E ffective patch management is critical to ensure the security of information systems that modern organizations count on today. Facing numerous patch releases from vendors, an information technology (IT) manager must weigh the costs of frequent patching against the security risks that can arise from delays in patch application. To this end, we develop a rigorous quantitative framework to analyze and compare several patching policies that are of practical interest. Our analyses of pure policies-policies that rely on a single metric such as elapsed time or patch severity level-show that certain policies are never optimal and no single policy may fit all information systems uniformly well. Depending on the context parameters, particularly the setup and business disruption costs for patching, either a time-based approach or an approach based on the cumulative severity level may be effective. To develop a more complete guideline for policy selection, we decipher hybrid policies that combine multiple metrics. Finally, we conduct extensive numerical experiments to verify the robustness of our analytical results. Overall, our paper establishes a comprehensive framework for analyzing various patching policies and furnishes useful insights for IT managers.