Coping Information Affects Older and Young Adults’ Security Update Decisions

Abstract

Software updating is a critical cybersecurity measure that often depends on decision making by end users on whether to apply, delay, or ignore updates when available. Little is known about how aging may interact with cognitive factors and cybersecurity attitudes to affect software update decisions in older versus younger adults. The present study used an online experiment (N = 120) to compare older and younger adults’ responses to hypothetical software update scenarios that varied in cognitive load, threat information, and coping information, along with measurements of cybersecurity-related attitudes. Across both age groups, coping-related information was more effective than threat information at yielding adaptive responses to software update decisions. Additionally, among older adults, the OSBBQ was associated with more adaptive responses, suggesting that it has practical utility in assessing older adults’ cybersecurity behaviors. The results have implications for future research and promotion of safe cybersecurity practices among younger and older adults.

Keywords

cybersecurity software updates cognitive aging protection motivation theory

Introduction

A key element of cybersecurity is software updating to patch vulnerabilities, which depends upon timely compliance with update installation and is therefore subject to various influences on users’ decision-making processes (e.g., Rajivan et al., 2020). As a result, cognitive factors that influence software updating have been a subject of increasing interest in recent years, with the goal of designing more effective update messages. For example, Fagan et al. (2015) found that users frequently expressed negative attitudes toward software update messages. Aharonov-Majar and colleagues (Aharonov-Majar, Rajivan, Gonzalez, & Erev, 2020; Rajivan et al., 2020) have also examined effects of update cost and prior experience on security updates within the context of economic decision-making games, and found that users may learn to delay updates as a cost-avoidance strategy.

Despite these advancements in research on security-related software update decision making, relatively little research has investigated the role of users’ age, and how older adults may differ from young adults in security-related software updating. Although aging is known to influence decision making generally (e.g., Lighthall, 2020; Samanez-Larkin & Knutson, 2015) a gap exists in understanding age effects in security-related software updating behaviors.

Cybersecurity and Aging

Several recent studies have examined aging effects on general cybersecurity, but did not examine software updating specifically, or included only small samples of older adults. For example, Gillam and Foster (2020) found age was negatively associated with risky cybersecurity behaviors as measured by a survey instrument (Hadlington, 2017) that covered a broad range of items including password behaviors, online safety, and anti-virus protection. Branley-Bell et al. (2022) conducted an online survey which found a positive association between age and reported software updating behavior; however, the large majority (approximately 85%) of respondents to that survey were aged younger than 45 years, with only 2.4% of respondents (n = 14) aged 65 or older. Although these survey results are somewhat encouraging about the association between age and cybersecurity behaviors, other studies have identified potential areas for concern. Morrison et al. (2020; 2021) have used interview methods to examine cybersecurity vulnerabilities and attitudes among small samples of older adults (n = 12 and n = 14, respectively), and found that common themes related to the older adults’ engagement with cybersecurity included their perceptions of computer self-efficacy, the costs associated with protective behaviors, and the availability of support for protective behaviors and against risks. These factors were identified as having potentially negative effects on older adults’ cybersecurity, particularly as they manage retirement transitions. Similarly, Jiang et al. (2016) conducted focus groups with younger and older adults, and found that Silent and GI generation (born before 1945) and older Baby Boomer (born 1946–1954) age groups were more suspicious about online security, had less confidence in their abilities, were uncertain about the effectiveness of protection resources, performed fewer protection behaviors, and were more likely to rely on others’ assistance compared to the Millennial age group (in that study, participants born between 1977 and 1992). Thus, there are mixed findings regarding age differences in cybersecurity behaviors, especially with regard to software updates.

In addition to the limited empirical evidence regarding age differences in security updating, there are theoretical reasons for investigating how aging might affect security updating. For example, age comparisons may shed light on cognitive and affective components of cybersecurity decisions including threat and coping appraisal, cybersecurity attitudes, self-efficacy, and “technostress” (e.g., Nimrod, 2018). None of the aforementioned studies of aging and cybersecurity asked participants to consider specific decision scenarios, in which such age-related cognitive differences might come into play. Thus, an overarching working hypothesis for the present study was that age differences in software update decisions may correspond to age differences in each of these factors (i.e., threat and coping appraisal, cybersecurity attitudes, self-efficacy, and technostress). Each factor and its potential relation to aging is described below.

