Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
156 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

To Patch, or not To Patch? That is the Question: A Case Study of System Administrators' Online Collaborative Behaviour (2307.03609v1)

Published 7 Jul 2023 in cs.HC and cs.SI

Abstract: System administrators, similar to end users, may delay or avoid software patches, also known as updates, despite the impact their timely application can have on system security. These admins are responsible for large, complex, amalgamated systems and must balance the security related needs of their organizations, which would benefit from the patch, with the need to ensure that systems must continue to run unimpeded. In this paper, we present a case study which follows the online life-cycle of a pair of Microsoft patches. We find that communities of sysadmins have evolved sophisticated mechanisms to perform risk assessments that are centred around collecting, synthesizing, and generating information on patches. These communities span different Virtual Communities of Practice, as well as influencers who monitor and report on the impact of new patches. As information is propagated and aggregated across blogs, forums, web sites, and mailing lists, eventually resulting in a consensus around the risk of a patch. Our findings highlight the role that these communities play in informing risk management decisions: Patch information is not static, and it transforms as communities collaborate to understand patch issues.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (91)
  1. Ms-defcon system. https://www.askwoody.com/ms-defcon-system/.
  2. Patchmanagement.org. http://www.patchmanagement.org/default.asp.
  3. How to Enable or Disable Desktop Composition in Windows 7 and Vista. https://www.sevenforums.com/tutorials/127411-desktop-composition-enable-disable.html, November 2010. Accessed Feb 19, 2019.
  4. KB4034664 macht Probleme bei PDFXchange . https://www.heise.de/forum/heise-Security/News-Kommentare/Patchday-Windows-Suche-als-Einfallstor-fuer-wurmartige-Attacken/KB4034664-macht-Probleme-bei-PDFXchange/posting-30849369/show/, August 2017. Accessed Feb 19, 2019.
  5. Irfanview Fullscreen bug version 4.44 & 4.37 with windows update KB4034664 . https://irfanview-forum.de/archive/index.php/t-11261.html, August 2017. Accessed Feb 19, 2019.
  6. Matlab 2016b command is black after Windows Update. https://de.mathworks.com/matlabcentral/answers/352339-matlab-2016b-command-is-black-after-windows-update?w.mathworks.com, August 2017. Accessed Feb 19, 2019.
  7. KB4034664 causing issues with NVIDIA video drivers. https://forums.geforce.com/default/topic/1022095/geforce-drivers/kb4034664-causing-issues-with-nvidia-video-drivers/, August 2017. Accessed Feb 19, 2019.
  8. Microsoft Releases KB4034664 and KB4034681 Rollup Updates for Windows 7/8.1. https://news.softpedia.com/news/microsoft-releases-kb4034664-and-kb4034681-rollup-updates-for-windows-7-8-1-517349.shtml, August 2017. Accessed Feb 19, 2019.
  9. Office 2013 not rendering correctly on second monitor only after update. https://social.technet.microsoft.com/Forums/en-US/cc63be1e-0457-4da1-8d83-89b0f79fdddd/office-2013-not-rendering-correctly-on-second-monitor-only-after-update?forum=winserverTS, August 2017. Accessed Feb 19, 2019.
  10. Web filter categories, 2019. URL https://fortiguard.com/webfilter/categories.
  11. An empirical study of software release notes. Empirical Software Engineering, 21(3):1107–1142, 2016.
  12. Software documentation issues unveiled. In 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), pages 1199–1210, 2019. doi: 10.1109/ICSE.2019.00122.
  13. Activity-based management of it service delivery. In Proceedings of the 2007 symposium on Computer human interaction for the management of information technology, page 5. ACM, 2007.
  14. Rob Barrett. People and policies: Transforming the human-computer partnership. In null, page 111. IEEE, 2004.
  15. Field studies of computer system administrators: analysis of system management tools and practices. In Proceedings of the 2004 ACM conference on Computer supported cooperative work, pages 388–395. ACM, 2004.
  16. Usable autonomic computing systems: The system administrators’ perspective. Advanced Engineering Informatics, 19(3):213–221, 2005.
  17. Timing the application of security patches for optimal uptime. In LISA, volume 2, pages 233–242, 2002. URL http://static.usenix.org/legacy/events/lisa02/tech/full_papers/beattie/beattie_html/.
  18. Before we knew it: an empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 833–844. ACM, 2012.
  19. Günter Born. Windows 7: KB4039884 fixes dual monitor rendering bug. http://borncity.com/win/2017/08/27/windows-7-kb4039884-fixes-dual-monitor-rendering-bug/, August 2017a. Accessed Feb 19, 2019.
