Patching, system administrators, and their communities
Date
13/02/2023
Author
Jenkins, Adam D.G.
Abstract
“Update your devices” is well-known security advice in both academia and industry.
Yet there exists very little research into the process and the administrators tasked with
sourcing, testing, applying, and troubleshooting updates for computing systems that
serve many end-users. These system administrators (sysadmins) play a critical role in
information security management (ISM), with their decisions impacting the security
of potentially millions of end-users. However, these decisions involve complex risk
assessments on an update-by-update basis: although patches can remove potential
software vulnerabilities, they may also introduce new errors to systems that negatively
impact their organization.
In this thesis I will present one of the first attempts at studying this user group
and their impact on the patching process. To do so, I primarily focus on sysadmins’
Online Communities of Practice, which provide sysadmins with up-to-date patching
information, such as known issues or related vulnerabilities. To begin with, I provide
an in-depth qualitative artifact analysis of emails from a prominent patching-orientated
mailing list: PatchManagement.org. The analysis identifies several different
types of information that are shared and requested by community members throughout
their patching schedules. This information includes requests for help troubleshooting
patching errors or community-generated lists of security patches to prioritise. I
complement this work by constructing a descriptive case study, detailing distinct
communities’ collaborative information gathering and problem solving behaviours following
the release of two security-critical Microsoft patches. By detailing this online life cycle
I find that these communities provide sysadmins with a dynamic, centralised source for
their patching information, and that these communities share information often sourced
from the work of other communities and their respective members. To conclude, I provide
a survey of sysadmins detailing the prominence of patching behaviours at each
stage of the patching process, and balance out the previous observational works with
self-reported data from sysadmins from these online communities.
This work is one of the first explorations into the types of information system
administrators share online with each other during patching, as well as the challenges
they face and solutions they are using, such as forming these Communities of Practice.
Patching, although it appears very simple on the surface, is a more complicated task
requiring a number of socio-technical decisions to be considered before “just applying”
the update. I present the lessons learned from our studies and indicate potential routes
for future research within this space.