Protection Motivation Theory

An important theoretical framework for characterizing decision making in relation to risk and safety is Protection Motivation Theory (PMT; Rogers, 1975). PMT has been applied extensively to the study of health-related behaviors (e.g., Floyd, Prentice-Dunn, & Rogers, 2000), as well as a variety of other domains. More recently, PMT has been found useful in explaining cybersecurity behaviors (Mayer et al., 2017; Van Bavel et al., 2019), and similar models inspired by PMT have been proposed for application to information technology domains, such as Technology Threat Avoidance Theory (TTAT; Liang & Xue, 2009). PMT (and related theories such as TTAT) posits two cognitive mediating processes that influence the selection of adaptive or maladaptive responses to some danger. The first is threat appraisal, which entails the evaluation of threat severity and vulnerability as well as rewards associated with maladaptive responses to the threat; the second is coping appraisal, which includes assessment of self-efficacy and response efficacy as well as costs associated with adaptive responses to the threat. Within this framework, both the threat and coping appraisal processes may be influenced by external stimuli (i.e., the presentation of threat- and coping-related information), attitudes and past experiences, self-efficacy, and cognitive load. Each of these factors has been investigated to some extent in the cybersecurity domain, but little is known about their effects on software updating across young and older age groups. If PMT is an accurate model for cybersecurity decision making, then decision-making differences between age groups should be related to age differences in variables related to the theoretical appraisal processes (i.e., threat and coping).

Threat-and Coping-Related Messages

Studies of PMT and cybersecurity have suggested that coping and threat related information may not be equally effective in promoting adaptive behaviors. For example, van Bavel et al. (2019) conducted an online study in which participants completed a mock purchasing transaction that was preceded by either a coping message (i.e., “You can easily minimize the possibility of suffering a cyber-attack if you choose safe connections, remember to log out, and use secure passwords”), a threat message (i.e., “if you don’t [navigate safely] your personal data could be compromised or you could introduce a virus onto your computer”), a combination of both coping and threat messages, or a control message that merely stated “navigate safely.” They found that the coping message was reliably associated with safe outcomes in the task, whereas the threat message was not. The relative ineffectiveness of threat messages is in line with other mixed results in the cybersecurity literature (Schuetz et al., 2020). Such findings may cast doubt on whether PMT provides a complete enough theoretical framework for cybersecurity and aging. Witte’s (1992) Extended Parallel Processing Model has argued that fear appeals can backfire when high perceived threat is coupled with low self-efficacy. Such circumstances may lead to defensive motivation, in which individuals merely attempt to cope with their fear, rather than the actual danger, for example through denial. Additionally, Van Bavel et al. found that participants’ age was positively associated with safer outcomes in the task but did not examine the relative effects of coping and threat information across age groups. According to both PMT and EPPM, these appraisal processes might be affected by differing levels of self-efficacy among age groups (see self-efficacy section below). Taken together, prior findings from both the PMT and EPPM perspectives suggest that coping information may have a greater influence than threat information on the outcome of the decision process in software updating, particularly among older adults.

Attitudes and Past Experiences

In the cybersecurity domain, both the threat appraisal and coping appraisal processes may be influenced by a person’s prior experiences (for example, software updates that caused problems, cyberattacks that occurred as a result of failure to update, training in cybersecurity best practices) as well as overall attitudes regarding technology and cybersecurity. Anwar and colleagues (Anwar et al., 2017; Li et al., 2019) developed a survey instrument, the Online Security Behaviors and Beliefs Questionnaire (OSBBQ) that measures respondents’ cybersecurity attitudes and experiences along the dimensions of perceived vulnerability, perceived severity, self-efficacy, perceived barriers, perceived benefits, response efficacy, cues to action, and peer behavior. Studies using the OSBBQ have found differences between corporate employees and college students (Schaffer & Debb, 2019), and between Generation Y (born 1980-1999) and Generation Z (born after 1999) young adults (Debb et al., 2020); however, OSBBQ differences between young and older adults have not been studied, nor is it known whether OSBBQ scores correlate to specific cybersecurity decision scenarios such as software updating.

A related factor to cybersecurity attitudes and experiences is technostress, i.e., difficulty coping with adaptation to new technologies (Brod, 1984). Technostress is thought to affect older adults more severely than young adults (Nimrod, 2018), and may be expected to affect both self-efficacy, response efficacy, and vulnerability within the framework of PMT. However, as with OSBBQ, its relation to cybersecurity decision making is not known. However, given that both of these measures relate to cybersecurity and technology attitudes, we expected that positive attitudes as measured by OSBBQ scores would be associated with adaptive decisions in software update scenarios, and that negative attitudes as measured by Technostress would be associated with maladaptive decisions. Additionally, if these attitudes influence the coping appraisal process, and older adults are more responsive to coping information (versus threat information) than younger adults, then the associations between OSBBQ, Technostress, and update decisions may be more pronounced in older adults.