  20. Günter Born. Windows Update KB4034664 is causing trouble on 2nd screen. http://borncity.com/win/2017/08/12/windows-update-kb4034664-is-causing-trouble-on-2nd-screen/, August 2017b. Accessed Feb 19, 2019.
  21. Toward understanding distributed cognition in it security management: the role of cues and norms. Cognition, Technology & Work, 13(2):121–134, 2011.
  22. Susan Bradley. It’s patch day! https://marc.info/?t=150221746200001&r=1&w=2, August 2017a. Accessed Feb 19, 2019.
  23. Susan Bradley. KB4039884. https://marc.info/?t=150389768200001&r=1&w=2, August 2017b. Accessed Feb 19, 2019.
  24. Peter Bright. Data-deletion bug forces microsoft to suspend rollout of windows 10 update, Oct 2018. URL https://arstechnica.com/gadgets/2018/10/microsoft-suspends-distribution-of-latest-windows-10-update-over-data-loss-bug/.
  25. Martin Brinkmann. Microsoft Security Updates August 2017 release. https://www.ghacks.net/2017/08/08/microsoft-security-updates-august-2017-release, August 2017. Accessed Feb 19, 2019.
  26. John Seely Brown. The Social Life of Information. Harvard Business School Press, Boston, 2002. ISBN 1578517087.
  27. J.S Busby. Error and distributed cognition in design. Design Studies, 22(3):233–254, 2001. ISSN 0142-694x. doi: https://doi.org/10.1016/S0142-694X(00)00028-4. URL http://www.sciencedirect.com/science/article/pii/S0142694X00000284.
  28. Dustin Childs. The August 2017 Security Update Review. https://www.thezdi.com/blog/2017/8/8/the-august-2017-security-update-review, August 2017. Accessed Feb 19, 2019.
  29. The role of social influence in security feature adoption. In Proceedings of the 18th ACM conference on computer supported cooperative work & social computing, pages 1416–1426. ACM, 2015.
  30. Investigating system operators’ perspective on security misconfigurations. In The 25th ACM Conference on Computer and Communications Security (CCS’18). ACM, 2018.
  31. The impact of structuring characteristics on the launching of virtual communities of practice. Journal of Organizational Change Management, 2005.
  32. Why eve and mallory (also) love webmasters: a study on the root causes of ssl misconfigurations. In Proceedings of the 9th ACM symposium on Information, computer and communications security, pages 507–512. ACM, 2014.
  33. Users - the hidden software product quality experts?: A study on how app users report quality aspects in online reviews. 2017 IEEE 25th International Requirements Engineering Conference (RE), pages 80–89, 2017.
  34. A theoretical framework for building online communities of practice with social networking tools. Educational Media International, 46(1):3–16, 2009.
  35. Security administrators: A breed apart. SOUPS USM, pages 3–6, 2007.
  36. Design guidelines for system administration tools developed through ethnographic field studies. In Proceedings of the 2007 symposium on Computer human interaction for the management of information technology, page 1. ACM, 2007.
  37. Collaboration in system administration. Communications of the ACM, 54(1):46–53, 2011.
  38. Knowledge-sharing in an online community of health-care professionals. Information Technology & People, 20(3):235–261, 2007. doi: 10.1108/09593840710822859. URL https://doi.org/10.1108/09593840710822859.
  39. A survey of system administrator mental models and situation awareness. In Proceedings of the 2001 ACM SIGCPR conference on Computer personnel research, pages 166–172. ACM, 2001.
  40. Edwin Hutchins. Distributed cognition. International Encyclopedia of the Social and Behavioral Sciences. Elsevier Science, 138, 2000.
  41. ”anyone else seeing this error?”: Community, system administrators, and patch information (preprint). June 2020. URL https://groups.inf.ed.ac.uk/tulips/papers/jenkins2020.pdf.
  42. Christopher M Johnson. A survey of current research on online communities of practice. The Internet and Higher Education, 4(1):45–60, 2001. ISSN 1096-7516. doi: https://doi.org/10.1016/S1096-7516(01)00047-1. URL https://www.sciencedirect.com/science/article/pii/S1096751601000471.
  43. Brian Joseph. Software update accidentially cancels food stamp cards for 37,000 californians, January 2013. URL https://www.ocregister.com/2013/01/07/software-update-accidentially-cancels-food-stamp-cards-for-37000-californians/.
