To Patch, or not To Patch? That is the Question: A Case Study of System Administrators' Online Collaborative Behaviour

TL;DR

This study examines how system administrators' online communities collaboratively assess risks and influence patch adoption decisions, revealing sophisticated information-sharing practices that impact security management.

Contribution

It provides a detailed case study of online sysadmin communities, highlighting their role in risk assessment and decision-making regarding software patches.

Findings

Communities synthesize patch information from diverse online sources.

Risk assessments evolve through community collaboration.

Influencers shape patch perception and adoption decisions.

Abstract

System administrators, similar to end users, may delay or avoid software patches, also known as updates, despite the impact their timely application can have on system security. These admins are responsible for large, complex, amalgamated systems and must balance the security related needs of their organizations, which would benefit from the patch, with the need to ensure that systems must continue to run unimpeded. In this paper, we present a case study which follows the online life-cycle of a pair of Microsoft patches. We find that communities of sysadmins have evolved sophisticated mechanisms to perform risk assessments that are centred around collecting, synthesizing, and generating information on patches. These communities span different Virtual Communities of Practice, as well as influencers who monitor and report on the impact of new patches. As information is propagated and aggregated across blogs, forums, web sites, and mailing lists, eventually resulting in a consensus around the risk of a patch. Our findings highlight the role that these communities play in informing risk management decisions: Patch information is not static, and it transforms as communities collaborate to understand patch issues.