The reviewed record of science sign in
Pith

arxiv: 2202.09016 · v2 · pith:ZCUPSTDR · submitted 2022-02-18 · cs.SE · cs.HC

Why, How and Where of Delays in Software Security Patch Management: An Empirical Investigation in the Healthcare Sector

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel pith:ZCUPSTDRrecord.jsonopen to challenge →

classification cs.SE cs.HC
keywords delayspatchmanagementsecurityfindingsprocesstimelytowards
0
0 comments X
read the original abstract

Numerous security attacks that resulted in devastating consequences can be traced back to a delay in applying a security patch. Despite the criticality of timely patch application, not much is known about why and how delays occur when applying security patches in practice, and how the delays can be mitigated. Based on longitudinal data collected from 132 delayed patching tasks over a period of four years and observations of patch meetings involving eight teams from two organisations in the healthcare domain, and using quantitative and qualitative data analysis approaches, we identify a set of reasons relating to technology, people and organisation as key explanations that cause delays in patching. Our findings also reveal that the most prominent cause of delays is attributable to coordination delays in the patch management process and a majority of delays occur during the patch deployment phase. Towards mitigating the delays, we describe a set of strategies employed by the studied practitioners. This research serves as the first step towards understanding the practical reasons for delays and possible mitigation strategies in vulnerability patch management. Our findings provide useful insights for practitioners to understand what and where improvement is needed in the patch management process and guide them towards taking timely actions against potential attacks. Also, our findings help researchers to invest effort into designing and developing computer-supported tools to better support a timely security patch management process.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.