Optimizing Network Patching Policy Decisions

Abstract: Abstract. Patch management of networks is essential to mitigate the risks from the exploitation of vulnerabilities through malware and other attacks, but by setting too rigorous a patching policy for network devices the IT security team can also create burdens for IT operations or disruptions to the business. Different patch deployment timelines could be adopted with the aim of reducing this operational cost, but care must be taken not to substantially increase the risk of emergency disruption from potential e… Show more

“…We assume that vulnerabilities are identified according to a Poisson process with rate . This has been a standard assumption in prior literature (e.g., Beres and Griffin 2012, Cavusoglu et al 2008, Dalal and Mallows 1988, Ioannidis et al 2012, Rescorla 2005.…”

“…A patch deployment usually involves a significant setup cost, such as the costs associated with system configuration checking, patch searching and documentation, and patch testing and installation (August et al 2014, August and Tunca 2011, Brandon 2005. Furthermore, unplanned patching activities are bound to cause some business disruption, interrupting the normal system workflow and inflicting downtimes on critical business functions, among others (Beres andGriffin 2012, Mastroleon et al 2006). In fact, this is the primary reason why organizations often postpone applying available patches-it is indeed tempting to take advantage of the economy of scale by patching in batches (Beres and Griffin 2012).…”

“…Furthermore, unplanned patching activities are bound to cause some business disruption, interrupting the normal system workflow and inflicting downtimes on critical business functions, among others (Beres andGriffin 2012, Mastroleon et al 2006). In fact, this is the primary reason why organizations often postpone applying available patches-it is indeed tempting to take advantage of the economy of scale by patching in batches (Beres and Griffin 2012). Overall, an IT manager must consider both the setup and business disruption costs, weigh them against the potential exploitation cost, and decide when and how often to patch an enterprise system/application or its subsystems/components.…”

“…It is not hard to see why an organization may consider such a policy vis-à-vis a time-based policy. Because patches may arrive randomly (Beres andGriffin 2012, Cavusoglu et al 2008), it is possible that several of them may arrive in a short window of time, in which case waiting a predetermined period would involve an undue security risk. However, adopting this policy also means that patching intervals would be random and some business disruptions would thus be unavoidable.…”

“…Our context is similar, except that we are interested in analyzing candidate policies for managing multiple patches in a setting where patching is costly but the patches are reliable. More recently, Beres and Griffin (2012) and Ioannidis et al (2012) have considered the delicate issue of balancing patching costs against security risks. Employing simulation models, they both analyze a single class of policies.…”

Optimal Policies for Security Patch Management

“…We assume that vulnerabilities are identified according to a Poisson process with rate . This has been a standard assumption in prior literature (e.g., Beres and Griffin 2012, Cavusoglu et al 2008, Dalal and Mallows 1988, Ioannidis et al 2012, Rescorla 2005.…”

“…A patch deployment usually involves a significant setup cost, such as the costs associated with system configuration checking, patch searching and documentation, and patch testing and installation (August et al 2014, August and Tunca 2011, Brandon 2005. Furthermore, unplanned patching activities are bound to cause some business disruption, interrupting the normal system workflow and inflicting downtimes on critical business functions, among others (Beres andGriffin 2012, Mastroleon et al 2006). In fact, this is the primary reason why organizations often postpone applying available patches-it is indeed tempting to take advantage of the economy of scale by patching in batches (Beres and Griffin 2012).…”

“…Furthermore, unplanned patching activities are bound to cause some business disruption, interrupting the normal system workflow and inflicting downtimes on critical business functions, among others (Beres andGriffin 2012, Mastroleon et al 2006). In fact, this is the primary reason why organizations often postpone applying available patches-it is indeed tempting to take advantage of the economy of scale by patching in batches (Beres and Griffin 2012). Overall, an IT manager must consider both the setup and business disruption costs, weigh them against the potential exploitation cost, and decide when and how often to patch an enterprise system/application or its subsystems/components.…”

“…It is not hard to see why an organization may consider such a policy vis-à-vis a time-based policy. Because patches may arrive randomly (Beres andGriffin 2012, Cavusoglu et al 2008), it is possible that several of them may arrive in a short window of time, in which case waiting a predetermined period would involve an undue security risk. However, adopting this policy also means that patching intervals would be random and some business disruptions would thus be unavoidable.…”

“…Our context is similar, except that we are interested in analyzing candidate policies for managing multiple patches in a setting where patching is costly but the patches are reliable. More recently, Beres and Griffin (2012) and Ioannidis et al (2012) have considered the delicate issue of balancing patching costs against security risks. Employing simulation models, they both analyze a single class of policies.…”

Optimal Policies for Security Patch Management

Dynamic vulnerability severity calculator for industrial control systems

Optimal Dissemination Strategy of Security Patch Based on Differential Game in Social Network