Economics of Security Patch Management
Patch management is a crucial component of IT security programs. An important problem within this context is determining how often to update systems with the necessary patches. Keeping systems patched through more frequent updates increases operational costs while reducing security risk; leaving systems unpatched through less frequent updates decreases operational costs while increasing security risk. In this paper we develop a game-theoretic model to derive the optimal frequency of patch updates that balances the operational costs and the damage costs associated with security vulnerabilities. We first analyze a centralized system as a benchmark case to find the socially optimal patch management policy, together with the associated patch release cycle of the vendor and patch update cycle of the firm. We then consider a noncentralized system in which the vendor determines its patch release policy and the firm selects its patch update policy in a Stackelberg framework. Given the results for centralized and noncentralized patch management, we next address how the vendor's patch release policy and the firm's patch update policy can be coordinated, using cost sharing and/or liability, to achieve the socially optimal patch management in a noncentralized setting.