Remind me Tomorrow: Human Behaviors and Cyber Vulnerabilities
Marshini Chetty, Tudor Dumitraș, and V.S. Subrahmanian, University of Maryland; Aditya Prakash (Virginia Tech)
This research consisted of four interrelated projects addressing users and software updates. The research questions addressed included:
- How do users update their software?
- What are the barriers and facilitators to updates from the user perspective?
- Can we compare what users say they do with what they actually do?
- What are the implications for improving updating mechanisms and updating interfaces?
Using Symantec’s Worldwide Intelligence Network Environment (WINE) data, field data collected from hosts around the world, user studies of patching behaviors, and comparing and contrasting results of these studies, this work in progress is determining whether and how security and software patches are actually being installed and how human behavior impacts cybersecurity.
The first part of the project looked at users’ actual patching behaviors. The team analyzed 1,593 vulnerabilities in 10 side applications on Windows from 8.4 million hosts over 5 years. Using this data, they determined that patching behavior is not visible to network vulnerability scanners and is often targeted in spear-phishing attacks.
The second part of the project addressed the goal of measuring patch deployment milestones from the start of patching through time to patch 50%, 90%, 95% of vulnerable hosts and factors influencing the rate of patching. Preliminary conclusions are that start of patching is strongly correlated with the disclosure date--correlation coefficient of r = 0.994; 77% vulnerabilities start patching within 7 days; 92% vulnerabilities start patching within 30 days. The implications for this data are that while software vendors generally respond promptly to disclosures, patch deployment exhibits a long tail so that exploits are generally effective even if not zero-day.
The third part looked at updating mechanisms. It determined that there is considerable difference among updating mechanisms. For example, prompt for download is marginally more effective than manual updates. Auto-download and prompt for install is nearly as effective as silent updates for patching 50% of vulnerable hosts, but less effective for reaching 95% patch completion.
The fourth portion of the research looked at what users say they do. The team conducted online survey and interviews in summer 2014 with good demographic and sampling methods. Then the surveys were statistically analyzed to determine human factors in updating patches. 70.3% of survey respondents felt it is critical to keep software up to date and nearly half of survey respondents updated for security or to fix bugs/enhance performance, but over 1/3 survey respondents felt there were too many updates. Respondents also had clear expectations about patches. They were critical of unexpected changes, especially to the user interface (UI), want to know what has been changed, fear destabilization and incompatibility, and showed specific preferences for patch installation. 42% of survey respondents preferred automatic downloads while 72% of survey respondents preferred manual installation.
Next Steps for the project include completion of collaborative work, continued empirical analysis of WINE data, user studies extended to system administrators and developers and design of improved information about updates, and modeling attacker and defender behavior using game theory and WINE data.
This PowerPoint presentation is available at: http://cps-vo.org/node/15734
Professor Chetty’s web page is available at: http://www.cyber.umd.edu/faculty/chetty
Information about the UMD Lablet is available at: http://cps-vo.org/group/sos/lablet/umd
(ID#:14-2628)
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.