System administrators, like end users, may delay or avoid software patches (also known as updates), despite the impact their timely application can have on system security. These admins are responsible for large, complex, amalgamated systems and must balance the security-related needs of their organizations, which would benefit from the patch, against the need to ensure that systems continue to run unimpeded. In this paper, we present a case study that follows the online life-cycle of a pair of Microsoft patches. We find that communities of sysadmins have evolved sophisticated mechanisms to perform risk assessments that are centred around collecting, synthesizing, and generating information on patches. These communities span different Virtual Communities of Practice, as well as influencers who monitor and report on the impact of new patches. Information is propagated and aggregated across blogs, forums, web sites, and mailing lists, eventually resulting in a consensus around the risk of a patch. Our findings highlight the role that these communities play in informing risk management decisions: patch information is not static, and it transforms as communities collaborate to understand patch issues.