Self Efficacy

The PMT and EPPM frameworks incorporate self-efficacy as a component of the coping appraisal process, but it is important to note that self-efficacy has been studied extensively on its own in relation to aging. For example, associations have been found between self-efficacy and cognitive task performance in older adults (e.g., Beaudoin & Desrichard, 2011; Lachman et al., 2006). In particular, these studies found that older adults who perceive themselves to be in control of their cognitive abilities (as opposed to external forces) tend to perform better on cognitive tasks. Similarly, interventions focused on increasing cognitive self-efficacy in older adults have yielded positive results on cognitive performance (e.g., Hastings & West, 2009; West, Bagwell, & Dark-Freudeman, 2008). Thus, based on the importance of self-efficacy in PMT, it may be predicted that measurements of overall self-efficacy will influence cybersecurity decisions such as software updating. Additionally, as mentioned above, the EPPM (Witte, 1992) predicts that low self-efficacy can interact with high perceived threat to increase maladaptive responses. Thus, similar to the predicted associations between cybersecurity attitudes and software update decisions, the importance of self-efficacy in cognitive aging suggests that coping information may be more influential than threat information in software update decisions among older adults, and to a greater degree than in young adults.

Cognitive Load

Given that the threat and coping appraisal processes of PMT involve the use of cognitive resources, these processes should be affected by the overall level of cognitive demand. According to cognitive load theory (CLT; e.g., Sweller, 2010), working memory demands of extraneous information can harm task performance by reducing cognitive capacity available to the task. In older adults, a general reduction in working memory capacity can lead to complexity effects (e.g., Czaja & Sharit, 1993) in which extraneous cognitive load has greater negative effects on older adults’ performance relative to young adults. Although little research has examined cognitive load effects in cybersecurity decision making, some recent evidence (Ganye & Smith, 2022) suggests that extraneous cognitive load may particularly affect coping appraisal by reducing self-efficacy and response efficacy and increasing perceived response cost. It is not known how such effects interact with aging; however, one reasonable prediction is that cognitive load may reduce the influence of both types of appraisal processes (coping and threat) by limiting resources for those processes, especially in older adults.

The Current Study

Based on the PMT framework and the potential for age-related interactions with the factors involved in coping appraisal and threat appraisal processes, the current study was designed to examine younger and older adults’ software update decisions in hypothetical scenarios, and whether these decisions were affected by manipulations of cognitive load, coping information, and threat information, and whether they were associated with individuals’ overall cybersecurity attitudes, technostress, and self-efficacy. As noted above, there are reasons to expect that each of these factors may be predictive of age differences in software update decision-making, but little data have been published that can provide a strong indication of how they relate to one another. Combining across the factors, the study tested the following hypotheses.

Hypothesis 1

Coping appraisal, as prompted by coping-related information, will affect older adults’ software update decisions to a greater degree than in young adults.

Hypothesis 2

Cybersecurity attitudes will be more strongly correlated with software update decisions in older adults than in young adults.

Hypothesis 3

(a) High cognitive load will limit the effectiveness of appraisal processes (threat and coping), leading to more frequent dismissal of software update messages. (b) The effect of cognitive load will be greater among older adults than among young adults, due to reduced cognitive capacity.

Method

Participants

All materials and procedures for the study adhered to the ethical guidelines of the Declaration of Helsinki and were approved by the Institutional Review Board of Elon University. Participants were recruited from two age ranges: 18–25 years old (younger adults) and 65+ years old (older adults). Recruitment was conducted within the local community surrounding the investigators’ institutions in the Southeastern region of the USA, via postcards that were mailed to registered voters within the desired age ranges, as well as flyers that were distributed on college campuses and local businesses. A specific effort was made to distribute recruitment materials among racially and ethnically diverse segments of the community. This included over-representing racial and ethnic identities in the mailing list that was derived from public voting records, visiting local Hispanic/Latinx businesses, and recruiting from student organizations on campus that are centered around racial and/or ethnic identity. Recruitment postcards and flyers instructed interested individuals to contact a laboratory email address. The purpose of this recruitment strategy was to yield a reasonably diverse sample from the community, and was not intended to provide a nationally or universally representative sample. As in any study based on participation from local community volunteers, the generalizability of the findings should be interpreted with caution given the demographic limitations of the sample and the fact that participants were to some degree self-selected. In all, complete data sets were obtained from 120 participants who fit age criteria and completed at least 98% of the experiment (four individuals began the experiment but completed less than 10% of the items; an additional three individuals completed the experiment but were subsequently found to have entered ages outside the age ranges of interest). The coping version of the experiment had responses from 30 younger adults (M = 20.6 years) and 26 older adults (M = 72.0 years) and the threat version of the experiment had responses from 35 younger adults (M = 19.9 years) and 29 older adults (M = 73.7 years). The sample sizes were planned such that they would include approximately double the number (or more) of participants per condition relative to other recent studies that have investigated age differences in cybersecurity decision making (e.g., Branley-Bell et al., 2022; Morrison et al., 2020; Morrison et al., 2021).

