials. They could “update the system” to eliminate the risk of a “security failure” that led to a loss of 100 points. The updating cost was either fixed (at 10 points) or variable (initially 10 points, and some probability of free—0 points—updates). The optimal strategy prescribed updating at the first opportunity. Another experiment focused on one‐shot decision under risk. The results highlight two factors that reduce the tendency to update and impair performance: cost variability and prechoice experience. Importantly, we show that the negative impact of cost variability is the product of two tendencies. First, experiencing periods with free updates slowed learning to select the optimal policy. Second, in many cases, the participants behaved as if they plan to update when the cost of updating is low but forget to do so. The results suggest that security can be enhanced by asking users to select a default updating policy before gaining experience and by replacing “free updates” with automatic updates. Information concerning the existence of automatic updates reduced manual updating, but this effect was eliminated by experience.