Existing research lacks a deep understanding of system administrators’ motivations, practices, and barriers in security hardening—contributing to persistent system vulnerabilities. This study employs qualitative content analysis on 316 technical Q&A posts from Stack Exchange to conduct thematic coding and pattern mining, yielding the first systematic empirical insights—grounded in authentic community interactions—into administrators’ core challenges, cognitive misconceptions, and psychological drivers concerning access control and deployment configuration. Key findings reveal that fear-driven responses and regulatory compliance pressures constitute primary behavioral motivators, while widespread misperceptions persist regarding security tools’ capabilities and implementation overhead. Based on these insights, we propose a risk-aware, incremental compliance–oriented framework for security hardening optimization. This work advances theoretical foundations for operational security practice and identifies actionable intervention points for improving real-world hardening efficacy.

Hardening computer systems against cyberattacks is crucial for security. However, past incidents illustrated, that many system operators struggle with effective system hardening. Hence, many computer systems and applications remain insecure. So far, the research community lacks an in-depth understanding of system operators motivation, practices, and challenges around system hardening. With a focus on practices and challenges, we qualitatively analyzed 316 Stack Exchange (SE) posts related to system hardening. We find that access control and deployment-related issues are the most challenging, and system operators suffer from misconceptions and unrealistic expectations. Most frequently, posts focused on operating systems and server applications. System operators were driven by the fear of their systems getting attacked or by compliance reasons. Finally, we discuss our research questions, make recommendations for future system hardening, and illustrate the implications of our work.