  44. Security administration tools and practices. Security and Usability: Designing Secure Systems that People Can Use, pages 357–378, 2005.
  45. Taming information technology: Lessons from studies of system administrators. Oxford University Press, 2012.
  46. Brian Krebs. Critical Security Fixes from Adobe, Microsoft. https://krebsonsecurity.com/2017/08/critical-security-fixes-from-adobe-microsoft-2/, August 2017. Accessed Feb 19, 2019.
  47. ”i have no idea what i’m doing”-on the usability of deploying https. In Proc. of the 26th USENIX Security Symposium, ser. USENIX Security, volume 17, pages 1339–1356, 2017.
  48. Woody Leonhard. 2000011: Group A, Group B and Group W - what’s the difference? https://www.askwoody.com/forums/topic/2000011-group-a-group-b-and-group-w-whats-the-difference/, April 2018. Accessed Feb 19, 2019.
  49. Keepers of the machines: Examining how system administrators manage software updates for multiple machines. In Fifteenth Symposium on Usable Privacy and Security ({normal-{\{{SOUPS}normal-}\}} 2019), 2019.
  50. Distributed cognition and joint activity in collaborative problem solving. In Proceedings of the Annual Meeting of the Cognitive Science Society, volume 25, 2003.
  51. What does this update do to my systems?–an analysis of the importance of update-related information to system administrators. 2020.
  52. ” they keep coming back like zombies”: Improving software updating interfaces. In SOUPS, pages 43–58, 2016.
  53. Microsoft. August 8, 2017-KB4034664 (Monthly Rollup). https://support.microsoft.com/en-us/help/4034664/windows-7-sp1-windows-server-2008-r2-sp1-update-kb4034664, a. Accessed Feb 19, 2019.
  54. Microsoft. August 30, 2017-KB4039884. https://support.microsoft.com/en-us/help/4039884/windows-7-update-kb4039884, b. Accessed Feb 19, 2019.
  55. Microsoft. August 8, 2017-KB4034679 (Security-only update). https://support.microsoft.com/en-us/help/4034679/windows-7-sp1-windows-server-2008-r2-sp1-update-kb4034679), c. Accessed Feb 19, 2019.
  56. Microsoft. Security Update Guide. https://portal.msrc.microsoft.com/en-us/security-guidance, d. Accessed Feb 19, 2019.
  57. Code-red: A case study on the spread and victims of an internet worm. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, IMW ’02, pages 273–284, New York, NY, USA, 2002. ACM. ISBN 1-58113-603-X. doi: 10.1145/637201.637244. URL http://doi.acm.org/10.1145/637201.637244.
  58. Nineberry. Graphics Bug in Windows 7 after installing August 2017 Security Updates. https://www.neunbeere.de/blog/2017/08/graphics-bug-in-windows-7-after-installing-august-2017-security-updates/, August 2017. Accessed Feb 19, 2019.
  59. How i learned to be secure: a census-representative survey of security advice sources and behavior. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 666–677. ACM, 2016a.
  60. I think they’re trying to tell me something: Advice sources and selection for digital security. In 2016 IEEE Symposium on Security and Privacy (SP), pages 272–288. IEEE, 2016b.
  61. Sustaining an online community of practice: A case study. Journal of Distance Education, 22(2):43–58, 2008.
  62. The role of ethnographic studies in empirical software engineering. IEEE Transactions on Software Engineering, 42(8):786–804, 2016.
  63. Adam Shostack. Quantifying patch management. Secure Business Quarterly, 3(2):1–4, 2003.
  64. William Smart. Lessons learned review of the WannaCry Ransomware Cyber Attack. NHS England, February 2018.
  65. Supporting privacy-conscious app update decisions with user reviews. In Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, pages 51–61. ACM, 2015.
  66. A usability evaluation of let’s encrypt and certbot: Usable security done right. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pages 1971–1988, 2019.
  67. Security, availability, and multiple information sources: Exploring update behavior of system administrators. In Sixteenth Symposium on Usable Privacy and Security ({normal-{\{{SOUPS}normal-}\}} 2020), pages 239–258, 2020.
  68. Johannes B. Ullrich. Microsoft Patch Tuesday August 2017. https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+August+2017/22694/, August 2017. Accessed Feb 19, 2019.
  69. Cooperative knowledge work and practices of trust: Sharing environmental planning data sets. In CSCW, volume 98, pages 335–343, 1998.