Materials

The experiment consisted of five parts: a set of security-related software update decision scenarios; the Online Security Behaviors and Beliefs Questionnaire (OSBBQ; Anwar et al., 2017); a self-efficacy scale (NGSE; Chen et al., 2001); the Technostress Scale (Nimrod, 2018); and demographic questions. The experiment was implemented in Qualtrics XM (Qualtrics, Provo, UT), which enabled participants to complete the study online, with their own personal devices in their home environments. This methodology was selected to provide greater ecological validity in having participants consider software update decision scenarios they would make for themselves about their own devices, and to measure participants’ cybersecurity attitudes while situated within the relevant context for cybersecurity decision making. One tradeoff of using this method was that cognitive load could not be directly manipulated; instead, participants were asked to imagine varying levels of cognitive load when making their decisions. The scenario decision-making portion of the experiment consisted of four items, each of which presented a hypothetical software updating scenario along with an example update message (See Figure 1). Participants were instructed to read the scenario and example update message carefully, and to indicate what they thought their response would be: Install Now, Schedule a Time, or Dismiss. Two of the scenarios described a high (hypothetical) cognitive load by stating that the update message would appear while working on a complicated spreadsheet, and two of the scenarios described a low (hypothetical) cognitive load by stating that the update message would appear while browsing social media. The two scenarios within each load condition differed in the information that was presented in the update message, which was manipulated to relate to either the coping appraisal or threat appraisal components of PMT. In the coping version of the experiment, one update message stated that the update would require the user to save all work and possibly re-install some applications (low coping). The other message stated that the update would be brief and all work would be automatically saved (high coping). In the threat version of the experiment, one update message stated that the update would ensure ongoing security (low threat), and the other message stated that failure to install the update would put the system at serious risk (high threat).

Figure 1.

Examples of the Software Update Notification Messages Presented to Participants in the Study

Procedure

Prospective participants who responded to the recruitment materials were provided with a Qualtrics link. Links were alternatingly sent for the coping and threat versions of the study, with the purpose of balancing the number of young and older adults in each version. When participants accessed the link provided by the researchers, they first completed a consent form, followed by a notification that they were about the begin. From there, participants completed the four scenario questions. The order of scenario items was randomly determined for each participant. Subsequently, participants completed the OSBBQ (adapted from Anwar et al., 2017), the NGSE (Chen et al., 2001), followed by the Technostress scale (Nimrod, 2018), and a set of demographic questions followed by a debriefing message. The OSBBQ was slightly modified from its original form in order to ensure that items were interpretable within a personal computing context (for example, “I believe that my effort to protect my organization’s information will reduce illegal access to it” was rephrased as “I believe that my effort to protect my information will reduce illegal access to it”). Upon completion, a link was provided to a separate Google form where participants could enter their email or postal mailing information in order to be compensated with a $20 gift card. They had the option to choose to be mailed the gift card or receive it electronically, and were provided with compensation accordingly.

Results

Demographic Characteristics

As noted above, effort was made to obtain responses from a racially and ethnically diverse sample that reflected the local population. Tables 1 and 2 display the distributions of race, ethnicity, and education level for the two versions of the experiment and the two age groups sampled. Chi-square tests of independence indicated that the two versions of the were not significantly different in the distribution of Race/Ethnicity, χ² (3, N = 120) = 2.82, p = .42, or Education Level, χ² (5, N = 120) = 7.91, p = .16. However, the two age groups did have significantly different distributions of Race/Ethnicity, χ² (3, N = 120) = 23.5, p < .001, and Education Level, χ² (3, N = 120) = 61.8, p < .001, with a higher proportion of older adult participants identifying as White alone and not Hispanic or Latinx compared to the younger adults, and a higher proportion of older adults having completed undergraduate or graduate degrees compared to the younger adults. Because the two age groups had substantial differences on these demographic variables, subsequent comparisons between groups are interpreted with caution.

Table 1.

Participants’ Race and Ethnicity (Combined Categories)

Race/ethnicity	Younger				Older
	Coping version		Threat version		Coping version		Threat version
	N	Percent	N	Percent	N	Percent	N	Percent
Asian	4	13.3%	2	5.7%	2	7.7%	0	0.0%
Black or African-American	7	23.3%	11	31.4%	4	15.4%	2	6.9%
Hispanic or Latinx	6	20.0%	8	22.9%	1	3.8%	0	0.0%
White alone, not Hispanic	13	43.3%	14	40.0%	19	73.1%	27	93.1%
Total	30	100%	35	100%	26	100%	29	100%

Note. For the combined Race/Ethnicity categories, Hispanic or Latinx includes all individuals who identified as Hispanic or Latinx for Ethnicity (all of whom identified as either White and/or Other for Race). Asian includes two individuals who identified as both Asian and White for Race. White includes individuals who only responded White for Race and Not Hispanic or Latinx for Ethnicity.

Table 2.

