Optimizing Network Patching Policy Decisions

Abstract: Patch management of networks is essential to mitigate the risks from the exploitation of vulnerabilities through malware and other attacks, but by setting too rigorous a patching policy for network devices the IT security team can also create burdens for IT operations or disruptions to the business. Different patch deployment timelines could be adopted with the aim of reducing this operational cost, but care must be taken not to substantially increase the risk of emergency disruption from potential exploits and attacks. In this paper we explore how the IT security policy choices regarding patching timelines can be made in terms of economically-based decisions, in which the aim is to minimize the expected overall costs to the organization from patching-related activity. We introduce a simple cost function that takes into account costs incurred from disruption caused by planned patching and from expected disruption caused by emergency patching. To explore the outcomes under different patching policies we apply a systems modelling approach and Monte Carlo style simulations. The results from the simulations show disruptions caused for a range of patch deployment timelines. These results together with the cost function are then used to identify the optimal patching timelines under different threat environment conditions and taking into account the organization’s risk tolerance.
Document type:
Conference paper
Dimitris Gritzalis; Steven Furnell; Marianthi Theoharidou. 27th Information Security and Privacy Conference (SEC), Jun 2012, Heraklion, Crete, Greece. Springer, IFIP Advances in Information and Communication Technology, AICT-376, pp.424-442, 2012, Information Security and Privacy Research. 〈10.1007/978-3-642-30436-1_35〉
Cited literature [2 references]

https://hal.inria.fr/hal-01518224
Contributor: Hal Ifip
Submitted on: Thursday, 4 May 2017 - 13:45:21
Last modified on: Thursday, 28 December 2017 - 13:58:02
Document(s) archived on: Saturday, 5 August 2017 - 13:02:45

File

978-3-642-30436-1_35_Chapter.p...
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Yolanta Beres, Jonathan Griffin. Optimizing Network Patching Policy Decisions. Dimitris Gritzalis; Steven Furnell; Marianthi Theoharidou. 27th Information Security and Privacy Conference (SEC), Jun 2012, Heraklion, Crete, Greece. Springer, IFIP Advances in Information and Communication Technology, AICT-376, pp.424-442, 2012, Information Security and Privacy Research. 〈10.1007/978-3-642-30436-1_35〉. 〈hal-01518224〉

Metrics

Record views

67

File downloads

74