Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

To Patch or Not to Patch: Motivations, Challenges, and Implications for Cybersecurity

Jason R. C. Nurse

TL;DR

The paper tackles why organizations patch or fail to patch vulnerabilities, focusing on human factors that influence patch decisions. It surveys literature from industry and academia to synthesize motivations, disincentives, and the patch management lifecycle, highlighting stakeholders from vendors to regulators. It highlights regulatory mandates, supply-chain considerations, and the promise of automation and AI-assisted patching as pathways to improve patch uptake, while acknowledging risks to system stability and patch quality. The study argues for a balanced approach, including better tooling, vendor collaboration, and, where appropriate, evergreen IT paradigms, to make timely remediation more feasible in real-world environments.

Abstract

As technology has become more embedded into our society, the security of modern-day systems is paramount. One topic which is constantly under discussion is that of patching, or more specifically, the installation of updates that remediate security vulnerabilities in software or hardware systems. This continued deliberation is motivated by complexities involved with patching; in particular, the various incentives and disincentives for organizations and their cybersecurity teams when deciding whether to patch. In this paper, we take a fresh look at the question of patching and critically explore why organizations and IT/security teams choose to patch or decide against it (either explicitly or due to inaction). We tackle this question by aggregating and synthesizing prominent research and industry literature on the incentives and disincentives for patching, specifically considering the human aspects in the context of these motives. Through this research, this study identifies key motivators such as organizational needs, the IT/security team's relationship with vendors, and legal and regulatory requirements placed on the business and its staff. There are also numerous significant reasons discovered for why the decision is taken not to patch, including limited resources (e.g., person-power), challenges with manual patch management tasks, human error, bad patches, unreliable patch management tools, and the perception that related vulnerabilities would not be exploited. These disincentives, in combination with the motivators above, highlight the difficult balance that organizations and their security teams need to maintain on a daily basis. Finally, we conclude by discussing implications of these findings and important future considerations.

To Patch or Not to Patch: Motivations, Challenges, and Implications for Cybersecurity

TL;DR

The paper tackles why organizations patch or fail to patch vulnerabilities, focusing on human factors that influence patch decisions. It surveys literature from industry and academia to synthesize motivations, disincentives, and the patch management lifecycle, highlighting stakeholders from vendors to regulators. It highlights regulatory mandates, supply-chain considerations, and the promise of automation and AI-assisted patching as pathways to improve patch uptake, while acknowledging risks to system stability and patch quality. The study argues for a balanced approach, including better tooling, vendor collaboration, and, where appropriate, evergreen IT paradigms, to make timely remediation more feasible in real-world environments.

Abstract

As technology has become more embedded into our society, the security of modern-day systems is paramount. One topic which is constantly under discussion is that of patching, or more specifically, the installation of updates that remediate security vulnerabilities in software or hardware systems. This continued deliberation is motivated by complexities involved with patching; in particular, the various incentives and disincentives for organizations and their cybersecurity teams when deciding whether to patch. In this paper, we take a fresh look at the question of patching and critically explore why organizations and IT/security teams choose to patch or decide against it (either explicitly or due to inaction). We tackle this question by aggregating and synthesizing prominent research and industry literature on the incentives and disincentives for patching, specifically considering the human aspects in the context of these motives. Through this research, this study identifies key motivators such as organizational needs, the IT/security team's relationship with vendors, and legal and regulatory requirements placed on the business and its staff. There are also numerous significant reasons discovered for why the decision is taken not to patch, including limited resources (e.g., person-power), challenges with manual patch management tasks, human error, bad patches, unreliable patch management tools, and the perception that related vulnerabilities would not be exploited. These disincentives, in combination with the motivators above, highlight the difficult balance that organizations and their security teams need to maintain on a daily basis. Finally, we conclude by discussing implications of these findings and important future considerations.

Paper Structure

This paper contains 6 sections.

Table of Contents

  1. Introduction
  2. Patching: Nature and Context
  3. The Incentives that Support the Decision to Patch
  4. What Motivates the Decision Not to Patch?
  5. Discussion and Future Considerations
  6. Conclusion