Investigating System Administrators’ Perspective Regarding Software Vulnerabilities.
Dr. Hala Assal
Dr. Hala Assal’s research examines how system administrators make decisions when they discover security issues in the systems they manage. The work focuses on two categories of vulnerabilities: third-party vulnerabilities and misconfigurations. It explores why some known vulnerabilities remain unaddressed, even when administrators are aware of them, and asks what competing priorities, responsibilities, and contextual factors influence whether remediation takes place.
The study found that remediation decisions are shaped by a complex set of factors that vary by vulnerability type. For third-party vulnerabilities, severity was the most important factor, while for misconfigurations, administrators’ own skill and experience played a larger role. Dr. Assal’s work also found that many system administrators operate without clear organizational policies or guidelines, leaving them to rely heavily on personal judgment. This can be especially challenging for administrators in small and medium-sized enterprises, who may feel less confident in their experience and available support.
A key insight from the research is that system administrators often feel a strong sense of psychological ownership over the systems they manage. They view themselves as morally responsible for keeping those systems secure, not merely as people completing assigned tasks. Dr. Assal’s work points to the need for more structured procedures, clearer expectations, formalized review processes, and stronger support networks for professional users such as system administrators, software developers, and software engineers.
The results of this work were published in the 2026 Symposium on Usable Security and Privacy. The video of the presentation is available on YouTube.