Users frequently delay or ignore software updates, exposing systems to exploitable vulnerabilities—a behavioral phenomenon termed “update neglect.” Method: This study integrates psychological constructs (knowledge, awareness, experience) with quantitative vulnerability risk scores to develop an interpretable security risk assessment model. A controlled experiment (N=XXX, Windows users) evaluates the impact of risk-visualization prompts and structured vulnerability information on update compliance. Contribution/Results: Psychological traits significantly predict update behavior (p<0.01); risk-awareness interventions substantially increase update response rates, with no statistically significant gender differences. The proposed model provides both empirical validation and a deployable framework for designing effective security notification mechanisms—bridging behavioral psychology and practical risk modeling in cybersecurity.

Software updates are essential to enhance security, fix bugs, and add better features to existing software. However, while some users comply and update their systems upon notification, non-compliance is common. Delaying or ignoring updates leaves systems exposed to security vulnerabilities. Despite research efforts, users' noncompliance behavior with software updates is still prevalent. In this study, we explored how psychological factors influence users' perception and behavior toward software updates. In addition, we proposed a model to assess the security risk score associated with delaying software updates. We conducted a user study with Windows OS users to explore how information about potential vulnerabilities and risk scores influence their behavior. Furthermore, we also studied the influence of demographic factors such as gender on the users' decision-making process for software updates. Our results showed that psychological traits, such as knowledge, awareness, and experience, impact users' decision-making about software updates. To increase users' compliance, providing a risk score for not updating their systems and information about vulnerabilities statistically significantly increased users' willingness to update their systems. Additionally, our results indicated no statistically significant difference in male and female users' responses in terms of concerns about securing their systems. The implications of this study are relevant for software developers and manufacturers as they can use this information to design more effective software update notification messages. Highlighting potential risks and corresponding risk scores in future software updates can motivate users to act promptly to update the systems in a timely manner, which can ultimately improve the overall security of the system.