Tamara Bondar, Hala Assal, AbdelRahman Abdou (Carleton University)

In efforts to understand the reasons behind Internet-connected devices remaining vulnerable for a long time, previous literature analyzed the effectiveness of large-scale vulnerability notifications on remediation rates. Herein we focus on the perspective of system administrators. Through an online survey study with 89 system administrators worldwide, we investigate factors affecting their decisions to remediate or ignore a security vulnerability. We use Censys to find servers with vulnerable public-facing services, extract the abuse contact information from WHOIS, and email an invitation to fill out the survey. We found no evidence that awareness of the existence of a vulnerability affects remediation plans, which explains the consistently small remediation rates following notification campaigns conducted in previous research. More interestingly, participants did not agree on a specific factor as the primary cause for lack of remediation. Many factors appeared roughly equally important, including backwards compatibility, technical knowledge, available resources, and motive to remediate.

View More Papers

Do Privacy Labels Answer Users' Privacy Questions?

Shikun Zhang, Norman Sadeh (Carnegie Mellon University)

Read More

QPEP in the Real World: A Testbed for Secure...

Julian Huwyler (ETH Zurich), James Pavur (University of Oxford), Giorgio Tresoldi and Martin Strohmeier (Cyber-Defence Campus) Presenter: Martin Strohmeier

Read More

Anomaly Detection in the Open World: Normality Shift Detection,...

Dongqi Han (Tsinghua University), Zhiliang Wang (Tsinghua University), Wenqi Chen (Tsinghua University), Kai Wang (Tsinghua University), Rui Yu (Tsinghua University),...

Read More