Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System Administrators


Christian Tiefenau and Maximilian Häring, University of Bonn; Katharina Krombholz, CISPA Helmholtz Center for Information Security; Emanuel von Zezschwitz, University of Bonn, Fraunhofer FKIE


Experts agree that keeping systems up to date is a powerful security measure. Previous work found that users sometimes explicitly refrain from performing timely updates, e.g., due to bad experiences which has a negative impact on end-user security. Another important user group has been investigated less extensively: system administrators, who are responsible for keeping complex and heterogeneous system landscapes available and secure.

In this paper, we sought to understand administrators' behavior, experiences, and attitudes regarding updates in a corporate environment. Based on the results of an interview study, we developed an online survey and quantified common practices and obstacles (e.g., downtime or lack of information about updates). The findings indicate that even experienced administrators struggle with update processes as the consequences of an update are sometimes hard to assess. Therefore, we argue that more usable monitoring and update processes are essential to guarantee IT security at scale.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {255656,
author = {Christian Tiefenau and Maximilian H{\"a}ring and Katharina Krombholz and Emanuel von Zezschwitz},
title = {Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System Administrators},
booktitle = {Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)},
year = {2020},
isbn = {978-1-939133-16-8},
pages = {239--258},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video