From Paranoia to Compliance: The Bumpy Road of System Hardening Practices on Stack Exchange
Niklas Busch (1), Philip Klostermeyer (1), Jan H. Klemmer (1), Yasemin Acar (2), Sascha Fahl (1) ((1) CISPA Helmholtz Center for Information Security, (2) Paderborn University)

TL;DR
This study qualitatively analyzes 316 Stack Exchange posts to understand system operators' motivations, practices, and challenges in system hardening, revealing key issues like misconceptions, deployment challenges, and compliance-driven concerns.
Contribution
It provides an in-depth qualitative analysis of real-world practices and challenges in system hardening based on Stack Exchange data, highlighting areas for improvement.
Findings
Access control and deployment issues are most challenging.
Operators face misconceptions and unrealistic expectations.
Fear of attacks and compliance drive hardening practices.
Abstract
Hardening computer systems against cyberattacks is crucial for security. However, past incidents illustrated that many system operators struggle with effective system hardening. Hence, many computer systems and applications remain insecure. So far, the research community lacks an in-depth understanding of system operators' motivation, practices, and challenges around system hardening. With a focus on practices and challenges, we qualitatively analyzed 316 Stack Exchange (SE) posts related to system hardening. We find that access control and deployment-related issues are the most challenging, and system operators suffer from misconceptions and unrealistic expectations. Most frequently, posts focused on operating systems and server applications. System operators were driven by the fear of their systems getting attacked or by compliance reasons. Finally, we discuss our research questions,…
Taxonomy
Topics: Information and Cyber Security · Safety Systems Engineering in Autonomy · Software Engineering Techniques and Practices
