Patch Me If You Can: A Study On The Effects Of Individual User Behavior On The End-Host Vulnerability State

In this paper we study the implications of end-user behavior in applying software updates and patches on information-security vulnerabilities. To this end we tap into a large data set of measurements conducted on more than 400,000 Windows machines over four client-side applications, and separate out the impact of user and vendor behavior on the vulnerability states of hosts. Our modeling of users and the empirical evaluation of this model over vulnerability states of hosts reveal a peculiar relationship between vendors and end-users: the users' promptness in applying software patches, and vendors' policies in facilitating the installation of updates, while both contributing to the hosts' security posture, are overshadowed by other characteristics such as the frequency of vulnerability disclosures and the vendors' swiftness in deploying patches.