A Case Study on ( Security ) Update Processes in Working Environments : Understanding the Context

Copyright is held by the author/owner. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee. Poster presented at the 15th Symposium on Usable Privacy and Security (SOUPS 2019). Abstract Updates are security-relevant and for this reasons should be applied timely, regularly, and routinely to keep systems safe. Yet the process itself can be complex and is often influenced by external factors. Our research aims at investigating the update problem from different perspectives and analyzing the interaction effects of involved stakeholders. In this work, we present the preliminary insights from an ongoing case study focusing on the update process of inhouse and customer software in a small (19 employees) tech company. The data was collected in a mixed-methods approach. We combined interviews and surveys (n=8) with the insights from a content analysis of around 300 update related issues from a text-based ticket system. We found that priorities still conflict with the goal of security but also that updates are already rolled out on a regular basis and are part of the organizational work flow. Finally, we reflect on our methodical approach that involved ethnographic aspects.