  70. Tales of software updates: The process of updating software. In CHI 2016: Conference on Human Factors In Computing Systems, 2016.
  71. Betrayed by updates: How negative experience affect future security. In CHI 2014: Conference on Human Factors in Computing Systems, April 2014.
  72. Sysadmins and the need for verification information. In Proceedings of the 2nd ACM Symposium on Computer Human Interaction for Management of Information Technology, page 4. ACM, 2008.
  73. Work practices of system administrators: implications for tool design. In Proceedings of the 2nd ACM Symposium on Computer Human Interaction for Management of Information Technology, page 1. ACM, 2008.
  74. System administrators as broker technicians. In Proceedings of the Symposium on Computer Human Interaction for the Management of Information Technology, page 1. ACM, 2009.
  75. Designing tools for system administrators: An empirical test of the integrated user satisfaction model. In LISA, pages 1–8, 2008.
  76. Verizon. 2020 data breach investigations report. Technical report, Verizon Trademark Services LLC, 2020. Also available as https://vz.to/3vKNI1K. Accessed Jun. 2020.
  77. System administrators prefer command line interfaces, don’t they? an exploratory study of firewall interfaces. In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), pages 259–271, Santa Clara, CA, August 2019. USENIX Association. ISBN 978-1-939133-05-2. URL https://www.usenix.org/conference/soups2019/presentation/voronkov.
  78. Etienne Wenger. Communities of practice: Learning, meaning, and identity. Cambridge university press, 1999.
  79. Woody. Microsoft yanks buggy patch of a buggy patch, KB 4039884 . https://www.computerworld.com/article/3220665/microsoft-windows/microsoft-yanks-buggy-patch-of-a-buggy-patch-kb-4039884.html, August 2017a. Accessed Feb 19, 2019.
  80. Woody. Microsoft repairs buggy Win7 security patch with buggy hotfix KB 4039884. https://www.computerworld.com/article/3219738/microsoft-windows/microsoft-repairs-buggy-win7-security-patch-with-buggy-hotfix-kb-4039884.html, August 2017b. Accessed Feb 19, 2019.
  81. Woody. It’s time to install August Windows and Office patches - carefully. https://www.computerworld.com/article/3221371/microsoft-windows/its-time-to-install-august-windows-and-office-patches-carefully.html, September 2017c. Accessed Feb 19, 2019.
  82. Woody. This month’s Win7 patches KB 4034664, KB 4034679 causing second-screen problems . https://www.computerworld.com/article/3215194/microsoft-windows/two-of-this-months-win7-patches-causing-second-screen-problems.html, August 2017d. Accessed Feb 19, 2019.
  83. Woody. Lots and lots of patches. https://www.askwoody.com/2017/lots-and-lots-of-patches/, August 2017e. Accessed Feb 19, 2019.
  84. Woody. This month’s Win7 patches KB 4034664, KB 4034679 causing second-screen problems . https://www.askwoody.com/forums/topic/this-months-win7-patches-kb-4034664-kb-4034679-causing-second-screen-problems/, August 2017f. Accessed Feb 19, 2019.
  85. Woody. Microsoft patches buggy Windows 7 patch, KB 4039884 solves the dual-monitor rendering problem. https://www.askwoody.com/forums/topic/microsoft-patches-buggy-windows-7-patch-kb-4039884-solves-the-dual-monitor-rendering-problem/, August 2017g. Accessed Feb 19, 2019.
  86. Woody. Buggy KB 4039884 Win7 patch of a patch, returns with no explanation . https://www.askwoody.com/forums/topic/buggy-kb-4039884-win7-patch-of-a-patch-returns-with-no-explanation/, August 2017h. Accessed Feb 19, 2019.
  87. Social influences on secure development tool adoption: why security tools spread. In Proceedings of the 17th ACM conference on Computer supported cooperative work & social computing, pages 1095–1106, 2014.
  88. Systems approaches to tackling configuration errors: A survey. ACM Computing Surveys (CSUR), 47(4):70, 2015.
  89. An hci view of configuration problems. arXiv preprint arXiv:1601.01747, 2016.
  90. Robert K Yin. Case study research : design and methods. SAGE, Los Angeles, fifth edition.. edition, 2014. ISBN 9781452242569.
  91. Christina Zhao. Microsoft starts forcing Windows 7 and 8.1 users to update to Windows 10. https://www.independent.co.uk/life-style/gadgets-and-tech/news/windows-7-update-microsoft-81-download-windows-10-software-a7684256.html, April 2017.
Citations (2)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now