Patch Management

Updating software is one of the most effective methods of protecting computers from security vulnerabilities, yet many people and organisations choose to not install them. In this project we endevor to understand the attitudes of people making update decisions and the barriers they face that can impact their willingness and ability to keep their software up to date.

Updating software means changing it. Ideally those changes are for the better such as improved security, better features, fixed bugs, and additional functionality. However, they can also lead to worse outcomes such as slower software, new problems, changes to frequently used functionality, and new security vulnerabilities. According to our research, many of the issues around software updating are actually issues around balancing risks and benefits when neither of these are fully known. For example, the update that protected against the WannaCry ransomeware attack was made available a month before the attack happened, those that installed it were therefore protected and not impacted by the attack. But it would have been impossible for a system administrator to know at the time of update release that a devistating world wide ransomware attack was comming. Incidents like WannaCry suggest that installing patches quickly is a good idea, which is true, but it should also be understood that installing patches quickly also carries risks. For example, Microsoft released a Windows 10 update which then started deleting all the files on the desktop. They acknowledged the issue and offered a work around, but the issue was terrifying and highly disruptive for users, particularly those who installed updates quickly.

Software Update System Administrators Patch Management Security

Publications

Not as easy as just update: Survey of System Administrators and Patching Behaviours
While installing patches (updates) quickly is important for security, many system administrators do not have access to key resources like dedicated testing environments to ensure that installed patches will be stable and not disrupt their organization’s work.
PDF Cite Project Video DOI
Not as easy as just update: Survey of System Administrators and Patching Behaviours
To Patch, or not To Patch? That is the Question: A Case Study of System Administrators' Online Collaborative Behaviour
Case study of a Critical Windows patch which had problems. The case explores how admins learn about patches, how issues are identified by online admin communities, communication with venders like Microsoft, and how a patch gets the community all clear.
PDF Cite Project DOI
"Anyone Else Seeing this Error?": Community, System Administrators, and Patch Information
PDF Cite Project Video
Tales of Software Updates: The process of updating software
PDF Cite Project
Betrayed By Updates: How Negative Experiences Affect Future Security
PDF Cite Project
Out of the loop: How automated software updates cause unintended security consequences
PDF Cite Project