Participants’ Education Levels

Highest education achieved	Younger				Older
	Coping version		Threat version		Coping version		Threat version
	N	Percent	N	Percent	N	Percent	N	Percent
High school graduate/GED	6	20.0%	12	34.3%	1	3.8%	1	3.4%
Some college	18	60.0%	18	51.4%	1	3.8%	5	17.2%
Associate’s degree	0	0.0%	3	8.6%	0	0.0%	2	6.9%
Bachelor’s degree	5	16.7%	2	5.7%	11	42.3%	12	41.4%
Master’s degree	1	3.3%	0	0.0%	10	38.5%	7	24.1%
Doctoral degree	0	0.0%	0	0.0%	3	11.5%	2	6.9%
Total	30	100%	35	100%	26	100%	29	100%

Technology Use

Among younger adults, the majority of respondents (84.6%) indicated using a smartphone as their primary device. In estimating their daily amount of time spent on technology use, the majority (60.0%) of young adult respondents indicated 5 or more hours. A lower percentage of respondents indicated 3–5 h and 1–3 h (29.2% and 10.8% respectively), and no younger adults reported daily usage time of 0–1 hour. Among older adults, the majority of respondents (72.7%) indicated using a computer as their primary device. The majority of older adults (52.7%) reported 1-3 hours of technology use per day. The second-most commonly reported daily use among older adults was 3–5 h (29.1%), followed by 5 or more hours (14.5%) and 0–1 h (3.6%).

Self Efficacy, Technostress, and the OSBBQ

Table 3 displays mean scores on the self-efficacy (NGSE), Technostress, and OSBBQ scales for each age group in each version of the study. For OSBBQ, a composite score was computed for each participant using all items, with scoring reversed for the items in the Perceived Barriers subscale. Within each age group, independent-samples t-tests were used to compare the subgroups that received different update scenarios (i.e., with coping versus threat information). No significant differences were found across versions for younger adults (NGSE: t (63) = −1.11, p = .27; Technostress: t (63) = 0.14, p = .89; OSBBQ: t (63) = 0.05, p = .96), or older adults (NGSE: t (53) = 0.91, p = .37; Technostress: t (53) = 1.50, p = .14; OSBBQ: t (53) = −0.18, p = .86). Comparing across age groups, a significant difference was observed in mean Technostress scores between younger and older adults, t (118) = 4.65, p < .001, d = 0.85, with older adults exhibiting higher Technostress scores overall. OSBBQ scores were also significantly higher for older than younger adults, t (118) = 2.30, p = .023, d = 0.42. NGSE scores did not differ significantly between age groups, t (118) = −0.14, p = .89.

Table 3.

Scores on the NGSE, Technostress, and OSBBQ Scales

Scale	Younger				Older
	Coping version		Threat version		Coping version		Threat version
	M	SD	M	SD	M	SD	M	SD
NGSE	4.09	0.56	4.24	0.57	4.23	0.49	4.09	0.64
Technostress	2.55	0.49	2.53	0.58	3.17	0.55	2.91	0.70
OSBBQ	4.65	0.49	4.64	0.66	4.90	0.58	4.92	0.73

Within each age group, Pearson correlations were also computed between NGSE, Technostress, and OSBBQ. Among younger adults, no significant correlations were observed. Among older adults, OSBBQ was positively correlated with NGSE, r (53) = 0.54, p < .001, and negatively correlated with Technostress, r (53) = −0.52, p < .001.

Scenario Responses

Figure 2 displays the percentage of participants who gave each response (i.e., Install Now, Schedule a Time, Dismiss) to each of the scenarios, across the two age groups and two versions of the study. One notable feature of the response patterns was that Dismiss was the most common response across all scenarios for the younger adults. For the older adults, Dismiss was the most common response across scenarios that contained threat information, but was the second-most common response (after Schedule a Time) for the scenarios that presented coping information. In order to compare the frequency of Dismiss responses across individuals, data were coded to identify which participants responded Dismiss to all scenarios they encountered. Among younger adults, 37.1% of participants in the threat version and 30.0% of participants in the coping version selected Dismiss for every scenario. Among older adults, 48.3% of participants in the threat version and 19.2% of participants in the coping version selected Dismiss for every scenario. Chi-square tests indicated that these proportions did not differ significantly across versions for young adults, χ² (1, N = 65) = 0.37, p = .54, but did differ significantly across versions for older adults, χ² (1, N = 55) = 5.12, p = .024.

Figure 2.

Response Percentages for the Software Update Scenarios that Included Threat Information (Left Panel) and Coping Information (Right Panel), for Younger and Older Adults

In order to examine the influence of scenario information on hypothetical update decisions, participants’ responses were analyzed to assess whether their decisions shifted between the low and high cognitive load conditions, and low and high coping/threat appraisal conditions, respectively. First, responses were scored such that Dismiss = 0, Schedule a Time = 1, Install Now = 2. Then, each participant’s cognitive load effect was calculated as the sum of response scores in the low load scenarios minus the sum of response scores in the high load scenarios. The resulting scores provided a measure of each participant’s overall shift away from (negative) or towards (positive) choosing to update in the low versus high cognitive load scenarios, on a scale from −4 to +4. Similarly, an appraisal effect score was computed for each participant as the sum of response scores in the high coping/threat conditions minus the sum of response scores in the low coping/threat conditions, such that the positive values of the score reflected a participant’s shift towards choosing to update in the high threat or high coping conditions versus low threat or low coping conditions, respectively.

