Patching, system administrators, and their communities
Jenkins, Adam D.G.
"Update your devices" is well-known security advice in both academia and industry. Yet there exists very little research into the process and the administrators tasked with sourcing, testing, applying, and troubleshooting updates for computing systems that serve many end-users. These system administrators (sysadmins) play a critical role in Information Security Management (ISM), with their decisions impacting the security of potentially millions of end-users. However, these decisions involve complex risk assessments on an update-by-update basis: although patches can remove potential software vulnerabilities, they may also introduce new errors to systems that negatively impact their organization. In this thesis I will present one of the first attempts at studying this user group and their impact on the patching process. To do so, I primarily focus on sysadmins' Online Communities of Practice, which provide sysadmins with up-to-date patching information, such as known issues or related vulnerabilities. To begin with, I provide an in-depth qualitative artifact analysis of emails from a prominent patching-orientated mailing list: PatchManagement.org. The analysis identifies several different types of information that are shared and requested by community members throughout their patching schedules. This information includes requests for help troubleshooting patching errors or community-generated lists of security patches to prioritise. I complement this work by constructing a descriptive case study, detailing distinct communities' collaborative information-gathering and problem-solving behaviours following the release of two security-critical Microsoft patches. By detailing this online life cycle I find that these communities provide sysadmins with a dynamic, centralised source for their patching information, and that these communities share information often sourced from the work of other communities and their respective members.
To conclude, I provide a survey of sysadmins detailing the prominence of patching behaviours at each stage of the patching process, and balance out the previous observational works with self-reported data from sysadmins from these online communities. This work is one of the first explorations into the types of information system administrators share online with each other during patching, as well as the challenges they face and solutions they are using, such as forming these Communities of Practice. Patching, although it appears very simple on the surface, is a more complicated task requiring a number of social-technical decisions to be considered before "just applying" the update. I present the lessons learned from our studies and indicate potential routes for future research within this space.