To Patch, or not To Patch? That is the Question: A Case Study of System Administrators' Online Collaborative Behaviour

System administrators, similar to end users, may delay or avoid software patches, also known as updates, despite the impact their timely application can have on system security. These admins are responsible for large, complex, amalgamated systems and must balance the security related needs of their organizations, which would benefit from the patch, with the need to ensure that systems must continue to run unimpeded. In this paper, we present a case study which follows the online life-cycle of a pair of Microsoft patches. We find that communities of sysadmins have evolved sophisticated mechanisms to perform risk assessments that are centred around collecting, synthesizing, and generating information on patches. These communities span different Virtual Communities of Practice, as well as influencers who monitor and report on the impact of new patches. As information is propagated and aggregated across blogs, forums, web sites, and mailing lists, eventually resulting in a consensus around the risk of a patch. Our findings highlight the role that these communities play in informing risk management decisions: Patch information is not static, and it transforms as communities collaborate to understand patch issues.