Wilcoxon signed-rank tests were used to determine whether the median cognitive load effect and appraisal effect scores were greater than zero, i.e. whether low cognitive load or high threat/coping information had a positive effect on updating decisions, relative to high cognitive load or low threat/coping information. For cognitive load effect scores, the median for all participants (n = 120) was not significantly different than zero, W = 507.5, p = .311. The same result was also found when the age groups were analyzed separately: for younger adults (n = 65), W = 177, p = .701, and for older adults (n = 55), W = 90, p = .254. For appraisal effect scores, the median was significantly different than zero (in the positive direction), W = 846, p = .007. Separating the younger and older adult groups, the effect of appraisal information was seen in the younger adults, W = 311.5, p = .011, but not in the older adults, W = 138, p = .215. Additional analyses were performed to examine the appraisal effect in each of the two versions of the study. For the version with coping information (n = 56), the effect was significantly different than zero (in the positive direction), W = 276, p = .033, but the effect was not significantly different than zero for the version with threat information (n = 64), W = 162.5, p = .097 (note that all of the above are two-sided p-values; although the effect was expected to be in the positive direction, it was not assumed that this would necessarily be so). Spearman’s rank correlation was used to test whether load effect or appraisal effect scores were correlated with composite OSBBQ scores; no significant correlation with OSBBQ was found for either load effect, r (118) = 0.13, p = .145, or appraisal effect, r (118) = −0.04, p = .703.

In addition to the load effect and appraisal effect scores described above, an overall updating decision score was computed for each participant as the sum of response scores across all four scenarios. The distributions of overall decision scores were compared between age groups and versions using Mann-Whitney tests, which found no significant median differences by age group, U(N_older = 55; N_younger = 65) = 1873.0, p = .65, or version, U(N_coping = 56; N_threat = 64) = 2069.5, p = .135. Spearman’s rank correlation indicated that overall update decision scores were significantly positively correlated with OSBBQ composite scores, r (118) = 0.27, p = .003. Examining age groups separately, this correlation was significant within the older sample, r (53) = 0.33, p = .015, but did not reach significance within the younger adult sample, r (63) = 0.21, p = .091.

Discussion

The current study examined cybersecurity decision making by younger and older adults in hypothetical software update scenarios that differed in cognitive load, and in the threat- and coping-appraisal information provided by the update message. Participants also provided responses to instruments that measured attitudes and experiences with cybersecurity (i.e., the OSBBQ), self-efficacy, and technostress.

In the software update scenarios examined here, the experimentally-manipulated factor that had the most consistent influence on hypothetical update decisions was coping appraisal information. Specifically, there was an overall shift towards better (i.e., more adaptive, in PMT terminology) update decisions in the high-coping condition than in the low-coping condition. Additionally, older adults were less likely to dismiss all updates when coping information was provided than when threat information was provided. These results are consistent with Hypothesis 1, which predicted that coping appraisal would affect software update decision making to a greater degree in older adults than in young adults. This is also consistent with the results reported by van Bavel et al. (2019), who found that coping messages were more effective than threat messages at promoting secure behaviors in an online shopping task. Further, the current results extend prior findings to the domain of software update decision making, and the degree of coping information (high versus low) can affect decisions (van Bavel et al.’s study only compared the presence versus absence of coping information). The current finding that older adults are relatively insensitive to both high- and low-threat messages is also consistent with other recent findings (e.g., Samanez-Larkin & Knutson, 2015) that older adults show reduced affective and neural sensitivity to anticipated financial losses. Additionally, given that the age groups in the present study did not significantly differ in self-efficacy, the differing effects of threat versus coping messages on older adults’ responses does not appear to be explained as a distinction between protection motivation and defensive motivation (e.g., as predicted by EPPM; Witte, 1992).

Regarding Hypothesis 2, which predicted that cybersecurity attitudes would be more strongly correlated with software update decisions in older adults than in young adults, the present study provided some support for this hypothesis in that older adults, but not younger adults, exhibited several associations between OSBBQ scores and other variables. In particular, among older adults OSBBQ scores were positively correlated with self-efficacy as measured by the NGSE, negatively correlated with scores on the Technostress scale, and positively correlated with overall decision scores for the software update scenarios. These results provide evidence that the OSBBQ can be an accurate indicator of older adults’ cybersecurity behaviors, and that older adults’ attitudes towards cybersecurity are related to their broader coping skills vis-à-vis technology. This pattern of findings further highlights the importance of coping appraisal in older adults’ cybersecurity decisions.

