Tamara Bondar (Carleton University), Hala Assal (Carleton University)
System administrators are the ones primarily responsible for ensuring the security of their systems and services. While security is typically atop their considerations, they also tend to various competing priorities. Through an interview study with 7 sysadmins, and a large-scale survey study with 124 sysadmins in North America, this paper explores factors influencing system administrators’ security vulnerability remediation decisions. In addition, we explore how the vulnerability creator (whether the sysadmin themself or another sysadmin) affects remediation decisions.
Our findings reveal that remediation decisions are often complex and influenced by various factors, including vulnerability severity and the sysadmin’s skills and experience. The creator of the vulnerability had minimal effect on vulnerability remediation decisions, as we found that sysadmins typically assume psychological ownership and moral responsibility towards their systems. Collaboration between sysadmins, and with third-party vendors was recommended by our participants to facilitate vulnerability remediation.