How to explain to traditional people why they should upgrade their old Windows XP device? <- The interesting point made in the highest upvoted answer to this Q is that a fully patched OS is largely insignificant for the security of an 'average home elder'. On the other hand, regular backups and AV software are essential.
While I do understand the point about backups, the point about patches vs AV is surprising to me precisely because I have usually been told the opposite.
Usually, I have been told that for the security of a home user, the first points to consider are:
- Full disk encryption (defense against device theft),
- password managers that allow one to abandon reusing passwords (defense against hacked websites),
- fully patched software and an enabled firewall (defense against malware, especially the kinds that infect the computer without a person's knowledge and consent),
- backups (defense against hardware failure and attacks that somehow slip through the other lines of defense).
Antivirus software, while still important, nonetheless is dead last on the above list because:
- The main purpose of AV is to defend against well-known, indiscriminate threats. This, as I understand, often means threats that would be stopped either by fully patched software or the user's diligence (do not run unknown executables, do not click on links in phishing e-mails, ...) in the first place. Even worse, fully patched software paired with the user's diligence will be able to stop far more threats than AV.
- AVs slow the computer down and open up their own attack vector.
Sources (examples): 1, 2, 3
Of course the user's diligence cannot be relied upon (many claim the human is the weakest link in any security system), especially in the case of home elders, so I'm not going to argue AV software is not important. It's just that I cannot see how a fully patched OS can be less important here.
Note that since we're talking about the 'average home elder' I do not consider it a realistic scenario that they are personally targeted. However, I should note that I've been told about a case in which a hacked parish website was installing malware on its visitors' computers. For this reason I'm not sure if it is possible to rule out drive-by downloads.