Cognitive load was one key element of the current study that was not found to reliably influence software update decisions. This finding was contrary to Hypothesis 3, which predicted that cognitive load would interfere with appraisal processes to a greater degree in older adults than younger adults. However, as noted in the Method section, a limitation of the current design with respect to the cognitive load variable was that the cognitive load differences were hypothetical, i.e., the experiment did not actively impose differing levels of cognitive load. Rather, participants were asked to imagine scenarios with differing levels of cognitive load, which may not have adequately simulated real cognitive load effects. Future studies should examine the effects of cognitive load by directly inducing load differences during software updating decisions.

Conclusions

In summary, the present study is among the first to examine young and older adults’ security-related software update decision-making processes within the framework of Protection Motivation Theory, and the results highlight the importance of coping processes in older adults’ cybersecurity behaviors – both in terms of coping appraisal information that is provided at the time of the decision, as well as older adults’ overall self-efficacy and technological coping skills.

Footnotes

ORCID iDs

Joseph D. W. Stephens

Amy A. Overman

Funding

The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the material is based upon work supported by the National Science Foundation under grant numbers 2007651 to A. Overman and 2007662 to M. Anwar and J. Stephens.

Declaration of Conflicting Interests

The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Data Availability Statement

The data storage protocol for this study did not include use of a publicly accessible repository. However, data are available upon request to the corresponding author.*

Author Biographies

Joseph D. W. Stephens, Ph.D., is currently a Professor of Psychology at Xavier University in Cincinnati, Ohio. He has previously been a Professor of Psychology at North Carolina A&T State University in Greensboro, North Carolina.

Amy A. Overman, Ph.D., is currently the Dean of the College of Professional Sciences and a Professor of Psychology at Xavier University in Cincinnati, Ohio. She has previously been a Professor of Psychology and held several administrative positions at Elon University in Elon, North Carolina.

Mohd Anwar, Ph.D., is currently Lead of Foundational AI in the Office of Data Science Strategy at the National Institutes of Health (NIH). His previous positions have included National Service Scholar for Data & Technology Advancement at NIH, Professor of Computer Science at North Carolina A&T State University, and RTI Scholar at RTI International.

Paige L. Goldberg graduated from Elon University in 2024 with a bachelor's degree in psychology. She is currently pursuing a doctoral degree in clinical psychology at Widener University in Chester, Pennsylvania.

Alejandro Mejia graduated from Elon University in 2024 with a bachelor's degree in computer science.

References

Aharonov‐Majar

Rajivan

Gonzalez

Erev

(2020). The impact of variability and prechoice experience on taking safety measures: The case of security updates. Journal of Behavioral Decision Making, 33(1), 3–14. https://doi.org/10.1002/bdm.2131

Anwar

Ash

Yuan

(2017). Gender difference and employees’ cybersecurity behaviors. Computers in Human Behavior, 69, 437–443. https://doi.org/10.1016/j.chb.2016.12.040

Beaudoin

Desrichard

(2011). Are memory self-efficacy and memory performance related? A meta-analysis. Psychological Bulletin, 137(2), 211–241. https://doi.org/10.1037/a0022106

Branley-Bell

Coventry

Dixon

Joinson

Briggs

(2022). Exploring age and gender differences in ICT cybersecurity behaviour. Human Behavior and Emerging Technologies, 2022 , Article 2693080. https://doi.org/10.1155/2022/2693080

Brod

(1984). Technostress: The human cost of the computer revolution. Addison Wesley.

Chen

Gully

S. M.

Eden

(2001). Validation of a new general self-efficacy scale. Organizational Research Methods, 4(1), 62–83. https://doi.org/10.1177/109442810141004

Czaja

S. J.

Sharit

(1993). Age differences in the performance of computer-based work. Psychology and Aging, 8(1), 59–67. https://doi.org/10.1037/0882-7974.8.1.59

Debb

S. M.

Schaffer

D. R.

Colson

D. G.

(2020). A reverse digital divide: Comparing information security behaviors of generation Y and generation Z adults. International Journal of Cybersecurity Intelligence and Cybercrime, 3(1), 42–55. https://doi.org/10.52306/03010420GXUV5876

Fagan

Khan

M. M. H.

Buck

(2015). A study of users’ experiences and beliefs about software update messages. Computers in Human Behavior, 51, 504–519. https://doi.org/10.1016/j.chb.2015.04.075

10.

Floyd

D. L.

Prentice‐Dunn

Rogers

R. W.

(2000). A meta‐analysis of research on protection motivation theory. Journal of Applied Social Psychology, 30(2), 407–429. https://doi.org/10.1111/j.1559-1816.2000.tb02323.x

11.

Ganye

Smith

(2022). Examining cognitive load and information systems security compliance. ICIS 2022 TREOs, 10. https://aisel.aisnet.org/treos_icis2022/10

12.

Gillam

A. R.

Foster

W. T.

(2020). Factors affecting risky cybersecurity behaviors by US workers: An exploratory study. Computers in Human Behavior, 108, Article 106319. https://doi.org/10.1016/j.chb.2020.106319

13.

Hadlington

(2017). Human factors in cybersecurity: Examining the link between internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours. Heliyon, 3(7), Article E00346. https://doi.org/10.1016/j.heliyon.2017.e00346

14.

Hastings

E. C.

West

R. L.

(2009). The relative success of a self-help and a group-based memory training program for older adults. Psychology and Aging, 24(3), 586–594. https://doi.org/10.1037/a0016951

15.

Jiang

Tsai

H. S.

Cotton

S. R.

Rifon

N. J.

LaRose

Alhabash

(2016). Generational differences in online safety perceptions, knowledge, and practices. Educational Gerontology, 42(9), 621–634. https://doi.org/10.1080/03601277.2016.1205408

16.

Lachman

M. E.

Andreoletti

Pearman

(2006). Memory control beliefs: How are they related to age, strategy use and memory improvement? Social Cognition, 24(3), 359–385. https://doi.org/10.1521/soco.2006.24.3.359

17.

Ash

Anwar

Yuan

(2019). Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, 45, 13–24. https://doi.org/10.1016/j.ijinfomgt.2018.10.017

18.

Liang

Xue

(2009). Avoidance of information technology threats: A theoretical perspective. MIS Quarterly, 33(1), 71–90. https://doi.org/10.2307/20650279

19.

Lighthall

N. R.

(2020). Neural mechanisms of decision‐making in aging. WIREs Cognitive Science, 11(1), Article e1519. https://doi.org/10.1002/wcs.1519

20.

Mayer

Kunz

Volkamer

(2017). Reliable behavioural factors in the information security context. In: Proceedings of the 12th International Conference on Availability, Reliability and Security, article 9. (pp. 1–10). 29 August 2017, Reggio Calabria, Italy. https://doi.org/10.1145/3098954.3098986

21.

Morrison

Coventry

Briggs

(2021). How do older adults feel about engaging with cyber-security? Human Behavior and Emerging Technologies, 3(5), 1033–1049. https://doi.org/10.1002/hbe2.291

22.

Morrison

B. A.

Coventry

Briggs

(2020). Technological change in the retirement transition and the implications for cybersecurity vulnerability in older adults. Frontiers in Psychology, 11, 623. https://doi.org/10.3389/fpsyg.2020.00623

23.

Nimrod

(2018). Technostress: Measuring a new threat to well-being in later life. Aging & Mental Health, 22(8), 1086–1093. https://doi.org/10.1080/13607863.2017.1334037

24.

Rajivan

Aharonov-Majar

Gonzalez

(2020). Update now or later? Effects of experience, cost, and risk preference on update decisions. Journal of Cybersecurity, 6(1), tyaa002. https://doi.org/10.1093/cybsec/tyaa002

25.

Rogers

R. W.

(1975). A protection motivation theory of fear appeals and attitude change. Journal of Psychology, 91(1), 93–114. https://doi.org/10.1080/00223980.1975.9915803

26.

Samanez-Larkin

G. R.

Knutson

(2015). Decision making in the ageing brain: Changes in affective and motivational circuits. Nature Reviews Neuroscience, 16(5), 278–289. https://doi.org/10.1038/nrn3917

27.

Schaffer

D. R.

Debb

S. M.

(2019). Validation of the online security behaviors and beliefs questionnaire with college students in the United States. Cyberpsychology, Behavior, and Social Networking, 22(12), 766–770. https://doi.org/10.1089/cyber.2019.0248

28.

Schuetz

S. W.

Lowry

P. B.

Pienta

D. A.

Thatcher

J. B.

(2020). The effectiveness of abstract versus concrete fear appeals in information security. Journal of Management Information Systems, 37(3), 723–757. https://doi.org/10.1080/07421222.2020.1790187

29.

Sweller

(2010). Cognitive load theory: Recent theoretical advances. In Plass

J. L.

Moreno

Brünken

(Eds.), Cognitive load theory (pp. 29–47). Cambridge University Press. https://doi.org/10.1017/CBO9780511844744.004

30.

Van Bavel

Rodríguez-Priego

Vila

Briggs

(2019). Using protection motivation theory in the design of nudges to improve online security behavior. International Journal of Human-Computer Studies, 123, 29–39. https://doi.org/10.1016/j.ijhcs.2018.11.003

31.

West

R. L.

Bagwell

D. K.

Dark-Freudeman

(2005). Memory and goal setting: The response of older and younger adults to positive and objective feedback. Psychology and Aging, 20(2), 195–201. https://doi.org/10.1037/0882-7974.20.2.195

32.

Witte

(1992). Putting the fear back into fear appeals: The extended parallel process model. Communication Monographs, 59(4), 329–349. https://doi.org/10.1080/03637759209376276